Conversation

@andrasbacsai
Member

Summary

This PR enhances security across database backup operations, file storage management, PostgreSQL init scripts, and proxy configuration handling by implementing comprehensive input validation and shell argument escaping to prevent command injection attacks.

Changes

  • Added validateShellSafePath() validation calls for database names in backup operations (MongoDB, PostgreSQL, MySQL, MariaDB)
  • Implemented escapeshellarg() escaping for all shell commands involving user-provided paths and filenames
  • Updated PostgreSQL init script management with validation and escaping
  • Added path validation for file storage operations
  • Secured proxy configuration filename handling in dynamic configuration management

Testing

Added comprehensive security test suites:

  • DatabaseBackupSecurityTest.php - Tests command injection prevention in database backup operations
  • FileStorageSecurityTest.php - Tests path validation and escaping for file storage
  • PostgresqlInitScriptSecurityTest.php - Tests filename validation for PostgreSQL init scripts
  • ProxyConfigurationSecurityTest.php - Tests filename validation for proxy configurations

All tests verify that malicious inputs are rejected and legitimate inputs are properly escaped.

… paths, and proxy configuration filenames to prevent command injection
@andrasbacsai andrasbacsai changed the base branch from v4.x to next November 27, 2025 13:38
@andrasbacsai andrasbacsai merged commit 31e2ac4 into next Nov 27, 2025
4 checks passed
@andrasbacsai andrasbacsai deleted the security-validation-escaping branch November 27, 2025 13:54
@andrasbacsai andrasbacsai mentioned this pull request Nov 27, 2025
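
The validate-then-escape pattern the description names for backup commands, as an added example that is not part of the PR or of Coolify's code base. The function names `assertShellSafe()` and `buildPgDumpCommand()`, the forbidden-character list, the `docker exec` command shape, and the sample inputs are assumptions; the project's `validateShellSafePath()` may check differently.

```php
<?php
// Added example, not Coolify's code. assertShellSafe() and buildPgDumpCommand()
// are hypothetical names; the character list is an assumption. Requires PHP 8.

function assertShellSafe(string $value, string $context): string
{
    if ($value === '' || $value[0] === '-') {
        // A leading "-" would be parsed as an option by the called program.
        throw new InvalidArgumentException("Invalid {$context}: empty or starts with '-'");
    }
    // Characters that can end a shell word, start a command, or expand a value.
    $forbidden = ['`', '$', ';', '|', '&', '<', '>', '(', ')', '{', '}',
                  "'", '"', '\\', "\n", "\r", "\0"];
    foreach ($forbidden as $char) {
        if (str_contains($value, $char)) {
            throw new InvalidArgumentException("Invalid {$context}: forbidden character");
        }
    }
    return $value;
}

function buildPgDumpCommand(string $container, string $database, string $backupPath): string
{
    // Layer 1: reject input that has no business in a name or path.
    assertShellSafe($container, 'container name');
    assertShellSafe($database, 'database name');
    assertShellSafe($backupPath, 'backup path');

    // Layer 2: quote every value anyway, so spaces and any character the
    // validator missed stay inside a single shell argument.
    return sprintf(
        'docker exec %s pg_dump --format=custom --dbname=%s > %s',
        escapeshellarg($container),
        escapeshellarg($database),
        escapeshellarg($backupPath)
    );
}

// Constructed sample inputs: one legitimate name with a space, two that must be rejected.
foreach (['shop production', 'shop; echo injected', '--help'] as $database) {
    try {
        echo buildPgDumpCommand('pg-main', $database, '/backups/shop.dmp'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation and escaping cover different failures: the validator stops option injection through a leading `-`, which quoting alone does not, while `escapeshellarg()` keeps a legitimate value containing spaces from splitting into several arguments.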