From 7af514af7669f7e530af3c21c784c1b5b669382f Mon Sep 17 00:00:00 2001
From: Iesan Remus
Date: Tue, 16 Sep 2025 15:42:53 +0300
Subject: [PATCH] BAU-28231 Fixed the Snyk vulnerabilities with 800+ score

---
 src/Codeception/Command/Run.php        | 10 +++++++++-
 src/Codeception/Command/SelfUpdate.php |  4 ++++
 src/Codeception/Configuration.php      |  9 ++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/Codeception/Command/Run.php b/src/Codeception/Command/Run.php
index eb37f7f4b1..a202f24057 100644
--- a/src/Codeception/Command/Run.php
+++ b/src/Codeception/Command/Run.php
@@ -269,8 +269,16 @@ protected function runSuites($suites, $skippedSuites = array())
 
     protected function matchTestFromFilename($filename, $tests_path)
     {
+        // Basic validation: ensure filename is a string and not too long
+        if (!is_string($filename) || strlen($filename) > 1024) {
+            throw new \InvalidArgumentException("Invalid test filename");
+        }
+
+        // Escape regex special characters in $tests_path
+        $safe_tests_path = preg_quote($tests_path, '~');
         $filename = str_replace(array('//', '\/', '\\'), '/', $filename);
-        $res = preg_match("~^$tests_path/(.*?)/(.*)$~", $filename, $matches);
+
+        $res = preg_match("~^{$safe_tests_path}/(.*?)/(.*)$~", $filename, $matches);
         if (! $res) {
             throw new \InvalidArgumentException("Test file can't be matched");
         }
diff --git a/src/Codeception/Command/SelfUpdate.php b/src/Codeception/Command/SelfUpdate.php
index 82e1f9925c..3fccbe7367 100644
--- a/src/Codeception/Command/SelfUpdate.php
+++ b/src/Codeception/Command/SelfUpdate.php
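Review bot: The new `preg_quote($tests_path, '~')` turns `$tests_path` into a literal prefix, but only `$filename` goes through the separator normalisation on the following line; if `$tests_path` can arrive with backslashes or doubled slashes (not visible from this hunk — it depends on the caller), the quoted prefix can no longer match the normalised filename and every test file is rejected with `Test file can't be matched`. Apply the same replacement before quoting: `$tests_path = str_replace(array('//', '\/', '\\'), '/', $tests_path);` ahead of the `preg_quote` call. Separately, the 1024-byte cap on `$filename` is unrelated to the regex-injection fix and sits below the Linux PATH_MAX of 4096, so a deeply nested test path would now throw `Invalid test filename`; either drop the cap or compare against `PHP_MAXPATHLEN`. The body of matchTestFromFilename continues past the end of the hunk.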
@@ -178,6 +178,10 @@ protected function retrieveLatestPharFile(OutputInterface $output)
             $phar = new \Phar($temp);
             // free the variable to unlock the file
             unset($phar);
+            // Add this validation before rename($temp, $this->filename);
+            if (!is_string($this->filename) || !preg_match('/^[\w\-\.\/]+\.phar$/', $this->filename) || strpos($this->filename, '..') !== false) {
+                throw new \Exception('Invalid filename for update.');
+            }
             rename($temp, $this->filename);
         } else {
             throw new \Exception('Request failed.');
diff --git a/src/Codeception/Configuration.php b/src/Codeception/Configuration.php
index a17319dd28..06239ca26e 100644
--- a/src/Codeception/Configuration.php
+++ b/src/Codeception/Configuration.php
@@ -178,7 +178,14 @@ protected static function loadConfigFile($file, $parentConfig)
 
     protected static function autoloadHelpers()
     {
-        Autoload::registerSuffix('Helper', self::helpersDir());
+        $helpersDir = self::helpersDir();
+
+        // Sanitize helpersDir to allow only safe characters (alphanumeric, underscore, dash, slash, dot)
+        if (!is_string($helpersDir) || !preg_match('/^[\w\-\/\.]+$/', $helpersDir)) {
+            throw new \InvalidArgumentException('Invalid helpers directory path');
+        }
+
+        Autoload::registerSuffix('Helper', $helpersDir);
     }
 
     protected static function loadSuites()
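Review bot: The allowlist `/^[\w\-\.\/]+\.phar$/` together with the `..` rejection refuses legitimate install locations — any path containing a space, a Windows drive letter or backslash, or a relative `../codecept.phar` — so `self-update` now fails with `Invalid filename for update.` for those users instead of updating. `$this->filename` is assigned outside this hunk, so I can't see its origin; if it is the path of the running phar rather than untrusted input, a character allowlist adds little here and could be replaced by checking that the target ends in `.phar` and is writable. If the check stays, use `\z` rather than `$` (which still matches before a trailing newline) and throw a more specific exception than `\Exception`. The comment `// Add this validation before rename($temp, $this->filename);` is a leftover instruction rather than documentation; replace it with `// Only ever overwrite a .phar; refuse unusual characters and parent-directory segments`.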
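Review bot: The allowlist `/^[\w\-\/\.]+$/` on `$helpersDir` throws `Invalid helpers directory path` for any project checked out under a path containing a space, a colon or backslash (Windows drive paths), or non-ASCII characters (`\w` is ASCII-only without the `u` modifier), which breaks suite bootstrap for those users rather than hardening anything. `self::helpersDir()` is defined outside this hunk, so I can't tell whether the value comes from the config file or the working directory, but either way it is the operator's own path, not remote input. If a check is wanted, validate the property rather than the spelling: `if (!is_string($helpersDir) || !is_dir($helpersDir)) { throw new \InvalidArgumentException('Invalid helpers directory path'); }`. If the regex is kept, add the `u` modifier and use `\z` in place of `$`.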