Merge remote-tracking branch 'origin/main'

aguingand · aguingand · commit 5ec7dc3ede2a · 2026-03-19T17:56:28.000+01:00
diff --git a/src/Http/Controllers/Api/ApiController.php b/src/Http/Controllers/Api/ApiController.php
@@ -6,18 +6,9 @@
 use Code16\Sharp\EntityList\SharpEntityList;
 use Code16\Sharp\Http\Controllers\SharpProtectedController;
 use Code16\Sharp\Show\SharpShow;
-use Code16\Sharp\Utils\Entities\SharpEntityManager;
 
 abstract class ApiController extends SharpProtectedController
 {
-    protected SharpEntityManager $entityManager;
-
-    public function __construct()
-    {
-        parent::__construct();
-        $this->entityManager = app(SharpEntityManager::class);
-    }
-
     protected function getListInstance(string $entityKey): SharpEntityList
     {
         return $this->entityManager->entityFor($entityKey)->getListOrFail();
diff --git a/src/Http/Controllers/Api/ApiFormEditorUploadFormController.php b/src/Http/Controllers/Api/ApiFormEditorUploadFormController.php
@@ -3,9 +3,8 @@
 namespace Code16\Sharp\Http\Controllers\Api;
 
 use Code16\Sharp\Http\Controllers\Api\Requests\EditorUploadFormRequest;
-use Illuminate\Routing\Controller;
 
-class ApiFormEditorUploadFormController extends Controller
+class ApiFormEditorUploadFormController extends ApiController
 {
     public function update(string $globalFilter, EditorUploadFormRequest $request, string $entityKey, ?string $instanceId = null)
     {
diff --git a/src/Http/Controllers/Api/ApiFormUploadController.php b/src/Http/Controllers/Api/ApiFormUploadController.php
@@ -4,9 +4,8 @@
 
 use Code16\Sharp\Utils\FileUtil;
 use Illuminate\Foundation\Validation\ValidatesRequests;
-use Illuminate\Routing\Controller;
 
-class ApiFormUploadController extends Controller
+class ApiFormUploadController extends ApiController
 {
     use ValidatesRequests;
 
diff --git a/src/Http/Controllers/Api/ApiFormUploadThumbnailController.php b/src/Http/Controllers/Api/ApiFormUploadThumbnailController.php
@@ -2,16 +2,12 @@
 
 namespace Code16\Sharp\Http\Controllers\Api;
 
-use Code16\Sharp\Auth\SharpAuthorizationManager;
 use Code16\Sharp\Form\Eloquent\Uploads\Traits\UsesSharpUploadModel;
-use Illuminate\Routing\Controller;
 
-class ApiFormUploadThumbnailController extends Controller
+class ApiFormUploadThumbnailController extends ApiController
 {
     use UsesSharpUploadModel;
 
-    public function __construct(private readonly SharpAuthorizationManager $authorizationManager) {}
-
     // Used to generate large thumbnail for upload crop modal
     public function show(string $globalFilter, string $entityKey, ?string $instanceId = null)
     {
diff --git a/tests/Http/Api/ApiFormUploadControllerTest.php b/tests/Http/Api/ApiFormUploadControllerTest.php
@@ -4,6 +4,7 @@
 use Illuminate\Support\Facades\Storage;
 
 beforeEach(function () {
+    login();
     Storage::fake('local');
 });
 
@@ -102,3 +103,13 @@
         ->assertStatus(422)
         ->assertJsonValidationErrorFor('validation_rule.1');
 });
+
+it('does not allow to use a path traversal exploit', function () {
+    $this
+        ->postJson(route('code16.sharp.api.form.upload'), [
+            'file' => UploadedFile::fake()->create('../../../etc/passwd.txt'),
+        ])
+        ->assertOk();
+
+    $this->assertTrue(Storage::disk('local')->exists('tmp/passwd.txt'));
+});
diff --git a/tests/Http/Form/FormUploadsTest.php b/tests/Http/Form/FormUploadsTest.php
@@ -5,6 +5,7 @@
 use Illuminate\Support\Facades\Storage;
 
 beforeEach(function () {
+    login();
     Storage::fake('local');
 });
 
diff --git a/tests/Unit/Console/GeneratorTest.php b/tests/Unit/Console/GeneratorTest.php
@@ -7,7 +7,10 @@
 
 beforeEach(function () {
     login();
+    File::deleteDirectory(base_path('app/Sharp'));
+});
 
+afterEach(function () {
     File::deleteDirectory(base_path('app/Sharp'));
 });
 

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,8 @@`
`3`	`3`	`namespace Code16\Sharp\Http\Controllers\Api;`
`4`	`4`
`5`	`5`	`use Code16\Sharp\Http\Controllers\Api\Requests\EditorUploadFormRequest;`
`6`		`-use Illuminate\Routing\Controller;`
`7`	`6`
`8`		`-class ApiFormEditorUploadFormController extends Controller`
	`7`	`+class ApiFormEditorUploadFormController extends ApiController`
`9`	`8`	`{`
`10`	`9`	`public function update(string $globalFilter, EditorUploadFormRequest $request, string $entityKey, ?string $instanceId = null)`
`11`	`10`	`{`
Original file line number	Diff line number	Diff line change
`@@ -4,9 +4,8 @@`
`4`	`4`
`5`	`5`	`use Code16\Sharp\Utils\FileUtil;`
`6`	`6`	`use Illuminate\Foundation\Validation\ValidatesRequests;`
`7`		`-use Illuminate\Routing\Controller;`
`8`	`7`
`9`		`-class ApiFormUploadController extends Controller`
	`8`	`+class ApiFormUploadController extends ApiController`
`10`	`9`	`{`
`11`	`10`	`use ValidatesRequests;`
`12`	`11`
Original file line number	Diff line number	Diff line change
`@@ -2,16 +2,12 @@`
`2`	`2`
`3`	`3`	`namespace Code16\Sharp\Http\Controllers\Api;`
`4`	`4`
`5`		`-use Code16\Sharp\Auth\SharpAuthorizationManager;`
`6`	`5`	`use Code16\Sharp\Form\Eloquent\Uploads\Traits\UsesSharpUploadModel;`
`7`		`-use Illuminate\Routing\Controller;`
`8`	`6`
`9`		`-class ApiFormUploadThumbnailController extends Controller`
	`7`	`+class ApiFormUploadThumbnailController extends ApiController`
`10`	`8`	`{`
`11`	`9`	`use UsesSharpUploadModel;`
`12`	`10`
`13`		`- public function __construct(private readonly SharpAuthorizationManager $authorizationManager) {}`
`14`		`-`
`15`	`11`	`// Used to generate large thumbnail for upload crop modal`
`16`	`12`	`public function show(string $globalFilter, string $entityKey, ?string $instanceId = null)`
`17`	`13`	`{`