Merge pull request #469 from KnpLabs/fix/GHSA-gq6w-q6wh-jggc

fix: security issue GHSA-gq6w-q6wh-jggc

src/Knp/Snappy/AbstractGenerator.php

@@ -625,6 +625,10 @@ protected function executeCommand($command)
      */
     protected function prepareOutput($filename, $overwrite)
     {
+        if (\strpos($filename, 'phar://') === 0) {
+            throw new InvalidArgumentException('The output file cannot be a phar archive.');
+        }
+
         $directory = \dirname($filename);
 
         if ($this->fileExists($filename)) {

tests/Knp/Snappy/AbstractGeneratorTest.php

@@ -938,6 +938,30 @@ protected function configure(): void
         );
     }
 
+    public function testFailingGenerateWithOutputContainingPharPrefix(): void
+    {
+        $media = $this->getMockBuilder(AbstractGenerator::class)
+            ->setMethods([
+                'configure',
+                'prepareOutput',
+            ])
+            ->setConstructorArgs(['the_binary', [], ['PATH' => '/usr/bin']])
+            ->getMock()
+        ;
+
+        $media->setTimeout(2000);
+
+        $media
+            ->expects($this->once())
+            ->method('prepareOutput')
+            ->with($this->equalTo('phar://the_output_file'))
+        ;
+
+        $this->expectException(InvalidArgumentException::class);
+
+        $media->generate('the_input_file', 'phar://the_output_file', ['foo' => 'bar']);
+    }
+
     /**
      * @return null|string
      */