From e9738da2c3ef715e0ac6daa998b0e48b9c97ede5 Mon Sep 17 00:00:00 2001
From: jplana <54039533+jplana-ubc@users.noreply.github.com>
Date: Sat, 13 Feb 2021 02:47:03 -0800
Subject: [PATCH] CVE-2021-3129 (#353)
---
 .../MakeViewVariableOptionalSolution.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/Solutions/MakeViewVariableOptionalSolution.php b/src/Solutions/MakeViewVariableOptionalSolution.php
index 2903414f..7e53117d 100644
--- a/src/Solutions/MakeViewVariableOptionalSolution.php
+++ b/src/Solutions/MakeViewVariableOptionalSolution.php
@@ -4,6 +4,7 @@
 use Facade\IgnitionContracts\RunnableSolution;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Str;
 class MakeViewVariableOptionalSolution implements RunnableSolution
 {
@@ -71,8 +72,24 @@ public function run(array $parameters = [])
 }
 }
+ protected function isSafePath(string $path): bool
+ {
+ if (!Str::startsWith($path, ['/', './'])) {
+ return false;
+ }
+ if (!Str::endsWith($path, '.blade.php')) {
+ return false;
+ }
+
+ return true;
+ }
+
 public function makeOptional(array $parameters = [])
 {
+ if (!$this->isSafePath($parameters['viewFile'])) {
+ return false;
+ }
+
 $originalContents = file_get_contents($parameters['viewFile']);
 $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);
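Review bot: The isSafePath guard added in the second hunk checks only the shape of the string — a leading `/` or `./` and a `.blade.php` suffix — so it does not establish that the file actually lies inside the application's view directories: the path is never canonicalised, and `..` segments are not rejected, so the later `file_get_contents($parameters['viewFile'])` can still be pointed at any `.blade.php` file the process can read. Since the file already runs inside Laravel (it imports the Blade facade), resolving the path with `realpath()` and requiring the result to sit under one of the configured view paths (`config('view.paths')`) ties the check to the directory this solution is meant to edit rather than to a naming pattern; note that `realpath()` resolves a `./` prefix against the process working directory, which may not be the application root. The new check also reads `$parameters['viewFile']` with no default, so a request missing that key produces an undefined-index notice followed by a TypeError from the `string` parameter instead of the intended `return false`; `if (!$this->isSafePath($parameters['viewFile'] ?? '')) {` keeps the guard total. makeOptional's body continues past the end of the hunk, and I cannot see whether run() is its only caller.
```php
    protected function isSafePath(string $path): bool
    {
        // … unchanged: '/' or './' prefix check and '.blade.php' suffix check …
        $resolved = realpath($path);
        if ($resolved === false) {
            return false;
        }
        foreach (config('view.paths') as $viewPath) {
            $base = realpath($viewPath);
            if ($base !== false && Str::startsWith($resolved, $base.DIRECTORY_SEPARATOR)) {
                return true;
            }
        }

        return false;
    }
```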