Shell arguments properly escaped

Accept parameters of any type
Eihen · Feb 28, 2018 · bbc1bcb · bbc1bcb
1 parent 997776a
commit bbc1bcb
Show file tree

Hide file tree

Showing 12 changed files with 62 additions and 56 deletions.
diff --git a/src/Compiler.php b/src/Compiler.php
@@ -22,7 +22,7 @@ class Compiler extends JasperBase
      * @return null|string
      * @throws \Exception
      */
-    public function compile(string $input, bool $dontExec)
+    public function compile(string $input, bool $dontExec = false)
     {
         $input = static::validateInput($input, ['jrxml']);
 

diff --git a/src/DatabaseProcessors/DatabaseProcessor.php b/src/DatabaseProcessors/DatabaseProcessor.php
@@ -22,7 +22,7 @@ abstract class DatabaseProcessor extends Processor
      */
     public function host(string $host)
     {
-        $this->args['dbHost'] = !empty($host) ? "-H \"$host\"" : '';
+        $this->args['dbHost'] = !empty($host) ? '-H ' . escapeshellarg($host) : '';
 
         return $this;
     }
@@ -36,7 +36,7 @@ public function host(string $host)
      */
     public function port(string $port)
     {
-        $this->args['dbPort'] = !empty($port) ? "--db-port \"$port\"" : '';
+        $this->args['dbPort'] = !empty($port) ? '--db-port ' . escapeshellarg($port) : '';
 
         return $this;
     }
@@ -50,7 +50,7 @@ public function port(string $port)
      */
     public function database(string $name)
     {
-        $this->args['dbName'] = !empty($name) ? "-n \"$name\"" : '';
+        $this->args['dbName'] = !empty($name) ? '-n ' . escapeshellarg($name) : '';
 
         return $this;
     }
@@ -64,7 +64,7 @@ public function database(string $name)
      */
     public function user(string $user)
     {
-        $this->args['dbUser'] = !empty($user) ? "-u \"$user\"" : '';
+        $this->args['dbUser'] = !empty($user) ? '-u ' . escapeshellarg($user) : '';
 
         return $this;
     }
@@ -78,7 +78,7 @@ public function user(string $user)
      */
     public function password(string $password)
     {
-        $this->args['dbPassword'] = !empty($password) ? "-p \"$password\"" : '';
+        $this->args['dbPassword'] = !empty($password) ? '-p ' . escapeshellarg($password) : '';
 
         return $this;
     }

diff --git a/src/DatabaseProcessors/JdbcProcessor.php b/src/DatabaseProcessors/JdbcProcessor.php
@@ -18,7 +18,7 @@ class JdbcProcessor extends DatabaseProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t generic';
+        $this->args['type'] = '-t "generic"';
     }
 
     /**
@@ -30,7 +30,7 @@ public function __construct()
      */
     public function class(string $driver)
     {
-        $this->args['jdbcDriver'] = !empty($driver) ? "--db-driver \"$driver\"" : '';
+        $this->args['jdbcDriver'] = !empty($driver) ? '--db-driver ' . escapeshellarg($driver) : '';
 
         return $this;
     }
@@ -44,7 +44,7 @@ public function class(string $driver)
      */
     public function url(string $url)
     {
-        $this->args['jdbcUrl'] = !empty($url) ? "--db-url \"$url\"" : '';
+        $this->args['jdbcUrl'] = !empty($url) ? '--db-url ' . escapeshellarg($url) : '';
 
         return $this;
     }
@@ -59,7 +59,7 @@ public function url(string $url)
      */
     public function dir(string $dir)
     {
-        $this->args['jdbcDir'] = !empty($dir) ? "--jdbc-dir \"$dir\"" : '';
+        $this->args['jdbcDir'] = !empty($dir) ? '--jdbc-dir ' . escapeshellarg($dir) : '';
 
         return $this;
     }

diff --git a/src/DatabaseProcessors/MySqlProcessor.php b/src/DatabaseProcessors/MySqlProcessor.php
@@ -18,6 +18,6 @@ class MySqlProcessor extends DatabaseProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t mysql';
+        $this->args['type'] = '-t "mysql"';
     }
 }
diff --git a/src/DatabaseProcessors/OracleProcessor.php b/src/DatabaseProcessors/OracleProcessor.php
@@ -18,7 +18,7 @@ class OracleProcessor extends DatabaseProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t oracle';
+        $this->args['type'] = '-t "oracle"';
     }
 
     /**
@@ -30,7 +30,7 @@ public function __construct()
      */
     public function sid(string $sid)
     {
-        $this->args['oracleSid'] = !empty($sid) ? "--db-sid \"$sid\"" : '';
+        $this->args['oracleSid'] = !empty($sid) ? '--db-sid ' . escapeshellarg($sid) : '';
 
         return $this;
     }

diff --git a/src/DatabaseProcessors/PostgresProcessor.php b/src/DatabaseProcessors/PostgresProcessor.php
@@ -18,6 +18,6 @@ class PostgresProcessor extends DatabaseProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t postgres';
+        $this->args['type'] = '-t "postgres"';
     }
 }
diff --git a/src/FileProcessors/CsvProcessor.php b/src/FileProcessors/CsvProcessor.php
@@ -23,7 +23,7 @@ class CsvProcessor extends FileProcessor
      */
     final public function __construct()
     {
-        $this->args['type'] = '-t csv';
+        $this->args['type'] = '-t "csv"';
     }
 
     /**
@@ -76,7 +76,7 @@ public function columns(array $columns)
      */
     public function fieldDelimiter(string $delimiter)
     {
-        $this->args['csvFieldDelimiter'] = !empty($delimiter) ? "--csv-field-del \"$delimiter\"" : '';
+        $this->args['csvFieldDelimiter'] = !empty($delimiter) ? '--csv-field-del ' . escapeshellarg($delimiter) : '';
 
         return $this;
     }
@@ -91,7 +91,7 @@ public function fieldDelimiter(string $delimiter)
      */
     public function recordDelimiter(string $delimiter)
     {
-        $this->args['csvRecordDelimiter'] = !empty($delimiter) ? "--csv-record-del \"$delimiter\"" : '';
+        $this->args['csvRecordDelimiter'] = !empty($delimiter) ? '--csv-record-del ' . escapeshellarg($delimiter) : '';
 
         return $this;
     }
@@ -106,7 +106,7 @@ public function recordDelimiter(string $delimiter)
      */
     public function charset(string $charset)
     {
-        $this->args['csvCharset'] = !empty($charset) ? "--csv-charset \"$charset\"" : '';
+        $this->args['csvCharset'] = !empty($charset) ? '--csv-charset ' . escapeshellarg($charset) : '';
 
         return $this;
     }
@@ -126,7 +126,7 @@ public function process(string $input, array $formats)
     {
         if (count($this->columns) > 0) {
             $this->args['csvColumns'] = '--csv-columns '
-                . implode(' ', $this->columns);
+                . escapeshellarg(implode(' ', $this->columns));
         }
 
         parent::process($input, $formats);

diff --git a/src/FileProcessors/FileProcessor.php b/src/FileProcessors/FileProcessor.php
@@ -22,7 +22,7 @@ abstract class FileProcessor extends Processor
      */
     public function file(string $file)
     {
-        $this->args['file'] = !empty($file) ? "--data-file \"$file\"" : '';
+        $this->args['file'] = !empty($file) ? '--data-file ' . escapeshellarg($file) : '';
 
         return $this;
     }

diff --git a/src/FileProcessors/JsonProcessor.php b/src/FileProcessors/JsonProcessor.php
@@ -18,7 +18,7 @@ class JsonProcessor extends FileProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t json';
+        $this->args['type'] = '-t "json"';
     }
 
     /**
@@ -30,7 +30,7 @@ public function __construct()
      */
     public function query(string $query)
     {
-        $this->args['jsonQuery'] = !empty($query) ? "--json-query \"$query\"" : '';
+        $this->args['jsonQuery'] = !empty($query) ? '--json-query ' . escapeshellarg($query) : '';
 
         return $this;
     }

diff --git a/src/FileProcessors/XmlProcessor.php b/src/FileProcessors/XmlProcessor.php
@@ -18,7 +18,7 @@ class XmlProcessor extends FileProcessor
      */
     public function __construct()
     {
-        $this->args['type'] = '-t xml';
+        $this->args['type'] = '-t "xml"';
     }
 
     /**
@@ -30,7 +30,7 @@ public function __construct()
      */
     public function xpath(string $xpath)
     {
-        $this->args['xpath'] = !empty($xpath) ? "--xml-xpath $xpath" : '';
+        $this->args['xpath'] = !empty($xpath) ? '--xml-xpath ' . escapeshellarg($xpath) : '';
 
         return $this;
     }

diff --git a/src/JasperBase.php b/src/JasperBase.php
@@ -32,10 +32,10 @@ public function output(string $output)
             $info = pathinfo($output);
             // Checks if the full output is a valid directory
             if (($dir = realpath($output)) && is_dir($dir)) {
-                $output = "-o \"$dir\"";
+                $output = $dir;
             } // Checks if the dirname of the output is a valid directory
             elseif (($dir = realpath($info['dirname'])) && is_dir($dir)) {
-                $output = '-o ' . $dir . '/' . $info['filename'];
+                $output = $dir . '/' . $info['filename'];
 
                 // To avoid .jasper.jasper since JasperStarter always adds the extension
                 if (isset($info['extension']) && $info['extension'] != 'jasper') {
@@ -46,7 +46,7 @@ public function output(string $output)
             }
         }
 
-        $this->output = $output;
+        $this->output = '-o ' . escapeshellarg($output);
         return $this;
     }
 
@@ -60,7 +60,7 @@ public function output(string $output)
      */
     public function locale(string $locale)
     {
-        $this->locale = !empty($locale) ? "--locale \"$locale\"" : '';
+        $this->locale = !empty($locale) ? '--locale ' . escapeshellarg($locale) : '';
 
         return $this;
     }
@@ -87,6 +87,6 @@ protected static function validateInput(string $input, array $acceptedFormats)
             throw new \InvalidArgumentException('Invalid input file format.');
         }
 
-        return realpath($input);
+        return escapeshellarg(realpath($input));
     }
 }
diff --git a/src/Processor.php b/src/Processor.php
@@ -55,31 +55,56 @@ public function writeJasper()
      * Add report parameter
      *
      * @param string $key Parameter name
-     * @param string $value Parameter value
+     * @param mixed $value Parameter value
      *
      * @return $this
      */
-    public function param(string $key, string $value)
+    public function param(string $key, $value)
     {
-        $this->params[$key] = !empty($key) ? "$value" : '';
+        if (!empty($key))
+        {
+            $this->params[$key] = $value;
+        }
 
         return $this;
     }
 
     /**
      * Add report parameters
      *
-     * @param array $params Parameters in the [name1=>value1,nam2=>value2,...] form
+     * @param array $params Parameters in the [name1=>value1,name2=>value2,...] form
      *
      * @return $this
      */
     public function params(array $params)
     {
-        $this->params = array_merge($this->params, $params);
+        foreach ($params as $key => $value)
+        {
+            $this->param($key, $value);
+        }
 
         return $this;
     }
 
+    /**
+     * Implode the array of parameters into the JasperStarter equivalent command
+     *
+     * @return string
+     */
+    protected function implodeParams()
+    {
+        if (count($this->params) > 0) {
+            $args = ' -P';
+            foreach ($this->params as $key => $value) {
+                $args .= ' ' . escapeshellarg($key) . '=' . (is_string($value) ? escapeshellarg($value) : $value);
+            }
+
+            return $args;
+        }
+
+        return '';
+    }
+
     /**
      * Set the path to the resource directory or jar file
      * If not given the input directory is used
@@ -90,7 +115,7 @@ public function params(array $params)
      */
     public function resource(string $path)
     {
-        $this->args['resource'] = $path !== null ? "-r $path" : '';
+        $this->args['resource'] = $path !== null ? '-r ' . escapeshellarg($path) : '';
 
         return $this;
     }
@@ -105,7 +130,7 @@ public function resource(string $path)
      */
     public function outDelimiter(string $delimiter)
     {
-        $this->args['delimiter'] = !empty($delimiter) ? "--out-field-del $delimiter" : '';
+        $this->args['delimiter'] = !empty($delimiter) ? '--out-field-del ' . escapeshellarg($delimiter) : '';
 
         return $this;
     }
@@ -120,7 +145,7 @@ public function outDelimiter(string $delimiter)
      */
     public function charset(string $charset)
     {
-        $this->args['charset'] = !empty($charset) ? "--out-charset $charset" : '';
+        $this->args['charset'] = !empty($charset) ? '--out-charset ' . escapeshellarg($charset) : '';
 
         return $this;
     }
@@ -188,23 +213,4 @@ protected static function validateInput(string $input, array $acceptedFormats =
     {
         return parent::validateInput($input, $acceptedFormats);
     }
-
-    /**
-     * Implode the array of parameters into the JasperStarter equivalent command
-     *
-     * @return string
-     */
-    protected function implodeParams()
-    {
-        if (count($this->params) > 0) {
-            $args = ' -P';
-            foreach ($this->params as $key => $value) {
-                $args .= " $key=\"$value\"";
-            }
-
-            return $args;
-        }
-
-        return '';
-    }
 }