Issue #3026414 by alexpott, Fabianx: Add tests for PharExtensionInterceptor...

Issue #3026414 by alexpott, Fabianx: Add tests for PharExtensionInterceptor for invocation from a CLI command

core/tests/Drupal/KernelTests/Core/File/PharWrapperTest.php

@@ -3,6 +3,8 @@
 namespace Drupal\KernelTests\Core\File;
 
 use Drupal\KernelTests\KernelTestBase;
+use Symfony\Component\Process\PhpExecutableFinder;
+use Symfony\Component\Process\Process;
 
 /**
  * Tests that the phar stream wrapper works.
@@ -30,4 +32,25 @@ public function testPharFile() {
     file_exists("phar://$base/image-2.jpg/index.php");
   }
 
+  /**
+   * Tests phar files not ending in .phar can be executed using the CLI.
+   */
+  public function testCliPharFile() {
+    $php = (new PhpExecutableFinder())->find();
+    $process = new Process("$php cli_phar", __DIR__ . '/fixtures');
+    $process->run();
+
+    $expected_output = <<<EOF
+Can access phar files without .phar extension if they are the CLI command.
+Can access phar files with .phar extension.
+Cannot access other phar files without .phar extension.
+Shutdown functions work in phar files without a .phar extension.
+Shutdown functions cannot access other phar files without .phar extension.
+
+EOF;
+
+    $this->assertSame($expected_output, $process->getOutput());
+    $this->assertSame(0, $process->getExitCode());
+  }
+
 }

core/tests/Drupal/KernelTests/Core/File/fixtures/build_phar.php

+<?php
+
+/**
+ * @file
+ * Builds a test phar file.
+ */
+
+if (PHP_SAPI !== 'cli') {
+  return;
+}
+// Create a phar to run from CLI.
+$phar = new \Phar(__DIR__ . '/cli.phar');
+$phar->buildFromDirectory(__DIR__ . '/cli_phar_builder');
+
+// pointing main file which requires all classes
+$phar->setDefaultStub('index.php', '/index.php');
+
+// Make a version without a phar extension.
+copy(__DIR__ . '/cli.phar', __DIR__ . '/cli_phar');
+copy(__DIR__ . '/cli.phar', __DIR__ . '/cli_phar.png');

core/tests/Drupal/KernelTests/Core/File/fixtures/cli_phar_builder/index.php

+<?php
+
+/**
+ * @file
+ * Tests phar protection.
+ */
+
+use Drupal\Core\Security\PharExtensionInterceptor;
+use TYPO3\PharStreamWrapper\Behavior;
+use TYPO3\PharStreamWrapper\Exception as PharStreamWrapperException;
+use TYPO3\PharStreamWrapper\Manager;
+use TYPO3\PharStreamWrapper\PharStreamWrapper;
+
+// Use the current working directory so we don't have to include all the code in
+// the phar file.
+require_once getcwd() . '/../../../../../../../autoload.php';
+stream_wrapper_unregister('phar');
+stream_wrapper_register('phar', PharStreamWrapper::class);
+
+Manager::initialize(
+  (new Behavior())
+    ->withAssertion(new PharExtensionInterceptor())
+);
+
+if (file_exists(__DIR__ . '/index.php')) {
+  echo "Can access phar files without .phar extension if they are the CLI command.\n";
+}
+
+if (file_exists('phar://cli.phar')) {
+  echo "Can access phar files with .phar extension.\n";
+}
+
+// Try an insecure phar without an extension.
+try {
+  file_exists('phar://cli_phar.png');
+}
+catch (PharStreamWrapperException $e) {
+  echo "Cannot access other phar files without .phar extension.\n";
+}
+
+// Try accessing phar from a shutdown function.
+register_shutdown_function('phar_shutdown');
+
+function phar_shutdown() {
+  if (file_exists(__DIR__ . '/index.php')) {
+    echo "Shutdown functions work in phar files without a .phar extension.\n";
+  }
+  // Try an insecure phar without an extension.
+  try {
+    file_exists('phar://cli_phar.png');
+  }
+  catch (PharStreamWrapperException $e) {
+    echo "Shutdown functions cannot access other phar files without .phar extension.\n";
+  }
+}