feat: sanitize root folder also in php error messages (RSS-Bridge#3262)

Author: dvikan

lib/Logger.php

@@ -34,8 +34,8 @@ private static function log(string $level, string $message, array $context = [])
             unset($context['e']);
             $context['type'] = get_class($e);
             $context['code'] = $e->getCode();
-            $context['message'] = $e->getMessage();
-            $context['file'] = trim_path_prefix($e->getFile());
+            $context['message'] = sanitize_root($e->getMessage());
+            $context['file'] = sanitize_root($e->getFile());
             $context['line'] = $e->getLine();
             $context['url'] = get_current_url();
             $context['trace'] = trace_to_call_points(trace_from_exception($e));
@@ -58,13 +58,15 @@ private static function log(string $level, string $message, array $context = [])
                 }
             }
         }
+        // Intentionally not sanitizing $message
         $text = sprintf(
             "[%s] rssbridge.%s %s %s\n",
             now()->format('Y-m-d H:i:s'),
             $level,
             $message,
             $context ? Json::encode($context) : ''
         );
+        // Log to stderr/stdout whatever that is
         error_log($text);
     }
 }

lib/RssBridge.php

@@ -34,8 +34,12 @@ private function run($request): void
             if ((error_reporting() & $code) === 0) {
                 return false;
             }
-            $text = sprintf('%s at %s line %s', $message, trim_path_prefix($file), $line);
-            // Drop the current frame
+            $text = sprintf(
+                '%s at %s line %s',
+                sanitize_root($message),
+                sanitize_root($file),
+                $line
+            );
             Logger::warning($text);
             if (Debug::isEnabled()) {
                 print sprintf("<pre>%s</pre>\n", e($text));
@@ -49,8 +53,8 @@ private function run($request): void
                 $message = sprintf(
                     'Fatal Error %s: %s in %s line %s',
                     $error['type'],
-                    $error['message'],
-                    trim_path_prefix($error['file']),
+                    sanitize_root($error['message']),
+                    sanitize_root($error['file']),
                     $error['line']
                 );
                 Logger::error($message);

lib/utils.php

@@ -50,8 +50,8 @@ function create_sane_exception_message(\Throwable $e): string
     return sprintf(
         '%s: %s in %s line %s',
         get_class($e),
-        $e->getMessage(),
-        trim_path_prefix($e->getFile()),
+        sanitize_root($e->getMessage()),
+        sanitize_root($e->getFile()),
         $e->getLine()
     );
 }
@@ -74,7 +74,7 @@ function trace_from_exception(\Throwable $e): array
     $trace = [];
     foreach ($frames as $frame) {
         $trace[] = [
-            'file'      => trim_path_prefix($frame['file'] ?? ''),
+            'file'      => sanitize_root($frame['file'] ?? ''),
             'line'      => $frame['line'] ?? null,
             'class'     => $frame['class'] ?? null,
             'type'      => $frame['type'] ?? null,
@@ -121,9 +121,17 @@ function frame_to_call_point(array $frame): string
  *
  * Example: "/home/davidsf/rss-bridge/index.php" => "index.php"
  */
-function trim_path_prefix(string $filePath): string
+function sanitize_root(string $filePath): string
 {
-    return mb_substr($filePath, mb_strlen(dirname(__DIR__)) + 1);
+    // Root folder of the project e.g. /home/satoshi/repos/rss-bridge
+    $root = dirname(__DIR__);
+    return _sanitize_path_name($filePath, $root);
+}
+
+function _sanitize_path_name(string $s, string $pathName): string
+{
+    // Remove all occurrences of $pathName in the string
+    return str_replace(["$pathName/", $pathName], '', $s);
 }
 
 /**

templates/error.html.php

@@ -16,11 +16,11 @@
         </div>
 
         <div>
-            <strong>Message:</strong> <?= e($e->getMessage()) ?>
+            <strong>Message:</strong> <?= e(sanitize_root($e->getMessage())) ?>
         </div>
 
         <div>
-            <strong>File:</strong> <?= e(trim_path_prefix($e->getFile())) ?>
+            <strong>File:</strong> <?= e(sanitize_root($e->getFile())) ?>
         </div>
 
         <div>

tests/UtilsTest.php

@@ -41,10 +41,17 @@ public function testFileCache()
         $sut->purgeCache(-1);
     }
 
-    public function testTrimFilePath()
+    public function testSanitizePathName()
     {
-        $this->assertSame('', trim_path_prefix(dirname(__DIR__)));
-        $this->assertSame('tests', trim_path_prefix(__DIR__));
-        $this->assertSame('tests/UtilsTest.php', trim_path_prefix(__DIR__ . '/UtilsTest.php'));
+        $this->assertSame('index.php', _sanitize_path_name('/home/satoshi/rss-bridge/index.php', '/home/satoshi/rss-bridge'));
+        $this->assertSame('tests/UtilsTest.php', _sanitize_path_name('/home/satoshi/rss-bridge/tests/UtilsTest.php', '/home/satoshi/rss-bridge'));
+        $this->assertSame('bug in lib/kek.php', _sanitize_path_name('bug in /home/satoshi/rss-bridge/lib/kek.php', '/home/satoshi/rss-bridge'));
+    }
+
+    public function testSanitizePathNameInErrorMessage()
+    {
+        $raw       = 'Error: Argument 1 passed to foo() must be an instance of kk, string given, called in /home/satoshi/rss-bridge/bridges/RumbleBridge.php';
+        $sanitized = 'Error: Argument 1 passed to foo() must be an instance of kk, string given, called in bridges/RumbleBridge.php';
+        $this->assertSame($sanitized, _sanitize_path_name($raw, '/home/satoshi/rss-bridge'));
     }
 }