atomic-docs
Sanitizing File Names
I just found Atomic Docs last night, pretty awesome so far, but I ran into something that caused me a big headache right off the bat.
File names (and strings in general) are not sanitized (as far as I can tell). This can cause a problem when certain illegal characters are added as part of a component or category, which then breaks the application.
Example: component name `Box (Red)` results in a file with a name like `_Box(Red).scss`.
Since "(" is an illegal character in a file name, the application is unable to open the file, and it's impossible to edit / rename the component because the file system is unable to access the file name. (I had to resort to manually editing the file name, and components.dat.)
There is no hinting that the string used to create the component will be used as the file name, or any sort of filtering / validation to prevent illegal characters.
Further, this might create a security issue, if unsanitized user input can directly interact with the file system.
My suggestion(s):
- Add the appropriate warnings / filtering to all user input. Maybe some front-end validation to prevent bad data before attempting to save?
- Add an entry to components.dat for the user supplied string as well as a sanitized version that is used for the file name.
I didn't check to see if it were possible for name collisions, but this would be important as well.
A good example of such a regex can be found on Stack Exchange:

```php
// Remove anything which isn't a word, whitespace, number
// or any of the following characters -_~,;[]().
// If you don't need to handle multi-byte characters
// you can use preg_replace rather than mb_ereg_replace
// Thanks @Łukasz Rysiak!
$file = mb_ereg_replace("([^\w\s\d\-_~,;\[\]\(\).])", '', $file);
// Remove any runs of periods (thanks falstro!)
$file = mb_ereg_replace("([\.]{2,})", '', $file);
```
https://stackoverflow.com/a/2021729/3264690
Then the entry in components.dat might be like:

```json
{ "component": "Box (Red)", "file_name": "BoxRed" }
```
Again, Atomic Docs would need to be sure there isn't already a file name "BoxRed", for "Box Red", "Box (Red)", "Box.Red", etc.
Atomic Docs seems to be fairly straightforward from a PHP perspective, so if you are still looking for some PHP help, I might be able to pitch in. My time is very limited, but I write PHP about 80% of the time.
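The following is an added example, not code from the issue author or from Atomic Docs, showing the two suggestions above together: derive a file-name stem from the user-supplied component name with an allow-list, and check it against the names already recorded in components.dat so that "Box (Red)", "Box Red" and "Box.Red" cannot silently share one file. Note that the Stack Overflow regex quoted above is a block-list that deliberately keeps parentheses, dots and square brackets, so it would not have prevented the `_Box(Red).scss` case; an allow-list cannot be bypassed by a character the list forgot. The directory path, the `_<stem>.scss` naming and the `component` / `file_name` keys are assumptions taken from the issue text, and the registry is an in-memory array standing in for components.dat.

```php
<?php
// Added example (not Atomic Docs code): map a user-supplied component name
// to a filesystem-safe stem and avoid collisions with existing entries.
declare(strict_types=1);

/**
 * Allow-list sanitiser: keep ASCII letters and digits, turn every run of
 * anything else (spaces, parentheses, dots, slashes, NUL, "..") into a
 * single '-'. The original string is kept for display in the registry.
 */
function sanitizeFileStem(string $name): string
{
    $stem = preg_replace('/[^A-Za-z0-9]+/', '-', $name) ?? '';
    $stem = trim($stem, '-');
    // "(((" or "" would otherwise become "_.scss"; use a fixed fallback.
    if ($stem === '') {
        $stem = 'component';
    }
    // Windows reserves these device names regardless of extension.
    if (preg_match('/^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i', $stem)) {
        $stem .= '-x';
    }
    // Keep well under typical 255-byte name limits.
    return substr($stem, 0, 64);
}

/**
 * Return a stem not already used in $registry, appending -2, -3, ... on
 * collision. The comparison is case-insensitive because macOS and Windows
 * filesystems usually are, so "box-red" and "Box-Red" are the same file.
 * $registry is a list of ['component' => ..., 'file_name' => ...] entries.
 */
function uniqueFileStem(string $name, array $registry): string
{
    $taken = [];
    foreach ($registry as $entry) {
        $taken[strtolower($entry['file_name'])] = true;
    }
    $base = sanitizeFileStem($name);
    $candidate = $base;
    for ($i = 2; isset($taken[strtolower($candidate)]); $i++) {
        $candidate = $base . '-' . $i;
    }
    return $candidate;
}

/**
 * Build the registry entry and the path the .scss file would be written to.
 * The path is assembled only from the sanitised stem, never from $name, so
 * the raw user string never reaches the filesystem.
 */
function registerComponent(string $name, array &$registry, string $dir): array
{
    $stem = uniqueFileStem($name, $registry);
    $entry = ['component' => $name, 'file_name' => $stem];
    $registry[] = $entry;
    $path = $dir . DIRECTORY_SEPARATOR . '_' . $stem . '.scss';
    return $entry + ['path' => $path];
}

// Constructed sample input: the names from the issue plus two hostile ones.
$registry = [];
$dir = '/srv/atomic-docs/components';   // hypothetical component directory
$names = ['Box (Red)', 'Box Red', 'Box.Red', '../../etc/passwd', '(((', 'CON'];
foreach ($names as $name) {
    $e = registerComponent($name, $registry, $dir);
    printf("%-20s -> %s\n", $name, $e['path']);
}
// components.dat would then hold the display name next to the file stem:
echo json_encode($registry, JSON_PRETTY_PRINT), PHP_EOL;
```

With this scheme the three "Box" variants all reduce to the same stem and the second and third receive a numeric suffix instead of overwriting the first file, the traversal attempt loses its slashes and dots, and the registry keeps the exact string the user typed for display while the file system only ever sees the allow-listed stem. Front-end validation can mirror the same allow-list so the user is warned before saving, but it must not replace the server-side check.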
@scottsawyer Yeah, pretty much everything you've mentioned has been on my todo list for a while. I've started version 2, which will definitely take care of the issues you've mentioned. You're welcome to dive into the current version if you'd like to address the sanitization, but I'm about 5% PHP developer and 95% designer, so the code is pretty gross.
I'm writing the next version using the Fat-Free PHP framework to make use of routing. Also switching it over to an SQLite DB.
Thanks Nick. I saw in another issue that the newest code was being pushed to the v2_dev branch; is that still the case?
Yeah, I noticed the routing issue. I am running this on nginx, and I ran into some trouble but got it resolved.
Once I get this particular project squared away, I will touch base with you and see what the best approach to help will be. I plan to use this a lot.
@scottsawyer No, I need to clean up that mess of branches. I just have the new version locally at the moment. When I get a chance I'll push it and let you know. Thanks for checking out the project.
Hi @nickberens360! Thanks for atomic-docs! Do you have any kind of idea about the time plan for the next version? A month? A year?
@vladdu I am hoping to have it finished by the end of summer. Thanks!