Bug: Cannot call Security Service from Command Line

[colethorsen]

PHP Version

8.3

CodeIgniter4 Version

4.6.1

CodeIgniter4 Installation Method

Composer (using codeigniter4/appstarter)

Which operating systems have you tested for this bug?

macOS, Linux

Which server did you use?

apache

Database

MySQL 8

What happened?

You can't run the security class from the command line because the security service automatically adds the request on construct and it requires an instance of IncomingRequest not CLIRequest.

Throws an error:

[TypeError]
Cannot assign CodeIgniter\HTTP\CLIRequest to property CodeIgniter\Security\Security::$request of type CodeIgniter\HTTP\IncomingRequest
at SYSTEMPATH/Security/Security.php:209

Backtrace:
  1    SYSTEMPATH/Config/Services.php:657
       CodeIgniter\Security\Security()->__construct(Object(Config\Security))

  2    SYSTEMPATH/Config/BaseService.php:312
       CodeIgniter\Config\Services::security(Object(Config\Security), false)

  3    SYSTEMPATH/Config/BaseService.php:251
       CodeIgniter\Config\BaseService::__callStatic('security', [...])

  4    SYSTEMPATH/Config/Services.php:652
       CodeIgniter\Config\BaseService::getSharedInstance('security', null)

  5    SYSTEMPATH/Config/BaseService.php:321
       CodeIgniter\Config\Services::security()

  6    SYSTEMPATH/Config/BaseService.php:202
       CodeIgniter\Config\BaseService::__callStatic('security', [])

  7    SYSTEMPATH/Common.php:1000
       CodeIgniter\Config\BaseService::get('security')

  8    APPPATH/Commands/Test.php:17
       service('security')

  9    SYSTEMPATH/CLI/Commands.php:74
       App\Commands\Test()->run([])

Steps to Reproduce

Write a command like:

<?php

namespace App\Commands;

use CodeIgniter\CLI\BaseCommand;
use CodeIgniter\CLI\CLI;

class Test extends BaseCommand
{
    protected $group       = 'Testing';
    protected $name        = 'test:sanitize';
    protected $description = 'Sanitize string.';

    public function run(array $params)
    {

        $sanitized = service('security')->sanitizeFilename('test');

        CLI::write($sanitized);
    }
}

Expected Output

In this specific case, I'd like to be able to sanitize the file names of files from sources I don't necessarily trust.

Anything else?

Could the security class be updated to accept any CodeIgnier\HTTP\Request or is there something specific about the IncomingRequest that it relies on?

[michalsn]

The Security class is specifically designed to protect against CSRF attacks, a type of exploit relevant only to HTTP-based requests. CLI requests do not include sessions, cookies, or HTTP headers. There is no concept of CSRF in the CLI.
Given this, I would consider moving the functionality to the sanitize_filename() helper, which now uses a method defined in the service.

[michalsn]

@colethorsen After the release of v4.6.2, you will be able to use the sanitize_filename() helper.