Harden ServiceMap config path validation to prevent local file disclosure

[terabytesoftw]

Motivation

• The extension accepted an arbitrary yii2.config_path and passed it to require after only checking file_exists, which allowed non-PHP readable files to be emitted to output/logs and attacker-controlled PHP to be executed.
• The root cause was insufficient validation around the config path before calling require, enabling local file disclosure in analysis/CI environments.
• The change aims to prevent accidental disclosure while preserving the intended behavior of loading PHP configuration files.

Description

• Tighten ServiceMap constructor validation so that when yii2.config_path is provided it must be an existing regular file, is_readable, and have a .php extension before being loaded.
• Add imports for is_file, pathinfo, and the PATHINFO_EXTENSION constant to support the new checks.
• Update the thrown InvalidArgumentException message to explicitly require a readable PHP file.

Testing

• php -l src/ServiceMap.php reported no syntax errors.
• Attempting ./vendor/bin/phpunit --version could not run because vendor/bin/phpunit is not present in this environment, so unit tests were not executed here.

---

Codex Task

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0b7a3dd8-4278-4bdd-a665-a39019384b36

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-local-file-disclosure-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

❌ 5 Tests Failed:

Tests completed	Failed	Passed	Skipped
523	5	518	0

View the top 3 failed test(s) by shortest run time

yii2.extensions.phpstan.tests.web.property.ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "D:\a\phpstan\phpstan\tests\web\data\property\ApplicationPropertiesClassReflectionType.php:64"

Stack Traces | 0.000545s run time

yii2\extensions\phpstan\tests\web\property\ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "D:\a\phpstan\phpstan\tests\web\data\property\ApplicationPropertiesClassReflectionType.php:64"
Expected type yii\web\Controller<yii\base\Module>|null, got type yii\web\Controller|null in D:\a\phpstan\phpstan\tests\web\data\property\ApplicationPropertiesClassReflectionType.php on line 64.
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'yii\web\Controller<yii\base\Module>|null'
+'yii\web\Controller|null'

phar://D:.../phpstan/phpstan/phpstan.phar.../src/Testing/TypeInferenceTestCase.php:115
D:\a\phpstan\phpstan\tests\web\property\ApplicationPropertiesClassReflectionExtensionTest.php:51

yii2.extensions.phpstan.tests.web.property.ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "/home/runner/work/phpstan/phpstan/tests/web/data/property/ApplicationPropertiesClassReflectionType.php:64"

Stack Traces | 0.000617s run time

yii2\extensions\phpstan\tests\web\property\ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set ".../data/property/ApplicationPropertiesClassReflectionType.php:64"
Expected type yii\web\Controller<yii\base\Module>|null, got type yii\web\Controller|null in .../data/property/ApplicationPropertiesClassReflectionType.php on line 64.
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'yii\web\Controller<yii\base\Module>|null'
+'yii\web\Controller|null'

phar:.../phpstan/phpstan/phpstan.phar.../src/Testing/TypeInferenceTestCase.php:115
.../web/property/ApplicationPropertiesClassReflectionExtensionTest.php:51

yii2.extensions.phpstan.tests.console.property.ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "/home/runner/work/phpstan/phpstan/tests/console/data/property/ApplicationPropertiesClassReflectionType.php:67"

Stack Traces | 0.00143s run time

yii2\extensions\phpstan\tests\console\property\ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set ".../data/property/ApplicationPropertiesClassReflectionType.php:67"
Expected type yii\console\Controller<yii\base\Module>|null, got type yii\console\Controller|null in .../data/property/ApplicationPropertiesClassReflectionType.php on line 67.
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'yii\console\Controller<yii\base\Module>|null'
+'yii\console\Controller|null'

phar:.../phpstan/phpstan/phpstan.phar.../src/Testing/TypeInferenceTestCase.php:115
.../console/property/ApplicationPropertiesClassReflectionExtensionTest.php:51

yii2.extensions.phpstan.tests.console.property.ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "D:\a\phpstan\phpstan\tests\console\data\property\ApplicationPropertiesClassReflectionType.php:67"

Stack Traces | 0.00205s run time

yii2\extensions\phpstan\tests\console\property\ApplicationPropertiesClassReflectionExtensionTest::testFileAsserts with data set "D:\a\phpstan\phpstan\tests\console\data\property\ApplicationPropertiesClassReflectionType.php:67"
Expected type yii\console\Controller<yii\base\Module>|null, got type yii\console\Controller|null in D:\a\phpstan\phpstan\tests\console\data\property\ApplicationPropertiesClassReflectionType.php on line 67.
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'yii\console\Controller<yii\base\Module>|null'
+'yii\console\Controller|null'

phar://D:.../phpstan/phpstan/phpstan.phar.../src/Testing/TypeInferenceTestCase.php:115
D:\a\phpstan\phpstan\tests\console\property\ApplicationPropertiesClassReflectionExtensionTest.php:51

yii2.extensions.phpstan.tests.ServiceMapServiceTest::testThrowExceptionWhenConfigPathInvalid

Stack Traces | 0.00276s run time

yii2\extensions\phpstan\tests\ServiceMapServiceTest::testThrowExceptionWhenConfigPathInvalid
Failed asserting that exception message 'Provided config path 'invalid-path' must be a readable PHP file.' contains 'Provided config path 'invalid-path' must be a readable file.'.

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}