WIP Bundle path validation

JanJakes · JanJakes · commit 413489952156 · 2025-08-12T17:21:45.000+02:00
diff --git a/components/Blueprints/BlueprintParser.php b/components/Blueprints/BlueprintParser.php
@@ -274,7 +274,7 @@ private function createExecutionPlan( array $blueprint ): array {
 		if ( isset( $blueprint['activeTheme'] ) ) {
 			$themeRef = $blueprint['activeTheme'];
 			if ( is_string( $themeRef ) ) {
-				$plan[] = [
+				$step = [
                     'name' => 'installTheme',
                     'args' => [
                         'source'               => $themeRef,
@@ -283,9 +283,9 @@ private function createExecutionPlan( array $blueprint ): array {
                         ]
                     ];
 			} elseif ( is_array( $themeRef ) && isset( $themeRef['source'] ) && is_string( $themeRef['source'] ) ) {
-				$plan[] = [
+				$step = [
                     'name' => 'installTheme',
-                        'args' => [
+                    'args' => [
                         'source'               => $themeRef['source'],
                         'active'               => true,
                         'importStarterContent' => $themeRef['importStarterContent'] ?? false,
@@ -295,6 +295,12 @@ private function createExecutionPlan( array $blueprint ): array {
 			} else {
 				throw new InvalidArgumentException( 'Invalid theme reference format for "activeTheme".' );
 			}
+
+            $plan[] = $step;
+            $error = $this->validateDataSource( $step['args']['source'], 'wp-content/themes/' );
+            if ( $error ) {
+                $errors['themes'] = [$error];
+            }
 		}
 
 		// 6. plugins
@@ -309,6 +315,11 @@ private function createExecutionPlan( array $blueprint ): array {
                     'name' => 'installPlugin',
                     'args' => $pluginDef
                 ];
+
+                $error = $this->validateDataSource( $pluginDef['source'], 'wp-content/plugins/' );
+                if ( $error ) {
+                    $errors['plugins'] = [$error];
+                }
 			}
 		}
 
@@ -410,4 +421,33 @@ private function createExecutionPlan( array $blueprint ): array {
 
 		return [ $plan, $errors ];
 	}
+
+    private function validateDataSource( string $source, string $bundle_prefix ): ?string {
+
+        if ( strlen( $source ) === 0 ) {
+            return 'Source must be a non-empty string.';
+        }
+
+        // 1. Absolute URL.
+        if ( str_contains( $source, '://' ) ) {
+            return null;
+        }
+
+        // 2. Bundle-relative path.
+        $byte_1 = $source[0];
+        $byte_2 = $source[1] ?? null;
+        if ( str_contains( $source, '/' ) ) {
+            if ( $byte_1 === '/' ) {
+                $source = substr( $source, 1 );
+            } elseif ( $byte_1 === '.' && $byte_2 === '/' ) {
+                $source = substr( $source, 2 );
+            }
+
+            if ( ! str_starts_with( $source, $bundle_prefix ) ) {
+                return 'Source must be a relative path starting with "' . $bundle_prefix . '".';
+            }
+        }
+
+        return null;
+    }
 }
