
Shell arguments properly escaped
Accept parameters of any type
Eihen committed Feb 28, 2018
1 parent f013fa9 commit cf46af1
Showing 11 changed files with 60 additions and 54 deletions.
10 changes: 5 additions & 5 deletions src/DatabaseProcessors/DatabaseProcessor.php
Expand Up @@ -20,7 +20,7 @@ abstract class DatabaseProcessor extends Processor
*/
public function host($host)
{
$this->args['dbHost'] = !empty($host) ? "-H \"$host\"" : '';
$this->args['dbHost'] = !empty($host) ? '-H ' . escapeshellarg($host) : '';

return $this;
}
Expand All @@ -34,7 +34,7 @@ public function host($host)
*/
public function port($port)
{
$this->args['dbPort'] = !empty($port) ? "--db-port \"$port\"" : '';
$this->args['dbPort'] = !empty($port) ? '--db-port ' . escapeshellarg($port) : '';

return $this;
}
Expand All @@ -48,7 +48,7 @@ public function port($port)
*/
public function database($name)
{
$this->args['dbName'] = !empty($name) ? "-n \"$name\"" : '';
$this->args['dbName'] = !empty($name) ? '-n ' . escapeshellarg($name) : '';

return $this;
}
Expand All @@ -62,7 +62,7 @@ public function database($name)
*/
public function user($user)
{
$this->args['dbUser'] = !empty($user) ? "-u \"$user\"" : '';
$this->args['dbUser'] = !empty($user) ? '-u ' . escapeshellarg($user) : '';

return $this;
}
Expand All @@ -76,7 +76,7 @@ public function user($user)
*/
public function password($password)
{
$this->args['dbPassword'] = !empty($password) ? "-p \"$password\"" : '';
$this->args['dbPassword'] = !empty($password) ? '-p ' . escapeshellarg($password) : '';

return $this;
}
Expand Down
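Review bot: `password()` still hands the database password to the command line via `-p`, and escapeshellarg() only prevents shell injection — it does nothing to stop the value being readable by any local user through `ps` or `/proc/<pid>/cmdline` once the argument string is executed. If JasperStarter accepts the credential another way (environment or a config file), prefer that; otherwise at least document the exposure above the method, e.g. `// NOTE: the password is passed as a CLI argument and is visible in the process list.` Separately, on Windows escapeshellarg() replaces `%` and `!` with spaces instead of escaping them, so a password containing those characters would be silently altered there — worth a caveat in the docblock. The docblocks of these setters begin above each hunk and are not visible here.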
8 changes: 4 additions & 4 deletions src/DatabaseProcessors/JdbcProcessor.php
Expand Up @@ -16,7 +16,7 @@ class JdbcProcessor extends DatabaseProcessor
*/
public function __construct()
{
$this->args['type'] = '-t generic';
$this->args['type'] = '-t "generic"';
}

/**
Expand All @@ -28,7 +28,7 @@ public function __construct()
*/
public function class($driver)
{
$this->args['jdbcDriver'] = !empty($driver) ? "--db-driver \"$driver\"" : '';
$this->args['jdbcDriver'] = !empty($driver) ? '--db-driver ' . escapeshellarg($driver) : '';

return $this;
}
Expand All @@ -42,7 +42,7 @@ public function class($driver)
*/
public function url($url)
{
$this->args['jdbcUrl'] = !empty($url) ? "--db-url \"$url\"" : '';
$this->args['jdbcUrl'] = !empty($url) ? '--db-url ' . escapeshellarg($url) : '';

return $this;
}
Expand All @@ -57,7 +57,7 @@ public function url($url)
*/
public function dir($dir)
{
$this->args['jdbcDir'] = !empty($dir) ? "--jdbc-dir \"$dir\"" : '';
$this->args['jdbcDir'] = !empty($dir) ? '--jdbc-dir ' . escapeshellarg($dir) : '';

return $this;
}
Expand Down
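Review bot: `url()` now passes the JDBC URL through escapeshellarg(), which on Windows replaces `%` and `!` with spaces rather than escaping them, so a URL carrying percent-encoded characters would be silently corrupted on that platform. If Windows hosts are in scope, either reject such input explicitly, e.g. `if (strpbrk($url, '%!') !== false) { throw new \InvalidArgumentException('JDBC URL contains characters escapeshellarg() cannot preserve on Windows.'); }` behind a platform check, or note the limitation in the method's docblock. The same caveat applies to `dir()` and `class()`, though those values are less likely to contain such characters.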
2 changes: 1 addition & 1 deletion src/DatabaseProcessors/MySqlProcessor.php
Expand Up @@ -16,6 +16,6 @@ class MySqlProcessor extends DatabaseProcessor
*/
public function __construct()
{
$this->args['type'] = '-t mysql';
$this->args['type'] = '-t "mysql"';
}
}
4 changes: 2 additions & 2 deletions src/DatabaseProcessors/OracleProcessor.php
Expand Up @@ -16,7 +16,7 @@ class OracleProcessor extends DatabaseProcessor
*/
public function __construct()
{
$this->args['type'] = '-t oracle';
$this->args['type'] = '-t "oracle"';
}

/**
Expand All @@ -28,7 +28,7 @@ public function __construct()
*/
public function sid($sid)
{
$this->args['oracleSid'] = !empty($sid) ? "--db-sid \"$sid\"" : '';
$this->args['oracleSid'] = !empty($sid) ? '--db-sid ' . escapeshellarg($sid) : '';

return $this;
}
Expand Down
2 changes: 1 addition & 1 deletion src/DatabaseProcessors/PostgresProcessor.php
Expand Up @@ -16,6 +16,6 @@ class PostgresProcessor extends DatabaseProcessor
*/
public function __construct()
{
$this->args['type'] = '-t postgres';
$this->args['type'] = '-t "postgres"';
}
}
10 changes: 5 additions & 5 deletions src/FileProcessors/CsvProcessor.php
Expand Up @@ -21,7 +21,7 @@ class CsvProcessor extends FileProcessor
*/
final public function __construct()
{
$this->args['type'] = '-t csv';
$this->args['type'] = '-t "csv"';
}

/**
Expand Down Expand Up @@ -74,7 +74,7 @@ public function columns($columns)
*/
public function fieldDelimiter($delimiter)
{
$this->args['csvFieldDelimiter'] = !empty($delimiter) ? "--csv-field-del \"$delimiter\"" : '';
$this->args['csvFieldDelimiter'] = !empty($delimiter) ? '--csv-field-del ' . escapeshellarg($delimiter) : '';

return $this;
}
Expand All @@ -89,7 +89,7 @@ public function fieldDelimiter($delimiter)
*/
public function recordDelimiter($delimiter)
{
$this->args['csvRecordDelimiter'] = !empty($delimiter) ? "--csv-record-del \"$delimiter\"" : '';
$this->args['csvRecordDelimiter'] = !empty($delimiter) ? '--csv-record-del ' . escapeshellarg($delimiter) : '';

return $this;
}
Expand All @@ -104,7 +104,7 @@ public function recordDelimiter($delimiter)
*/
public function charset($charset)
{
$this->args['csvCharset'] = !empty($charset) ? "--csv-charset \"$charset\"" : '';
$this->args['csvCharset'] = !empty($charset) ? '--csv-charset ' . escapeshellarg($charset) : '';

return $this;
}
Expand All @@ -124,7 +124,7 @@ public function process($input, $formats)
{
if (count($this->columns) > 0) {
$this->args['csvColumns'] = '--csv-columns '
. implode(' ', $this->columns);
. escapeshellarg(implode(' ', $this->columns));
}

parent::process($input, $formats);
Expand Down
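Review bot: In `process()`, `escapeshellarg(implode(' ', $this->columns))` collapses every column into one quoted argument, whereas the previous unquoted `implode` let the shell split them into separate arguments; if JasperStarter reads `--csv-columns` as a list of arguments this is a behaviour change, and if it reads a single space-separated string it is fine — worth confirming against the JasperStarter usage text. To keep per-argument semantics while still escaping, quote each column on its own: `implode(' ', array_map('escapeshellarg', $this->columns))`. `process()` continues past the end of this hunk.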
2 changes: 1 addition & 1 deletion src/FileProcessors/FileProcessor.php
Expand Up @@ -20,7 +20,7 @@ abstract class FileProcessor extends Processor
*/
public function file($file)
{
$this->args['file'] = !empty($file) ? "--data-file \"$file\"" : '';
$this->args['file'] = !empty($file) ? '--data-file ' . escapeshellarg($file) : '';

return $this;
}
Expand Down
4 changes: 2 additions & 2 deletions src/FileProcessors/JsonProcessor.php
Expand Up @@ -16,7 +16,7 @@ class JsonProcessor extends FileProcessor
*/
public function __construct()
{
$this->args['type'] = '-t json';
$this->args['type'] = '-t "json"';
}

/**
Expand All @@ -28,7 +28,7 @@ public function __construct()
*/
public function query($query)
{
$this->args['jsonQuery'] = !empty($query) ? "--json-query \"$query\"" : '';
$this->args['jsonQuery'] = !empty($query) ? '--json-query ' . escapeshellarg($query) : '';

return $this;
}
Expand Down
4 changes: 2 additions & 2 deletions src/FileProcessors/XmlProcessor.php
Expand Up @@ -16,7 +16,7 @@ class XmlProcessor extends FileProcessor
*/
public function __construct()
{
$this->args['type'] = '-t xml';
$this->args['type'] = '-t "xml"';
}

/**
Expand All @@ -28,7 +28,7 @@ public function __construct()
*/
public function xpath($xpath)
{
$this->args['xpath'] = !empty($xpath) ? "--xml-xpath $xpath" : '';
$this->args['xpath'] = !empty($xpath) ? '--xml-xpath ' . escapeshellarg($xpath) : '';

return $this;
}
Expand Down
10 changes: 5 additions & 5 deletions src/JasperBase.php
Expand Up @@ -30,10 +30,10 @@ public function output($output)
$info = pathinfo($output);
// Checks if the full output is a valid directory
if (($dir = realpath($output)) && is_dir($dir)) {
$output = "-o \"$dir\"";
$output = $dir;
} // Checks if the dirname of the output is a valid directory
elseif (($dir = realpath($info['dirname'])) && is_dir($dir)) {
$output = '-o ' . $dir . '/' . $info['filename'];
$output = $dir . '/' . $info['filename'];

// To avoid .jasper.jasper since JasperStarter always adds the extension
if (isset($info['extension']) && $info['extension'] != 'jasper') {
Expand All @@ -44,7 +44,7 @@ public function output($output)
}
}

$this->output = $output;
$this->output = '-o ' . escapeshellarg($output);
return $this;
}

Expand All @@ -58,7 +58,7 @@ public function output($output)
*/
public function locale($locale)
{
$this->locale = !empty($locale) ? "--locale \"$locale\"" : '';
$this->locale = !empty($locale) ? '--locale ' . escapeshellarg($locale) : '';

return $this;
}
Expand All @@ -85,6 +85,6 @@ protected static function validateInput($input, $acceptedFormats)
throw new \InvalidArgumentException('Invalid input file format.');
}

return realpath($input);
return escapeshellarg(realpath($input));
}
}
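Review bot: `validateInput()` now returns `escapeshellarg(realpath($input))`, but realpath() yields `false` for a path that does not exist and escapeshellarg(false) produces the empty quoted string `''`, so a missing input no longer surfaces as a falsy return and would reach the command line as an empty argument. Guard before escaping: `$real = realpath($input); if ($real === false) { throw new \InvalidArgumentException('Input file not found.'); }` followed by `return escapeshellarg($real);`. Whether existence is already checked earlier in the method is not visible in this hunk (the method begins above it), so this may be redundant if it is.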
58 changes: 32 additions & 26 deletions src/Processor.php
Expand Up @@ -53,31 +53,56 @@ public function writeJasper()
* Add report parameter
*
* @param string $key Parameter name
* @param string $value Parameter value
* @param mixed $value Parameter value
*
* @return $this
*/
public function param($key, $value)
{
$this->params[$key] = !empty($key) ? "$value" : '';
if (!empty($key))
{
$this->params[$key] = $value;
}

return $this;
}

/**
* Add report parameters
*
* @param array $params Parameters in the [name1=>value1,nam2=>value2,...] form
* @param array $params Parameters in the [name1=>value1,name2=>value2,...] form
*
* @return $this
*/
public function params($params)
{
$this->params = array_merge($this->params, $params);
foreach ($params as $key => $value)
{
$this->param($key, $value);
}

return $this;
}

/**
* Implode the array of parameters into the JasperStarter equivalent command
*
* @return string
*/
protected function implodeParams()
{
if (count($this->params) > 0) {
$args = ' -P';
foreach ($this->params as $key => $value) {
$args .= ' ' . escapeshellarg($key) . '=' . (is_string($value) ? escapeshellarg($value) : $value);
}

return $args;
}

return '';
}

/**
* Set the path to the resource directory or jar file
* If not given the input directory is used
Expand All @@ -88,7 +113,7 @@ public function params($params)
*/
public function resource($path)
{
$this->args['resource'] = $path !== null ? "-r $path" : '';
$this->args['resource'] = $path !== null ? '-r ' . escapeshellarg($path) : '';

return $this;
}
Expand All @@ -103,7 +128,7 @@ public function resource($path)
*/
public function outDelimiter($delimiter)
{
$this->args['delimiter'] = !empty($delimiter) ? "--out-field-del $delimiter" : '';
$this->args['delimiter'] = !empty($delimiter) ? '--out-field-del ' . escapeshellarg($delimiter) : '';

return $this;
}
Expand All @@ -118,7 +143,7 @@ public function outDelimiter($delimiter)
*/
public function charset($charset)
{
$this->args['charset'] = !empty($charset) ? "--out-charset $charset" : '';
$this->args['charset'] = !empty($charset) ? '--out-charset ' . escapeshellarg($charset) : '';

return $this;
}
Expand Down Expand Up @@ -186,23 +211,4 @@ protected static function validateInput($input, $acceptedFormats = self::VALID_I
{
return parent::validateInput($input, $acceptedFormats);
}

/**
* Implode the array of parameters into the JasperStarter equivalent command
*
* @return string
*/
protected function implodeParams()
{
if (count($this->params) > 0) {
$args = ' -P';
foreach ($this->params as $key => $value) {
$args .= " $key=\"$value\"";
}

return $args;
}

return '';
}
}
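Review bot: In `implodeParams()`, non-string values bypass escaping (`is_string($value) ? escapeshellarg($value) : $value`) and are concatenated raw: `true`/`false` become `1`/empty, `null` becomes empty, and an array or an object with `__toString()` is stringified with whatever characters it carries, so an object whose string form contains shell metacharacters is injected unescaped. Since every value ends up as text on the command line anyway, escape its string form unconditionally, `$args .= ' ' . escapeshellarg($key) . '=' . escapeshellarg((string) $value);`, and have `param()` reject non-scalar values with an `\InvalidArgumentException` rather than storing them. How JasperStarter interprets an empty value for a boolean parameter is not visible here, so the `false` → empty case may deserve an explicit check as well.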
