feat(share) : résolution de chemin SMB anti path-traversal

src/Service/Share/Exception/InvalidPathException.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share\Exception;
+
+use RuntimeException;
+
+final class InvalidPathException extends RuntimeException {}

src/Service/Share/SharePathResolver.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Service\Share;
+
+use App\Service\Share\Exception\InvalidPathException;
+
+final class SharePathResolver
+{
+    /**
+     * Normalise un chemin relatif et rejette toute tentative de sortie de racine.
+     */
+    public function normalizeRelative(string $path): string
+    {
+        $path     = str_replace('\\', '/', $path);
+        $segments = [];
+
+        foreach (explode('/', $path) as $segment) {
+            if ('' === $segment || '.' === $segment) {
+                continue;
+            }
+            if ('..' === $segment) {
+                throw new InvalidPathException('Path traversal is not allowed.');
+            }
+            $segments[] = $segment;
+        }
+
+        return implode('/', $segments);
+    }
+
+    /**
+     * Construit le chemin SMB absolu (toujours sous basePath).
+     */
+    public function fullPath(string $basePath, string $relativePath): string
+    {
+        $base     = trim(str_replace('\\', '/', $basePath), '/');
+        $relative = $this->normalizeRelative($relativePath);
+
+        $parts = array_values(array_filter([$base, $relative], static fn (string $p): bool => '' !== $p));
+
+        return '/'.implode('/', $parts);
+    }
+}

tests/Unit/Service/SharePathResolverTest.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Service;
+
+use App\Service\Share\Exception\InvalidPathException;
+use App\Service\Share\SharePathResolver;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @internal
+ */
+final class SharePathResolverTest extends TestCase
+{
+    private SharePathResolver $resolver;
+
+    protected function setUp(): void
+    {
+        $this->resolver = new SharePathResolver();
+    }
+
+    public function testNormalizeRelativeKeepsSimplePath(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('a/b'));
+    }
+
+    public function testNormalizeRelativeStripsDotsAndSlashes(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('/a/./b/'));
+    }
+
+    public function testNormalizeRelativeConvertsBackslashes(): void
+    {
+        self::assertSame('a/b', $this->resolver->normalizeRelative('a\b'));
+    }
+
+    public function testNormalizeRelativeRejectsParentTraversal(): void
+    {
+        $this->expectException(InvalidPathException::class);
+        $this->resolver->normalizeRelative('a/../b');
+    }
+
+    public function testNormalizeRelativeRejectsLeadingParent(): void
+    {
+        $this->expectException(InvalidPathException::class);
+        $this->resolver->normalizeRelative('../etc/passwd');
+    }
+
+    public function testFullPathJoinsBaseAndRelative(): void
+    {
+        self::assertSame('/Projets/a/b', $this->resolver->fullPath('/Projets', 'a/b'));
+    }
+
+    public function testFullPathWithEmptyBaseAndEmptyRelativeIsRoot(): void
+    {
+        self::assertSame('/', $this->resolver->fullPath('', ''));
+    }
+
+    public function testFullPathTrimsBaseSlashes(): void
+    {
+        self::assertSame('/Projets/a', $this->resolver->fullPath('/Projets/', 'a'));
+    }
+}