
DarkaOnLine / L5-Swagger / 13173932008

06 Feb 2025 07:32AM UTC coverage: 97.994% (-0.3%) from 98.3%
13173932008

push

github

DarkaOnLine
Fix path traversal vulnerability

8 of 8 new or added lines in 2 files covered. (100.0%)

1 existing line in 1 file now uncovered.

342 of 349 relevant lines covered (97.99%)

15.06 hits per line

Source File

98.67
/src/Http/Controllers/SwaggerController.php
<?php

namespace L5Swagger\Http\Controllers;

use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Filesystem\Filesystem;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Request as RequestFacade;
use Illuminate\Support\Facades\Response as ResponseFacade;
use L5Swagger\Exceptions\L5SwaggerException;
use L5Swagger\GeneratorFactory;

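class SwaggerController extends BaseController
{
    /**
     * Factory that builds the generator used to (re)create the OpenAPI
     * documents when `generate_always` is enabled for a documentation.
     *
     * @var GeneratorFactory
     */
    protected $generatorFactory;

    /**
     * @param  GeneratorFactory  $generatorFactory
     */
    public function __construct(GeneratorFactory $generatorFactory)
    {
        $this->generatorFactory = $generatorFactory;
    }

    /**
     * Dump api-docs content endpoint. Supports dumping a json, or yaml file.
     *
     * The served file is chosen solely from the documentation's configuration
     * (`paths.docs` joined with `paths.docs_json` or `paths.docs_yaml`,
     * depending on `paths.format_to_use_for_docs`). No request parameter takes
     * part in building the path, so a client cannot steer this endpoint to a
     * different file on disk.
     *
     * @param  Request  $request  Expected to carry the resolved `documentation`
     *                            name and its `config` array as request
     *                            attributes (populated upstream of this controller).
     * @return Response
     *
     * @throws L5SwaggerException
     * @throws FileNotFoundException
     */
    public function docs(Request $request)
    {
        $fileSystem = new Filesystem();
        $documentation = $request->offsetGet('documentation');
        $config = $request->offsetGet('config');
        $yamlFormat = ($config['paths']['format_to_use_for_docs'] === 'yaml');

        // Both path components come from configuration, never from the request.
        $filePath = sprintf(
            '%s/%s',
            $config['paths']['docs'],
            $yamlFormat ? $config['paths']['docs_yaml'] : $config['paths']['docs_json']
        );

        if ($config['generate_always']) {
            $generator = $this->generatorFactory->make($documentation);

            try {
                $generator->generateDocs();
            } catch (\Exception $e) {
                Log::error($e);

                // NOTE(review): the 404 body echoes the absolute file path and the
                // underlying error message; consider whether that level of detail
                // should reach clients of this route.
                abort(
                    404,
                    sprintf(
                        'Unable to generate documentation file to: "%s". Please make sure directory is writable. Error: %s',
                        $filePath,
                        $e->getMessage()
                    )
                );
            }
        }

        if (! $fileSystem->exists($filePath)) {
            abort(404, sprintf('Unable to locate documentation file at: "%s"', $filePath));
        }

        $content = $fileSystem->get($filePath);

        if ($yamlFormat) {
            return ResponseFacade::make($content, 200, [
                'Content-Type' => 'application/yaml',
                'Content-Disposition' => 'inline',
            ]);
        }

        return ResponseFacade::make($content, 200, [
            'Content-Type' => 'application/json',
        ]);
    }

    /**
     * Display Swagger API page.
     *
     * @param  Request  $request  Expected to carry the resolved `documentation`
     *                            name and its `config` array as request attributes.
     * @return Response
     */
    public function api(Request $request)
    {
        $documentation = $request->offsetGet('documentation');
        $config = $request->offsetGet('config');

        // Forwarded headers are only honoured for the proxies the operator listed
        // under the documentation's `proxy` config key (a single value or a list).
        if ($proxy = $config['proxy']) {
            if (! is_array($proxy)) {
                $proxy = [$proxy];
            }
            Request::setTrustedProxies(
                $proxy,
                Request::HEADER_X_FORWARDED_FOR |
                Request::HEADER_X_FORWARDED_HOST |
                Request::HEADER_X_FORWARDED_PORT |
                Request::HEADER_X_FORWARDED_PROTO |
                Request::HEADER_X_FORWARDED_AWS_ELB
            );
        }

        $urlToDocs = $this->generateDocumentationFileURL($documentation, $config);
        $useAbsolutePath = config('l5-swagger.documentations.'.$documentation.'.paths.use_absolute_path', true);

        // Need the / at the end to avoid CORS errors on Homestead systems.
        return ResponseFacade::make(
            view('l5-swagger::index', [
                'documentation' => $documentation,
                'secure' => RequestFacade::secure(),
                'urlToDocs' => $urlToDocs,
                'operationsSorter' => $config['operations_sort'],
                'configUrl' => $config['additional_config_url'],
                'validatorUrl' => $config['validator_url'],
                'useAbsolutePath' => $useAbsolutePath,
            ]),
            200
        );
    }

    /**
     * Display Oauth2 callback pages.
     *
     * Returns the raw contents of the bundled `oauth2-redirect.html` for the
     * given documentation; the path is resolved by `swagger_ui_dist_path()`
     * from a fixed file name, not from request input.
     *
     * @param  Request  $request  Expected to carry the resolved `documentation`
     *                            name as a request attribute.
     * @return string
     *
     * @throws L5SwaggerException
     * @throws FileNotFoundException
     */
    public function oauth2Callback(Request $request)
    {
        $fileSystem = new Filesystem();
        $documentation = $request->offsetGet('documentation');

        return $fileSystem->get(swagger_ui_dist_path($documentation, 'oauth2-redirect.html'));
    }

    /**
     * Generate URL for documentation file.
     *
     * Picks the yaml file name only when `paths.format_to_use_for_docs` is
     * `yaml` AND `paths.docs_yaml` is non-empty; otherwise falls back to
     * `paths.docs_json` (default `api-docs.json`).
     *
     * NOTE(review): docs() selects the yaml file whenever the format is `yaml`
     * without checking that `docs_yaml` is set, so with an empty `docs_yaml`
     * the generated link and the file docs() looks for may disagree.
     *
     * @param  string  $documentation
     * @param  array  $config
     * @return string
     */
    protected function generateDocumentationFileURL(string $documentation, array $config)
    {
        $fileUsedForDocs = $config['paths']['docs_json'] ?? 'api-docs.json';

        if (! empty($config['paths']['format_to_use_for_docs'])
            && $config['paths']['format_to_use_for_docs'] === 'yaml'
            && $config['paths']['docs_yaml']
        ) {
            $fileUsedForDocs = $config['paths']['docs_yaml'];
        }

        $useAbsolutePath = config('l5-swagger.documentations.'.$documentation.'.paths.use_absolute_path', true);

        return route(
            'l5-swagger.'.$documentation.'.docs',
            $fileUsedForDocs,
            $useAbsolutePath
        );
    }
}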