Skip to content

Validate downloaded files before adding to cache #6149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
swissspidy merged 13 commits into from
Feb 18, 2026
Merged

Validate downloaded files before adding to cache #6149

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
ee48cbb
Check cache file validation
dhruvang21 Nov 11, 2025
6983b03
Update warning message
dhruvang21 Nov 12, 2025
397bb1b
refactor: code suggestions
dhruvang21 Nov 12, 2025
754c3d9
Revert unrelated changes
swissspidy Nov 12, 2025
5174653
Simplify a bit
swissspidy Nov 12, 2025
a7814f7
Merge branch 'main' into issue/6148
swissspidy Dec 2, 2025
65424a8
simpler existence check
dhruvang21 Dec 3, 2025
af47146
Revert "simpler existence check"
swissspidy Dec 12, 2025
d2b9cf2
Merge branch 'main' into issue/6148
swissspidy Dec 12, 2025
c275ac4
Merge branch 'main' into issue/6148
dhruvang21 Dec 17, 2025
94c2dac
Merge branch 'main' into issue/6148
dhruvang21 Dec 25, 2025
6164733
Merge branch 'main' into issue/6148
swissspidy Jan 21, 2026
a229ea7
Merge branch 'main' into issue/6148
swissspidy Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 64 additions & 2 deletions php/WP_CLI/WpHttpCacheManager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,14 @@ class WpHttpCacheManager {
*/
protected $cache;

/**
* Minimum valid archive file size in bytes.
*
* This threshold (20 bytes) roughly corresponds to the smallest possible
* valid ZIP or TAR.GZ header, ensuring we skip obviously invalid or empty downloads.
*/
private const MIN_VALID_ARCHIVE_SIZE = 20;

/**
* @param FileCache $cache
*/
Expand Down Expand Up @@ -68,8 +76,8 @@ public function filter_pre_http_request( $response, $args, $url ) {
/**
* cache wp http api downloads
*
* @param array $response
* @param array $args
* @param array $response
* @param array $args
* @param string $url
* @return array
*/
Expand All @@ -86,11 +94,65 @@ public function filter_http_response( $response, $args, $url ) {
if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
return $response;
}
// Validate before caching.
if ( ! $this->validate_downloaded_file( $response['filename'], $url ) ) {
WP_CLI::warning( "Invalid or corrupt file from {$url}, skipping cache." );
return $response;
}
// cache downloaded file
$this->cache->import( $this->whitelist[ $url ]['key'], $response['filename'] );
return $response;
}

/**
* Validate downloaded file before adding to cache.
*
* @param string $file Path to the downloaded file.
* @param string $url Source URL.
* @return bool True if file is valid, false otherwise.
*/
private function validate_downloaded_file( $file, $url ) {
if ( ! is_readable( $file ) ) {
return false;
}

$size = filesize( $file );
if ( false === $size || $size < self::MIN_VALID_ARCHIVE_SIZE ) {
return false;
}

$ext = strtolower( pathinfo( (string) wp_parse_url( $url, PHP_URL_PATH ), PATHINFO_EXTENSION ) );
$mime = function_exists( 'mime_content_type' ) ? mime_content_type( $file ) : '';

if ( ( 'zip' === $ext || 'application/zip' === $mime ) && class_exists( '\ZipArchive' ) ) {
$zip = new \ZipArchive();
$result = $zip->open( $file );
if ( true !== $result ) {
return false;
}
// Optional deeper check: ensure we can read file list.
if ( 0 === $zip->numFiles ) { //phpcs:ignore
$zip->close();
return false;
}
$zip->close();
}

if ( ( preg_match( '/\.tar\.gz$/i', $url ) || 'application/gzip' === $mime ) && class_exists( '\PharData' ) ) {
try {
$phar = new \PharData( $file );
// Accessing the file list ensures it can be read.
if ( empty( iterator_to_array( $phar ) ) ) {
return false;
}
} catch ( \Exception $e ) {
return false;
}
}

return true;
}

/**
* whitelist a package url
*
Expand Down
Loading