Sanitize/improve placeholder patterns

squrious · squrious · commit 1cabcf9b0e9a · 2023-10-20T21:01:21.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php b/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php
@@ -75,8 +75,8 @@ protected function buildRoleMap()
 
             $this->map[$main] = array_unique($this->map[$main]);
 
-            if (str_contains($main, '*')) {
-                $this->rolePlaceholdersPatterns[$main] = sprintf('/%s/', strtr($main, ['*' => '[^\*]+']));
+            if (str_contains($main, '*') && false !== ($pattern = $this->getPlaceholderPattern($main))) {
+                $this->rolePlaceholdersPatterns[$main] = $pattern;
             }
         }
     }
@@ -119,4 +119,20 @@ private function getMatchingPlaceholders(array $roles): array
 
         return $resolved;
     }
+
+    /**
+     * Build the regex pattern for the given role:
+     *   - Replace valid wildcards with a non-wildcard matching pattern and
+     *   - Escape reserved regex characters
+     *
+     * A valid wildcard is a * prefixed with _ and immediately followed by _ or EOL.
+     *
+     * @return string|false The regex pattern, or false if there is no valid wildcard in the role
+     */
+    private function getPlaceholderPattern(string $role): string|false
+    {
+        /** @var int $count */
+        $placeholderPattern = \preg_replace(pattern:'/(?<=_)\\\\\*(?=_|$)/', replacement: '[^\*]*', subject: preg_quote($role), count: $count);
+        return ($count > 0) ? \sprintf('/%s/', $placeholderPattern) : false;
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php b/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php
@@ -70,4 +70,19 @@ public function testGetReachableRoleNamesWithRecursivePlaceholders()
         $this->assertEquals(['ROLE_QUX_A', 'ROLE_QUX_BAZ'], $role->getReachableRoleNames(['ROLE_QUX_A']));
         $this->assertEquals(['ROLE_QUX_BAZ'], $role->getReachableRoleNames(['ROLE_QUX_BAZ']));
     }
+
+    public function testInvalidPlaceholderSyntaxAreNotResolved()
+    {
+        $role = new RoleHierarchy([
+            'ROLE_FOO*' => ['ROLE_FOOBAR'],
+            'ROLE_*FOO' => ['ROLE_FOOBAR'],
+            'ROLE_FOO_*BAR' => ['ROLE_FOOBAR'],
+            'ROLE_FOO*_BAR' => ['ROLE_FOOBAR'],
+        ]);
+
+        $this->assertEquals(['ROLE_FOOA'], $role->getReachableRoleNames(['ROLE_FOOA']));
+        $this->assertEquals(['ROLE_AFOO'], $role->getReachableRoleNames(['ROLE_AFOO']));
+        $this->assertEquals(['ROLE_FOO_ABAR'], $role->getReachableRoleNames(['ROLE_FOO_ABAR']));
+        $this->assertEquals(['ROLE_FOOA_BAR'], $role->getReachableRoleNames(['ROLE_FOOA_BAR']));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,8 @@ protected function buildRoleMap()`
`75`	`75`
`76`	`76`	`$this->map[$main] = array_unique($this->map[$main]);`
`77`	`77`
`78`		`- if (str_contains($main, '*')) {`
`79`		`- $this->rolePlaceholdersPatterns[$main] = sprintf('/%s/', strtr($main, ['' => '[^\]+']));`
	`78`	`+ if (str_contains($main, '*') && false !== ($pattern = $this->getPlaceholderPattern($main))) {`
	`79`	`+ $this->rolePlaceholdersPatterns[$main] = $pattern;`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`	`}`
`@@ -119,4 +119,20 @@ private function getMatchingPlaceholders(array $roles): array`
`119`	`119`
`120`	`120`	`return $resolved;`
`121`	`121`	`}`
	`122`	`+`
	`123`	`+ /**`
	`124`	`+ * Build the regex pattern for the given role:`
	`125`	`+ * - Replace valid wildcards with a non-wildcard matching pattern and`
	`126`	`+ * - Escape reserved regex characters`
	`127`	`+ *`
	`128`	`+ * A valid wildcard is a * prefixed with _ and immediately followed by _ or EOL.`
	`129`	`+ *`
	`130`	`+ * @return string\|false The regex pattern, or false if there is no valid wildcard in the role`
	`131`	`+ */`
	`132`	`+ private function getPlaceholderPattern(string $role): string\|false`
	`133`	`+ {`
	`134`	`+ /** @var int $count */`
	`135`	`+ $placeholderPattern = \preg_replace(pattern:'/(?<=_)\\\\\(?=_\|$)/', replacement: '[^\]*', subject: preg_quote($role), count: $count);`
	`136`	`+ return ($count > 0) ? \sprintf('/%s/', $placeholderPattern) : false;`
	`137`	`+ }`
`122`	`138`	`}`