I'll keep this short and sweet, but we thought this would be a useful tip to share with the world: there is a potential security issue in the combined use of File::getFileUri() and FileSystem::realpath().
Consider the following code excerpt:
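use Drupal\file\Entity\File;

$file = File::load($some_file_uri);
if ($file) {
  // URI as stored on the file entity.
  $uri = $file->getFileUri();
  // Resolve the URI to an absolute local path.
  $file_realpath = \Drupal::service('file_system')->realpath($uri);
}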
Seems pretty harmless, right? Load the file from $some_file_uri; if we have a valid file, get the URI and then grab the real path.
Wrong (potentially, depending on what you do with $file_realpath).
If $file is a valid file, but for whatever reason the file is...