From 26c1102567c095b051b5e1a0aedb45b78713c283 Mon Sep 17 00:00:00 2001
From: Bartłomiej Dmitruk
Date: Sat, 3 Jan 2026 18:09:44 +0100
Subject: Merge commit from fork
* Fix Path Traversal vulnerability in UserDAO methods
* Add tests and changelog for UserDAO path traversal fix
* make fix-all
* Fix PHPStan
---------
Co-authored-by: Alexandre Alapetite
---
tests/app/Models/UserDAOTest.php | 78 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 tests/app/Models/UserDAOTest.php
(limited to 'tests/app')
diff --git a/tests/app/Models/UserDAOTest.php b/tests/app/Models/UserDAOTest.php
new file mode 100644
index 000000000..33a59c504
--- /dev/null
+++ b/tests/app/Models/UserDAOTest.php
@@ -0,0 +1,78 @@
+>
+ */
+ public static function pathTraversalPayloadsProvider(): array {
+ return [
+ 'parent directory' => ['../'],
+ 'double parent directory' => ['../../'],
+ 'traversal to app' => ['../../app'],
+ 'traversal to etc' => ['../../../etc'],
+ 'traversal with null byte' => ["../\0"],
+ 'absolute path' => ['/etc/passwd'],
+ 'dot only' => ['.'],
+ 'double dot' => ['..'],
+ 'slash in name' => ['user/config'],
+ 'backslash traversal' => ['..\\..\\app'],
+ 'encoded traversal' => ['%2e%2e%2f'],
+ 'mixed traversal' => ['valid/../invalid'],
+ 'empty string' => [''],
+ ];
+ }
+
+ #[DataProvider('validUsernamesProvider')]
+ public function testExistsAcceptsValidUsernames(string $username): void {
+ $result = FreshRSS_UserDAO::exists($username);
+ self::assertIsBool($result);
+ }
+
+ #[DataProvider('validUsernamesProvider')]
+ public function testMtimeAcceptsValidUsernames(string $username): void {
+ $result = FreshRSS_UserDAO::mtime($username);
+ self::assertIsInt($result);
+ }
+
+ #[DataProvider('validUsernamesProvider')]
+ public function testCtimeAcceptsValidUsernames(string $username): void {
+ $result = FreshRSS_UserDAO::ctime($username);
+ self::assertIsInt($result);
+ }
+
+ /**
+ * @return array>
+ */
+ public static function validUsernamesProvider(): array {
+ return [
+ 'simple' => ['alice'],
+ 'with numbers' => ['user123'],
+ 'with underscore' => ['test_user'],
+ 'with dot' => ['user.name'],
+ 'with hyphen' => ['user-name'],
+ 'with at' => ['user@domain'],
+ 'single char' => ['a'],
+ 'max length' => [str_repeat('a', 39)],
+ ];
+ }
+}
-- cgit v1.2.3
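Review bot: `testExistsAcceptsValidUsernames`, `testMtimeAcceptsValidUsernames` and `testCtimeAcceptsValidUsernames` only assert the return type (`self::assertIsBool($result)` / `self::assertIsInt($result)`), so they would still pass if the new username validation rejected every one of the "valid" names — presumably a rejected name and a user that simply does not exist both yield `false` / `0`, which these assertions cannot tell apart. To actually guard against over-rejection, assert the value for a user the test bootstrap is known to provide, e.g. `self::assertTrue(FreshRSS_UserDAO::exists('<fixture-user>'))`, or create a temporary user directory inside the test and expect a non-zero `mtime()`/`ctime()` for it; the `max length` case (39 chars) should likewise be tied to the limit the validator actually enforces rather than a bare type check. The class header and the tests that consume `pathTraversalPayloadsProvider` fall before the visible start of this hunk, so the rejection side of the fix cannot be reviewed from here.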