actions/setup-php
1
0
Fork 0
mirror of https://github.com/shivammathur/setup-php.git synced 2026-05-14 17:35:05 +07:00
Code Issues Packages Projects Releases Wiki Activity

GHSA-pqwm-q9pv-ph8r - Fix CWE-78 [skip ci]

Browse Source
This commit is contained in:
Shivam Mathur
2026-05-14 03:56:37 +05:30
parent 0dc33069a3
commit eeef37e059
8 changed files with 199 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
__tests__/config.test.ts
View File

@@ -2,14 +2,18 @@ import * as config from '../src/config';
describe('Config tests', () => {
it.each`
ini_values | os | output
${'a=b, c=d'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=b\nc=d"'}
${'a=b, c=d'} | ${'linux'} | ${'echo "a=b\nc=d" | sudo tee -a "${pecl_file:-${ini_file[@]}}"'}
${'a=b, c=d'} | ${'darwin'} | ${'echo "a=b\nc=d" | sudo tee -a "${pecl_file:-${ini_file[@]}}"'}
${'a=b & ~c'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=\'b & ~c\'"'}
${'a="~(b)"'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=\'~(b)\'"'}
${'a="b, c"'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=b, c"'}
${'a=b, c=d'} | ${'openbsd'} | ${'Platform openbsd is not supported'}
ini_values | os | output
${'a=b, c=d'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=b\nc=d"'}
${'a=b, c=d'} | ${'linux'} | ${'echo "a=b\nc=d" | sudo tee -a "${pecl_file:-${ini_file[@]}}"'}
${'a=b, c=d'} | ${'darwin'} | ${'echo "a=b\nc=d" | sudo tee -a "${pecl_file:-${ini_file[@]}}"'}
${'a=b & ~c'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=\'b & ~c\'"'}
${'a="~(b)"'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=\'~(b)\'"'}
${'a="b, c"'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=b, c"'}
${'disable_functions="exec,system"'} | ${'linux'} | ${'echo "disable_functions=exec,system" | sudo tee -a'}
${'disable_functions="exec,system"'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "disable_functions=exec,system"'}
${'a=$(id)'} | ${'linux'} | ${'echo "a=\'\\$(id)\'"'}
${'a=$(id)'} | ${'win32'} | ${'Add-Content "$php_dir\\php.ini" "a=\'`$(id)\'"'}
${'a=b, c=d'} | ${'openbsd'} | ${'Platform openbsd is not supported'}
`('checking addINIValues on $os', async ({ini_values, os, output}) => {
expect(await config.addINIValues(ini_values, os)).toContain(output);
});

45
__tests__/tools.test.ts
View File

@@ -187,6 +187,7 @@ describe('Tools tests', () => {
${'1.2.3-dev'} | ${'tool'} | ${'phar'} | ${'1.2.3-dev'}
${'1.2.3-alpha1'} | ${'tool'} | ${'phar'} | ${'1.2.3-alpha1'}
${'1.2.3-alpha.1'} | ${'tool'} | ${'phar'} | ${'1.2.3-alpha.1'}
${'1.>=0'} | ${'tool'} | ${'phar'} | ${'1.0'}
`(
'checking getVersion: $version, $tool, $type',
async ({version, tool, type, expected}) => {
@@ -304,22 +305,30 @@ describe('Tools tests', () => {
});
it.each`
os | script | scope
${'linux'} | ${'add_composer_tool tool tool:1.2.3 user/ global'} | ${'global'}
${'darwin'} | ${'add_composer_tool tool tool:1.2.3 user/ scoped'} | ${'scoped'}
${'win32'} | ${'Add-ComposerTool tool tool:1.2.3 user/ scoped'} | ${'scoped'}
${'openbsd'} | ${'Platform openbsd is not supported'} | ${'global'}
`('checking addPackage: $os, $scope', async ({os, script, scope}) => {
const data = getData({
tool: 'tool',
version: '1.2.3',
repository: 'user/tool',
os: os,
scope: scope
});
data['release'] = [data['tool'], data['version']].join(':');
expect(await tools.addPackage(data)).toContain(script);
});
os | release | scope | script
${'linux'} | ${'tool:1.2.3'} | ${'global'} | ${'add_composer_tool tool tool:1.2.3 user/ global'}
${'darwin'} | ${'tool:1.2.3'} | ${'scoped'} | ${'add_composer_tool tool tool:1.2.3 user/ scoped'}
${'win32'} | ${'tool:1.2.3'} | ${'scoped'} | ${'Add-ComposerTool tool tool:1.2.3 user/ scoped'}
${'linux'} | ${'tool:>=1.2'} | ${'global'} | ${'add_composer_tool tool "tool:>=1.2" user/ global'}
${'win32'} | ${'tool:>=1.2'} | ${'global'} | ${'Add-ComposerTool tool "tool:>=1.2" user/ global'}
${'linux'} | ${'tool:1.*'} | ${'global'} | ${'add_composer_tool tool "tool:1.*" user/ global'}
${'linux'} | ${'psalm:^5||^6'} | ${'global'} | ${'add_composer_tool tool "psalm:^5||^6" user/ global'}
${'linux'} | ${'psalm:>=5,<6'} | ${'global'} | ${'add_composer_tool tool "psalm:>=5,<6" user/ global'}
${'openbsd'} | ${'tool:1.2.3'} | ${'global'} | ${'Platform openbsd is not supported'}
`(
'checking addPackage: $os, $release',
async ({os, release, scope, script}) => {
const data = getData({
tool: 'tool',
version: '1.2.3',
repository: 'user/tool',
os,
scope
});
data['release'] = release;
expect(await tools.addPackage(data)).toContain(script);
}
);
it.each`
version | php_version | os | script
@@ -651,7 +660,7 @@ describe('Tools tests', () => {
'add_devtools phpize',
'add_tool https://github.com/phpmd/phpmd/releases/latest/download/phpmd.phar phpmd "--version"',
'add_tool https://github.com/phpspec/phpspec/releases/latest/download/phpspec.phar phpspec "-V"',
'add_composer_tool phpunit-bridge phpunit-bridge:5.6.* symfony/ global',
'add_composer_tool phpunit-bridge "phpunit-bridge:5.6.*" symfony/ global',
'add_composer_tool phpunit-polyfills phpunit-polyfills:1.0.1 yoast/ global',
'add_protoc 1.2.3',
'add_tool https://github.com/vimeo/psalm/releases/latest/download/psalm.phar psalm "-v"',
@@ -711,7 +720,7 @@ describe('Tools tests', () => {
'Add-ComposerTool codeception codeception codeception/ global',
'Add-ComposerTool prestissimo prestissimo hirak/ global',
'Add-ComposerTool automatic-composer-prefetcher automatic-composer-prefetcher narrowspark/ global',
'Add-ComposerTool phinx phinx:1.2.* robmorgan/ scoped',
'Add-ComposerTool phinx "phinx:1.2.*" robmorgan/ scoped',
'Add-ComposerTool phinx phinx:^1.2 robmorgan/ global',
'Add-ComposerTool tool tool:1.2.3 user/ global',
'Add-ComposerTool tool tool:~1.2 user/ global'

72
__tests__/utils.test.ts
View File

@@ -40,7 +40,19 @@ describe('Utils tests', () => {
expect(await utils.parseVersion('7')).toBe('7.0');
expect(await utils.parseVersion('7.4')).toBe('7.4');
expect(await utils.parseVersion('5.x')).toBe('5.6');
expect(await utils.parseVersion('4.x')).toBe(undefined);
expect(await utils.parseVersion('pre')).toBe('pre');
expect(await utils.parseVersion('pre-installed')).toBe('pre');
await expect(utils.parseVersion('4.x')).rejects.toThrow(
'Invalid PHP version: 4.x'
);
await expect(utils.parseVersion('foo')).rejects.toThrow(
'Invalid PHP version:'
);
fetchSpy.mockResolvedValue({data: '{ "latest": "8.1.0" }'});
await expect(utils.parseVersion('latest')).rejects.toThrow(
'Invalid PHP version in manifest:'
);
fetchSpy.mockReset();
fetchSpy.mockResolvedValueOnce({}).mockResolvedValueOnce({});
@@ -56,6 +68,12 @@ describe('Utils tests', () => {
expect(await utils.parseIniFile('none')).toBe('none');
expect(await utils.parseIniFile('php.ini-production')).toBe('production');
expect(await utils.parseIniFile('php.ini-development')).toBe('development');
expect(await utils.parseIniFile('/etc/php.ini-production')).toBe(
'production'
);
expect(await utils.parseIniFile('/a-b/php.ini-development')).toBe(
'development'
);
expect(await utils.parseIniFile('invalid')).toBe('production');
});
@@ -91,6 +109,22 @@ describe('Utils tests', () => {
).toEqual(['apcu', 'mbstring', 'pdo_pgsql', 'posix', 'session']);
});
it('checking shell helpers', () => {
expect(utils.escapeForShell('a$b`c\\d"e', 'linux')).toBe(
'a\\$b\\`c\\\\d\\"e'
);
expect(utils.escapeForShell('a$b`c"d', 'win32')).toBe('a`$b``c`"d');
expect(utils.safeArg('vendor-pkg/repo@v1.0.0', 'linux')).toBe(
'vendor-pkg/repo@v1.0.0'
);
expect(utils.safeArg('phpcs:>=3.0', 'linux')).toBe('"phpcs:>=3.0"');
expect(utils.safeArg('foo$bar', 'win32')).toBe('"foo`$bar"');
expect(utils.sanitizeShellInput('foo;$(`ls`)bar')).toBe('foolsbar');
expect(utils.sanitizeShellInput('vendor/foo:1.*', true)).toBe(
'vendor/foo:1.'
);
});
it('checking INIArray', async () => {
expect(await utils.CSVArray('a=1, b=2, c=3')).toEqual([
'a=1',
@@ -282,6 +316,9 @@ describe('Utils tests', () => {
process.env['php-version'] = '8.2';
expect(await utils.readPHPVersion()).toBe('8.2');
process.env['php-version'] = 'pre-installed';
expect(await utils.readPHPVersion()).toBe('pre-installed');
delete process.env['php-version-file'];
delete process.env['php-version'];
@@ -291,7 +328,7 @@ describe('Utils tests', () => {
existsSync.mockReturnValue(true);
readFileSync.mockReturnValue('setup-php');
expect(await utils.readPHPVersion()).toBe('setup-php');
await expect(utils.readPHPVersion()).rejects.toThrow('Invalid PHP version');
existsSync.mockReturnValueOnce(false).mockReturnValueOnce(true);
readFileSync.mockReturnValue(
@@ -312,6 +349,37 @@ describe('Utils tests', () => {
readFileSync.mockClear();
});
it('readPHPVersion rejects unsupported values from each source', async () => {
const existsSync = jest.spyOn(fs, 'existsSync').mockImplementation();
const readFileSync = jest.spyOn(fs, 'readFileSync').mockImplementation();
process.env['php-version'] = 'bogus';
await expect(utils.readPHPVersion()).rejects.toThrow('php-version input');
delete process.env['php-version'];
existsSync.mockReturnValue(true);
readFileSync.mockReturnValue('bogus');
await expect(utils.readPHPVersion()).rejects.toThrow('.php-version');
existsSync.mockReturnValueOnce(false).mockReturnValueOnce(true);
readFileSync.mockReturnValue('{"platform-overrides":{"php":"bogus"}}');
await expect(utils.readPHPVersion()).rejects.toThrow(
'composer.lock platform-overrides.php'
);
existsSync
.mockReturnValueOnce(false)
.mockReturnValueOnce(false)
.mockReturnValueOnce(true);
readFileSync.mockReturnValue('{"config":{"platform":{"php":"bogus"}}}');
await expect(utils.readPHPVersion()).rejects.toThrow(
'composer.json config.platform.php'
);
existsSync.mockClear();
readFileSync.mockClear();
});
it('checking setVariable', async () => {
let script: string = await utils.setVariable('var', 'command', 'linux');
expect(script).toEqual('\nvar="$(command)"\n');