[4.x] Parameter validation and other DB manager improvements

src/Database/Concerns/ManagesPostgresUsers.php

@@ -28,6 +28,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter($username);
+        $this->validatePassword($password);
+
         $createUser = ! $this->userExists($username);
 
         if ($createUser) {
@@ -42,7 +45,7 @@ public function createUser(DatabaseConfig $databaseConfig): bool
     public function deleteUser(DatabaseConfig $databaseConfig): bool
     {
         // Tenant DB username
-        $username = $databaseConfig->getUsername();
+        $username = $this->validateParameter($databaseConfig->getUsername());
 
         // Tenant host connection config
         $connectionName = $this->connection()->getConfig('name');
@@ -77,6 +80,6 @@ public function deleteUser(DatabaseConfig $databaseConfig): bool
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->selectOne("SELECT usename FROM pg_user WHERE usename = '{$username}'");
+        return (bool) $this->connection()->select('SELECT usename FROM pg_user WHERE usename = ?', [$username]);
     }
 }

src/Database/Concerns/ValidatesDatabaseParameters.php

@@ -0,0 +1,83 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Stancl\Tenancy\Database\Concerns;
+
+use InvalidArgumentException;
+
+/**
+ * Provides methods to validate database parameters (e.g. database names, usernames, passwords)
+ * before using them in SQL statements (or in file paths in the case of SQLiteDatabaseManager).
+ *
+ * Used where parameters can be provided by users, and where parameter binding isn't possible.
+ *
+ * @mixin \Stancl\Tenancy\Database\TenantDatabaseManagers\TenantDatabaseManager
+ * @mixin \Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager
+ */
+trait ValidatesDatabaseParameters
+{
+    /**
+     * Characters allowed in the parameters.
+     */
+    protected static function parameterAllowlist(): string
+    {
+        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-';
+    }
+
+    /**
+     * Characters allowed in database user passwords.
+     *
+     * Passwords are always quoted in the SQL statements, so it's safe
+     * to allow a wider range of characters, as long as it doesn't include
+     * characters that can break out of the quoted SQL strings (so e.g.
+     * ', ", \, and ` aren't allowed).
+     */
+    protected static function passwordAllowlist(): string
+    {
+        return ' !#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~';
+    }
+
+    /**
+     * Ensure that parameters (database names, usernames, etc.)
+     * only contain allowed characters before used in SQL statements
+     * (or file names in the case of SQLiteDatabaseManager).
+     *
+     * By default, only the characters in static::parameterAllowlist() are allowed.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validateParameter(string|array|null $parameters, string|null $allowlist = null): string|array|null
+    {
+        if (is_null($parameters)) {
+            // Return null if there's nothing to validate
+            // (e.g. when $databaseConfig->getUsername() of an
+            // improperly created tenant is passed).
+            return null;
+        }
+
+        $allowlist = $allowlist ?? static::parameterAllowlist();
+
+        foreach ((array) $parameters as $parameter) {
+            foreach (str_split($parameter) as $char) {
+                if (! str_contains($allowlist, $char)) {
+                    throw new InvalidArgumentException("Invalid character '{$char}' in parameter: {$parameter}");
+                }
+            }
+        }
+
+        return $parameters;
+    }
+
+    /**
+     * Ensure password only contains allowed characters before used in SQL statements.
+     *
+     * Used as a shorthand for calling validateParameter() with the less strict allowlist.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validatePassword(string|null $password): string|null
+    {
+        return $this->validateParameter($password, static::passwordAllowlist());
+    }
+}

src/Database/TenantDatabaseManagers/MicrosoftSQLDatabaseManager.php

@@ -10,18 +10,20 @@
 {
     public function createDatabase(TenantWithDatabase $tenant): bool
     {
-        $database = $tenant->database()->getName();
+        $database = $this->validateParameter($tenant->database()->getName());
 
         return $this->connection()->statement("CREATE DATABASE [{$database}]");
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP DATABASE [{$tenant->database()->getName()}]");
+        $database = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("DROP DATABASE [{$database}]");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->select("SELECT name FROM master.sys.databases WHERE name = '$name'");
+        return (bool) $this->connection()->select('SELECT name FROM master.sys.databases WHERE name = ?', [$name]);
     }
 }

src/Database/TenantDatabaseManagers/MySQLDatabaseManager.php

@@ -14,16 +14,20 @@ public function createDatabase(TenantWithDatabase $tenant): bool
         $charset = $this->connection()->getConfig('charset');
         $collation = $this->connection()->getConfig('collation');
 
+        $this->validateParameter([$database, $charset, $collation]);
+
         return $this->connection()->statement("CREATE DATABASE `{$database}` CHARACTER SET `$charset` COLLATE `$collation`");
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP DATABASE `{$tenant->database()->getName()}`");
+        $database = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("DROP DATABASE `{$database}`");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->select("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$name'");
+        return (bool) $this->connection()->select('SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = ?', [$name]);
     }
 }

src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php

@@ -24,6 +24,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter([$database, $username]);
+        $this->validatePassword($password);
+
         // Create login
         $this->connection()->statement("CREATE LOGIN [$username] WITH PASSWORD = '$password'");
 
@@ -37,12 +40,14 @@ public function createUser(DatabaseConfig $databaseConfig): bool
 
     public function deleteUser(DatabaseConfig $databaseConfig): bool
     {
-        return $this->connection()->statement("DROP LOGIN [{$databaseConfig->getUsername()}]");
+        $username = $this->validateParameter($databaseConfig->getUsername());
+
+        return $this->connection()->statement("DROP LOGIN [{$username}]");
     }
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->select("SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = '{$username}'");
+        return (bool) $this->connection()->select('SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = ?', [$username]);
     }
 
     public function makeConnectionConfig(array $baseConfig, string $databaseName): array
@@ -54,11 +59,13 @@ public function makeConnectionConfig(array $baseConfig, string $databaseName): a
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
+        $name = $this->validateParameter($tenant->database()->getName());
+
         // Close all connections to the database before deleting it
         // Set the database to SINGLE_USER mode to ensure that
         // No other connections are using the database while we're trying to delete it
         // Rollback all active transactions
-        $this->connection()->statement("ALTER DATABASE [{$tenant->database()->getName()}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;");
+        $this->connection()->statement("ALTER DATABASE [{$name}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;");
 
         return parent::deleteDatabase($tenant);
     }

src/Database/TenantDatabaseManagers/PermissionControlledMySQLDatabaseManager.php

@@ -25,6 +25,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter([$database, $username]);
+        $this->validatePassword($password);
+
         $this->connection()->statement("CREATE USER `{$username}`@`%` IDENTIFIED BY '{$password}'");
 
         $grants = implode(', ', static::$grants);
@@ -48,11 +51,13 @@ protected function isVersion8(): bool
 
     public function deleteUser(DatabaseConfig $databaseConfig): bool
     {
-        return $this->connection()->statement("DROP USER IF EXISTS '{$databaseConfig->getUsername()}'");
+        $username = $this->validateParameter($databaseConfig->getUsername());
+
+        return $this->connection()->statement("DROP USER IF EXISTS '{$username}'");
     }
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->select("SELECT count(*) FROM mysql.user WHERE user = '$username'")[0]->{'count(*)'};
+        return (bool) $this->connection()->select('SELECT count(*) FROM mysql.user WHERE user = ?', [$username])[0]->{'count(*)'};
     }
 }

src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLDatabaseManager.php

@@ -20,6 +20,8 @@ protected function grantPermissions(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $schema = $databaseConfig->connection()['search_path'];
 
+        $this->validateParameter([$database, $username, $schema]);
+
         // Host config
         $connectionName = $this->connection()->getConfig('name');
         $centralDatabase = $this->connection()->getConfig('database');

src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLSchemaManager.php

@@ -23,23 +23,25 @@ protected function grantPermissions(DatabaseConfig $databaseConfig): bool
         // Central database name
         $database = DB::connection(config('tenancy.database.central_connection'))->getDatabaseName();
 
+        $this->validateParameter([$username, $schema, $database]);
+
         $this->connection()->statement("GRANT CONNECT ON DATABASE {$database} TO \"{$username}\"");
         $this->connection()->statement("GRANT USAGE, CREATE ON SCHEMA \"{$schema}\" TO \"{$username}\"");
         $this->connection()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA \"{$schema}\" TO \"{$username}\"");
 
-        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = '{$schema}' AND table_type = 'BASE TABLE'");
+        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = ? AND table_type = 'BASE TABLE'", [$schema]);
 
         // Grant permissions to any existing tables. This is used with RLS
         foreach ($tables as $table) {
             $tableName = $table->table_name;
 
             /** @var string $primaryKey */
-            $primaryKey = $this->connection()->selectOne(<<<SQL
+            $primaryKey = $this->connection()->selectOne(<<<'SQL'
                 SELECT column_name
                 FROM information_schema.key_column_usage
-                WHERE table_name = '{$tableName}'
+                WHERE table_name = ?
                 AND constraint_name LIKE '%_pkey'
-            SQL)->column_name;
+            SQL, [$tableName])->column_name;
 
             // Grant all permissions for all existing tables
             $this->connection()->statement("GRANT ALL ON \"{$schema}\".\"{$tableName}\" TO \"{$username}\"");

src/Database/TenantDatabaseManagers/PostgreSQLDatabaseManager.php

@@ -10,16 +10,20 @@ class PostgreSQLDatabaseManager extends TenantDatabaseManager
 {
     public function createDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("CREATE DATABASE \"{$tenant->database()->getName()}\" WITH TEMPLATE=template0");
+        $name = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("CREATE DATABASE \"{$name}\" WITH TEMPLATE=template0");
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP DATABASE \"{$tenant->database()->getName()}\"");
+        $name = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("DROP DATABASE \"{$name}\"");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->selectOne("SELECT datname FROM pg_database WHERE datname = '$name'");
+        return (bool) $this->connection()->select('SELECT datname FROM pg_database WHERE datname = ?', [$name]);
     }
 }

src/Database/TenantDatabaseManagers/PostgreSQLSchemaManager.php

@@ -10,17 +10,21 @@ class PostgreSQLSchemaManager extends TenantDatabaseManager
 {
     public function createDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("CREATE SCHEMA \"{$tenant->database()->getName()}\"");
+        $name = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("CREATE SCHEMA \"{$name}\"");
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP SCHEMA \"{$tenant->database()->getName()}\" CASCADE");
+        $name = $this->validateParameter($tenant->database()->getName());
+
+        return $this->connection()->statement("DROP SCHEMA \"{$name}\" CASCADE");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->select("SELECT schema_name FROM information_schema.schemata WHERE schema_name = '$name'");
+        return (bool) $this->connection()->select('SELECT schema_name FROM information_schema.schemata WHERE schema_name = ?', [$name]);
     }
 
     public function makeConnectionConfig(array $baseConfig, string $databaseName): array

src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php

@@ -7,12 +7,15 @@
 use Closure;
 use Illuminate\Database\Eloquent\Model;
 use PDO;
+use Stancl\Tenancy\Database\Concerns\ValidatesDatabaseParameters;
 use Stancl\Tenancy\Database\Contracts\TenantDatabaseManager;
 use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
 use Throwable;
 
 class SQLiteDatabaseManager implements TenantDatabaseManager
 {
+    use ValidatesDatabaseParameters;
+
     /**
      * SQLite database directory path.
      *
@@ -57,6 +60,11 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
      */
     public static Closure|null $closeInMemoryConnectionUsing = null;
 
+    protected static function parameterAllowlist(): string
+    {
+        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
+    }
+
     public function createDatabase(TenantWithDatabase $tenant): bool
     {
         /** @var TenantWithDatabase&Model $tenant */
@@ -84,6 +92,8 @@ public function createDatabase(TenantWithDatabase $tenant): bool
             return true;
         }
 
+        $this->validateParameter($name);
+
         return file_put_contents($this->getPath($name), '') !== false;
     }
 
@@ -99,6 +109,8 @@ public function deleteDatabase(TenantWithDatabase $tenant): bool
             return true;
         }
 
+        $this->validateParameter($name);
+
         $path = $this->getPath($name);
 
         try {

src/Database/TenantDatabaseManagers/TenantDatabaseManager.php

@@ -6,11 +6,14 @@
 
 use Illuminate\Database\Connection;
 use Illuminate\Support\Facades\DB;
+use Stancl\Tenancy\Database\Concerns\ValidatesDatabaseParameters;
 use Stancl\Tenancy\Database\Contracts\StatefulTenantDatabaseManager;
 use Stancl\Tenancy\Database\Exceptions\NoConnectionSetException;
 
 abstract class TenantDatabaseManager implements StatefulTenantDatabaseManager
 {
+    use ValidatesDatabaseParameters;
+
     /** The database connection to the server. */
     protected string $connection;