Additional coverage to ensure values are wrapped as expected; ref pterodactyl#3287

DaneEveritt · DaneEveritt · commit 6ef60633d3b7 · 2021-04-24T16:39:56.000-07:00
diff --git a/app/Traits/Commands/EnvironmentWriterTrait.php b/app/Traits/Commands/EnvironmentWriterTrait.php
@@ -1,18 +1,25 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Traits\Commands;
 
 use Pterodactyl\Exceptions\PterodactylException;
 
 trait EnvironmentWriterTrait
 {
+    /**
+     * Escapes an environment value by looking for any characters that could
+     * reasonablly cause environment parsing issues. Those values are then wrapped
+     * in quotes before being returned.
+     */
+    public function escapeEnvironmentValue(string $value): string
+    {
+        if (!preg_match('/^\"(.*)\"$/', $value) && preg_match('/([^\w.\-+\/])+/', $value)) {
+            return sprintf('"%s"', addslashes($value));
+        }
+
+        return $value;
+    }
+
     /**
      * Update the .env file for the application using the passed in values.
      *
@@ -28,14 +35,7 @@ public function writeToEnvironment(array $values = [])
         $saveContents = file_get_contents($path);
         collect($values)->each(function ($value, $key) use (&$saveContents) {
             $key = strtoupper($key);
-            // If the key value is not sorrounded by quotation marks, and contains anything that could reasonably
-            // cause environment parsing issues, wrap it in quotes before writing it. This also adds slashes to the
-            // value to ensure quotes within it don't cause us issues.
-            if (!preg_match('/^\"(.*)\"$/', $value) && preg_match('/([^\w.\-+\/])+/', $value)) {
-                $value = sprintf('"%s"', addslashes($value));
-            }
-
-            $saveValue = sprintf('%s=%s', $key, $value);
+            $saveValue = sprintf('%s=%s', $key, $this->escapeEnvironmentValue($value));
 
             if (preg_match_all('/^' . $key . '=(.*)$/m', $saveContents) < 1) {
                 $saveContents = $saveContents . PHP_EOL . $saveValue;
diff --git a/tests/Unit/Helpers/EnvironmentWriterTraitTest.php b/tests/Unit/Helpers/EnvironmentWriterTraitTest.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Pterodactyl\Tests\Unit\Helpers;
+
+use Pterodactyl\Tests\TestCase;
+use Pterodactyl\Traits\Commands\EnvironmentWriterTrait;
+
+class EnvironmentWriterTraitTest extends TestCase
+{
+    /**
+     * @dataProvider variableDataProvider
+     */
+    public function testVariableIsEscapedProperly($input, $expected)
+    {
+        $output = (new FooClass())->escapeEnvironmentValue($input);
+
+        $this->assertSame($expected, $output);
+    }
+
+    public function variableDataProvider(): array
+    {
+        return [
+            ['foo', 'foo'],
+            ['abc123', 'abc123'],
+            ['val"ue', '"val\"ue"'],
+            ['my test value', '"my test value"'],
+            ['mysql_p@assword', '"mysql_p@assword"'],
+            ['mysql_p#assword', '"mysql_p#assword"'],
+            ['mysql p@$$word', '"mysql p@$$word"'],
+            ['mysql p%word', '"mysql p%word"'],
+            ['mysql p#word', '"mysql p#word"'],
+            ['abc_@#test', '"abc_@#test"'],
+            ['test 123 $$$', '"test 123 $$$"'],
+            ['#password%', '"#password%"'],
+            ['$pass ', '"$pass "'],
+        ];
+    }
+}
+
+class FooClass
+{
+    use EnvironmentWriterTrait;
+}
