From fd76452c48318aa711bceaea4faee90a186c61b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=AE=E3=81=B6?=
Date: Tue, 3 Mar 2026 10:15:17 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20AUTH=5FMAGIC=E5=85=A5=E5=8A=9B=E3=83=90?= =?UTF-8?q?=E3=83=AA=E3=83=87=E3=83=BC=E3=82=B7=E3=83=A7=E3=83=B3=E8=BF=BD?= =?UTF-8?q?=E5=8A=A0=EF=BC=88.env=E3=82=A4=E3=83=B3=E3=82=B8=E3=82=A7?= =?UTF-8?q?=E3=82=AF=E3=82=B7=E3=83=A7=E3=83=B3=E5=AF=BE=E7=AD=96=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
auth_magicフィールドに改行文字を含む値を送信すると、updateEnv()の
preg_replaceで.envファイルに任意の環境変数を注入可能な脆弱性を修正。
- ConfigType: auth_magicにNotBlank + Regex制約を追加
- DataMigrationService::updateEnv(): 改行除去 + パターン検証(二重防御)
Co-Authored-By: Claude Opus 4.6
---
 Form/Type/Admin/ConfigType.php | 9 ++++++++-
 Service/DataMigrationService.php | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/Form/Type/Admin/ConfigType.php b/Form/Type/Admin/ConfigType.php
index f9b0e31..a73a931 100644
--- a/Form/Type/Admin/ConfigType.php
+++ b/Form/Type/Admin/ConfigType.php
@@ -9,6 +9,7 @@ use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\Validator\Constraints\File;
 use Symfony\Component\Validator\Constraints\NotBlank;
+use Symfony\Component\Validator\Constraints\Regex;
 class ConfigType extends AbstractType
 {
@@ -36,10 +37,16 @@ public function buildForm(FormBuilderInterface $builder, array $options)
 ->add('auth_magic', TextType::class, [
 'label' => 'AUTH_MAGIC',
 'required' => true,
- //'placeholder' => '',
 'attr' => [
 'placeholder' => "旧サイトのAUTH_MAGICを入力してください。",
 ],
+ 'constraints' => [
+ new NotBlank(['message' => 'AUTH_MAGICを入力してください。']),
+ new Regex([
+ 'pattern' => '/^[a-zA-Z0-9_\-\.]+$/',
+ 'message' => 'AUTH_MAGICには英数字、アンダースコア、ハイフン、ドットのみ使用できます。',
+ ]),
+ ],
 ])
 ;
 }
diff --git a/Service/DataMigrationService.php b/Service/DataMigrationService.php
index 8493e03..13244f5 100644
--- a/Service/DataMigrationService.php
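Review bot: The `pattern` given to the new Regex constraint in the `auth_magic` field ends in `$`, which in PCRE also matches immediately before a final newline, so a value ending in a single "\n" still satisfies the pattern on its own. Symfony's TextType presumably trims surrounding whitespace before validation, which would remove that newline, but a constraint introduced specifically to block newline injection should not rely on a default option elsewhere; anchoring with `\z` or the `D` modifier makes it self-contained: `'pattern' => '/^[a-zA-Z0-9_\-\.]+$/D',`. The same pattern is reused in the `updateEnv()` hunk of Service/DataMigrationService.php, where it is only safe because of the preceding `str_replace`, and the same anchoring applies there. buildForm() begins before this hunk.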
+++ b/Service/DataMigrationService.php
@@ -120,6 +120,12 @@ public function isVersion($version)
 public function updateEnv($newMagicValue)
 {
+ // 改行を除去し、安全な文字のみ許可(.envインジェクション対策)
+ $newMagicValue = str_replace(["\r", "\n"], '', $newMagicValue);
+ if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $newMagicValue)) {
+ throw new \InvalidArgumentException('AUTH_MAGIC に使用できない文字が含まれています。');
+ }
+
 $projectDir = $this->params->get('kernel.project_dir');
 $envFile = $projectDir . '/.env';