Path traversal in GetVersion::get_current_commit() via unsanitized $branch parameter #4

Open
opened 2026-05-14 20:29:50 +02:00 by Claude · 0 comments

## Problem

`get_current_commit()` interpolates the `$branch` parameter directly into a `sprintf()` call that constructs a filesystem path: `sprintf('../.git/refs/heads/%s', $branch)`. The method is `public static` with no sanitization, so any caller can pass arbitrary strings including path-traversal sequences.

## Location

`src/GetVersion.php`, lines 10–11

```php
if (file_get_contents(sprintf('../.git/refs/heads/%s', $branch))) {
    $hash = file_get_contents(sprintf('../.git/refs/heads/%s', $branch));
```

## Risk

All three controllers today call this with the hardcoded string `"master"`, so there is no immediate user-controlled input path. However, the unguarded public static signature is a latent vulnerability — one refactor away from exploitation. If user input were ever passed as `$branch`, an attacker could supply `../../config/packages/security` to read arbitrary files accessible to the web process, leaking secrets, configuration, or source code.

## Suggested fix direction

Restrict allowed branch names to an alphanumeric allowlist (e.g., `preg_match('/^[a-zA-Z0-9_\-]+$/', $branch)`) before use in the path, or make the branch value a compile-time constant rather than a parameter.
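The fix direction above, worked through as an added example (this is not OpenLink's code; the class name `SafeGetVersion`, the method `isValidBranch()` and the `getCurrentCommit()` signature are assumptions). It applies the issue's allowlist regex before the value reaches a path, and adds a `realpath()` containment check as defence in depth, keeping the original `../.git/refs/heads` layout:

```php
<?php
// Added example, not the project's own code. Assumes the .git directory sits
// one level above the working directory, as in the original sprintf() path.
final class SafeGetVersion
{
    // Allowlist from the issue: letters, digits, underscore and hyphen only.
    private const BRANCH_PATTERN = '/^[a-zA-Z0-9_\-]+$/';

    public static function isValidBranch(string $branch): bool
    {
        return preg_match(self::BRANCH_PATTERN, $branch) === 1;
    }

    // Returns the commit hash for $branch, or null when the name is rejected
    // or the ref file cannot be read. Never builds a path from an unvalidated value.
    public static function getCurrentCommit(string $branch = 'master'): ?string
    {
        // 1. Reject anything outside the allowlist before it touches the filesystem.
        if (!self::isValidBranch($branch)) {
            return null;
        }

        // 2. Defence in depth: resolve both paths and require the ref file to
        //    remain inside refs/heads even if the allowlist is later relaxed.
        $headsDir = realpath('../.git/refs/heads');
        if ($headsDir === false) {
            return null;
        }
        $refFile = realpath($headsDir . DIRECTORY_SEPARATOR . $branch);
        if ($refFile === false || strpos($refFile, $headsDir . DIRECTORY_SEPARATOR) !== 0) {
            return null;
        }

        $hash = file_get_contents($refFile);
        return $hash === false ? null : trim($hash);
    }
}

// Constructed sample inputs: the hardcoded value the controllers use today,
// and the traversal string from the Risk section.
var_dump(SafeGetVersion::isValidBranch('master'));
var_dump(SafeGetVersion::isValidBranch('../../config/packages/security'));
```

Like the issue's regex, the allowlist rejects the `/` in nested branch names such as `feature/x`; if that is ever relaxed, the containment check in step 2 is what still keeps reads inside `refs/heads`.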

## Severity

moderate

## Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLink#4