WIP Bundle path validation

JanJakes · JanJakes · commit a7ba5a8ec4cb · 2025-08-13T16:50:45.000+02:00
diff --git a/components/Blueprints/BlueprintParser.php b/components/Blueprints/BlueprintParser.php
@@ -245,7 +245,7 @@ private function createExecutionPlan( array $blueprint ): array {
 		if ( ! empty( $blueprint['themes'] ) && is_array( $blueprint['themes'] ) ) {
 			foreach ( $blueprint['themes'] as $themeRef ) {
 				if ( is_string( $themeRef ) ) {
-					$plan[] = [
+					$step = [
                         'name' => 'installTheme',
                         'args' => [
                             'source'               => $themeRef,
@@ -255,7 +255,7 @@ private function createExecutionPlan( array $blueprint ): array {
                     ];
 				} elseif ( is_array( $themeRef ) && isset( $themeRef['source'] ) && is_string( $themeRef['source'] ) ) {
 					// Pass through the raw definition for extensibility.
-					$plan[] = [
+					$step = [
                         'name' => 'installTheme',
                         'args' => [
                             'source'               => $themeRef['source'],
@@ -267,14 +267,20 @@ private function createExecutionPlan( array $blueprint ): array {
 				} else {
 					throw new InvalidArgumentException( 'Invalid theme reference format in "themes" array.' );
 				}
+
+                $plan[] = $step;
+                $error = $this->validateDataSource( $step['args']['source'], 'wp-content/themes/*' );
+                if ( $error ) {
+                    $errors['themes'] = [$error];
+                }
 			}
 		}
 
 		// 5. activeTheme (install and activate)
 		if ( isset( $blueprint['activeTheme'] ) ) {
 			$themeRef = $blueprint['activeTheme'];
 			if ( is_string( $themeRef ) ) {
-				$plan[] = [
+				$step = [
                     'name' => 'installTheme',
                     'args' => [
                         'source'               => $themeRef,
@@ -283,9 +289,9 @@ private function createExecutionPlan( array $blueprint ): array {
                         ]
                     ];
 			} elseif ( is_array( $themeRef ) && isset( $themeRef['source'] ) && is_string( $themeRef['source'] ) ) {
-				$plan[] = [
+				$step = [
                     'name' => 'installTheme',
-                        'args' => [
+                    'args' => [
                         'source'               => $themeRef['source'],
                         'active'               => true,
                         'importStarterContent' => $themeRef['importStarterContent'] ?? false,
@@ -295,6 +301,12 @@ private function createExecutionPlan( array $blueprint ): array {
 			} else {
 				throw new InvalidArgumentException( 'Invalid theme reference format for "activeTheme".' );
 			}
+
+            $plan[] = $step;
+            $error  = $this->validateDataSource( $step['args']['source'], 'wp-content/themes/*' );
+            if ( $error ) {
+                $errors['themes'] = [$error];
+            }
 		}
 
 		// 6. plugins
@@ -309,6 +321,11 @@ private function createExecutionPlan( array $blueprint ): array {
                     'name' => 'installPlugin',
                     'args' => $pluginDef
                 ];
+
+                $error = $this->validateDataSource( $pluginDef['source'], 'wp-content/plugins/*' );
+                if ( $error ) {
+                    $errors['plugins'] = [$error];
+                }
 			}
 		}
 
@@ -323,6 +340,14 @@ private function createExecutionPlan( array $blueprint ): array {
                 'name' => 'importMedia',
                 'args' => [ 'media' => $blueprint['media'] ]
             ];
+
+            foreach ( $blueprint['media'] as $mediaDef ) {
+                $source = is_array( $mediaDef ) ? $mediaDef['source'] : $mediaDef;
+                $error = $this->validateDataSource( $source, 'wp-content/uploads/*' );
+                if ( $error ) {
+                    $errors['media'] = [$error];
+                }
+            }
 		}
 
 		// 9. siteLanguage
@@ -364,6 +389,31 @@ private function createExecutionPlan( array $blueprint ): array {
                 'name' => 'importContent',
                 'args' => [ 'content' => $blueprint['content'] ]
             ];
+
+            $post_errors = [];
+            foreach ( $blueprint['content'] as $contentDef ) {
+                if ( 'posts' === $contentDef['type'] ) {
+                    if ( isset( $contentDef['source'] ) ) {
+                        $sources = $contentDef['source'];
+                    } else {
+                        $sources = $contentDef;
+                    }
+
+                    if ( ! is_array( $sources ) ) {
+                        $sources = [ $sources ];
+                    }
+
+                    foreach ( $sources as $source ) {
+                        $error = $this->validateDataSource( $source, 'wp-content/content/posts/*' );
+                        if ( $error ) {
+                            $post_errors[] = $error;
+                        }
+                    }
+                }
+            }
+            if ( count( $post_errors ) > 0 ) {
+                $errors['content'] = $post_errors;
+            }
 		}
 
 		// 14. additionalStepsAfterExecution
@@ -410,4 +460,36 @@ private function createExecutionPlan( array $blueprint ): array {
 
 		return [ $plan, $errors ];
 	}
+
+    private function validateDataSource( string $source, string $allowed_pattern ): ?string {
+        if ( strlen( $source ) === 0 ) {
+            return 'Source must be a non-empty string.';
+        }
+
+        // 1. Absolute URL.
+        if ( str_contains( $source, '://' ) ) {
+            return null;
+        }
+
+        // 2. Bundle-relative path.
+        $byte_1 = $source[0];
+        $byte_2 = $source[1] ?? null;
+        if ( str_contains( $source, '/' ) ) {
+            if ( $byte_1 === '/' ) {
+                $source = substr( $source, 1 );
+            } elseif ( $byte_1 === '.' && $byte_2 === '/' ) {
+                $source = substr( $source, 2 );
+            }
+
+            if ( ! fnmatch( $allowed_pattern, $source ) ) {
+                return sprintf(
+                    'Invalid path "%s". Expected to match "%s".',
+                    $source,
+                    $allowed_pattern
+                );
+            }
+        }
+
+        return null;
+    }
 }
