[4.x] Parameter validation and other DB manager improvements

src/Bootstrappers/DatabaseTenancyBootstrapper.php

@@ -5,14 +5,42 @@
 namespace Stancl\Tenancy\Bootstrappers;
 
 use Exception;
+use Illuminate\Support\Facades\DB;
+use RuntimeException;
 use Stancl\Tenancy\Contracts\TenancyBootstrapper;
 use Stancl\Tenancy\Contracts\Tenant;
 use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
 use Stancl\Tenancy\Database\DatabaseManager;
 use Stancl\Tenancy\Database\Exceptions\TenantDatabaseDoesNotExistException;
+use Throwable;
 
 class DatabaseTenancyBootstrapper implements TenancyBootstrapper
 {
+    /**
+     * When true, throw an exception if a tenant gets connected to
+     * another tenant's database or to the central database.
+     *
+     * This case should never come up in well-configured apps where
+     * users cannot set or edit tenant IDs or database names, so this
+     * option is disabled by default.
+     *
+     * However, applications dealing with extremely sensitive data may
+     * choose to enable this runtime check to prevent a bug or misconfiguration
+     * from creating an exploit that would let an attacker access another
+     * tenant's data or data from the central database.
+     *
+     * One way such a scenario might come up is if an application allows
+     * broad tenant attribute updates on a page for updating some fields
+     * on the tenant, without restricting that action to only a limited
+     * set of fields that are safe to edit. An attacker might be able to add
+     * something like ['tenancy_db_name' => '...'] to the request which could
+     * lead to this internal attribute being updated on an existing tenant.
+     *
+     * It's possible that enabling this setting will negate the performance
+     * benefits of cached tenant lookup.
+     */
+    public static bool $harden = false;
+
     /** @var DatabaseManager */
     protected $database;
 
@@ -41,10 +69,43 @@ public function bootstrap(Tenant $tenant): void
         }
 
         $this->database->connectToTenant($tenant);
+
+        if (static::$harden) {
+            try {
+                $this->verifyTenantCanUseDatabase($tenant);
+            } catch (Throwable $e) {
+                // Revert connection back to central
+                $this->revert();
+
+                throw $e;
+            }
+        }
     }
 
     public function revert(): void
     {
         $this->database->reconnectToCentral();
     }
+
+    protected function verifyTenantCanUseDatabase(Tenant $tenant): void
+    {
+        /** @var \Stancl\Tenancy\Database\Models\Tenant&TenantWithDatabase $tenant */
+        $tenantDbName = $tenant->database()->getName();
+
+        // Check if any other tenant uses this tenant's database
+        if ($tenant::where($tenant->getTenantKeyName(), '!=', $tenant->getTenantKey())
+            ->where($tenant::getDataColumn() . '->' . $tenant->internalPrefix() . 'db_name', $tenantDbName)
+            ->exists()) {
+            throw new RuntimeException('Tenant cannot use a database of another tenant.');
+        }
+
+        // Check if the current database is not the central database
+        $centralDbName = DB::connection(
+            config('tenancy.database.central_connection', 'central')
+        )->getDatabaseName();
+
+        if (DB::getDatabaseName() === $centralDbName) {
+            throw new RuntimeException('Tenant cannot use the central database.');
+        }
+    }
 }

src/Database/Concerns/ManagesPostgresUsers.php

@@ -28,6 +28,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter($username);
+        $this->validatePassword($password);
+
         $createUser = ! $this->userExists($username);
 
         if ($createUser) {
@@ -44,6 +47,8 @@ public function deleteUser(DatabaseConfig $databaseConfig): bool
         // Tenant DB username
         $username = $databaseConfig->getUsername();
 
+        $this->validateParameter($username);
+
         // Tenant host connection config
         $connectionName = $this->connection()->getConfig('name');
         $centralDatabase = $this->connection()->getConfig('database');
@@ -77,6 +82,6 @@ public function deleteUser(DatabaseConfig $databaseConfig): bool
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->selectOne("SELECT usename FROM pg_user WHERE usename = '{$username}'");
+        return (bool) $this->connection()->select('SELECT usename FROM pg_user WHERE usename = ?', [$username]);
     }
 }

src/Database/Concerns/ValidatesDatabaseParameters.php

@@ -0,0 +1,92 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Stancl\Tenancy\Database\Concerns;
+
+use Illuminate\Support\Arr;
+use InvalidArgumentException;
+
+/**
+ * Provides methods to validate database parameters (e.g. database names, usernames, passwords)
+ * before using them in SQL statements (or in file paths in the case of SQLiteDatabaseManager).
+ *
+ * Used where parameters can be provided by users, and where parameter binding cannot be used.
+ *
+ * @see \Stancl\Tenancy\Database\TenantDatabaseManagers\TenantDatabaseManager
+ * @see \Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager
+ */
+trait ValidatesDatabaseParameters
+{
+    /**
+     * Characters allowed in parameters.
+     *
+     * Used as the default allowlist in validateParameter(), which validates non-password
+     * parameters such as database names or usernames.
+     *
+     * Since non-password parameters don't need to use as many special characters, we use
+     * a stricter allowlist here.
+     */
+    public static string $allowedParameterCharacters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-';
+
+    /**
+     * Characters allowed in database user passwords.
+     *
+     * The allowlist for passwords is less strict than for other parameters
+     * because it's more common to use more special characters in passwords.
+     */
+    public static string $allowedPasswordCharacters = ' !#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~';
+
+    /**
+     * Ensure that parameters (database names, usernames, etc.)
+     * only contain allowed characters before used in SQL statements
+     * (or paths in the case of SQLiteDatabaseManager).
+     *
+     * By default, only the characters in allowedParameterCharacters() are allowed.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validateParameter(string|array|null $parameters, string|null $allowedCharacters = null): void
+    {
+        if ($parameters === null) {
+            throw new InvalidArgumentException('Parameter cannot be null.');
+        }
+
+        $allowedCharacters ??= static::$allowedParameterCharacters;
+
+        foreach (Arr::wrap($parameters) as $parameter) {
+            if (is_null($parameter)) {
+                throw new InvalidArgumentException('Parameter cannot be null.');
+            }
+
+            if (is_numeric($parameter)) {
+                $parameter = (string) $parameter;
+            }
+
+            if (! is_string($parameter)) {
+                // E.g. if a parameter is retrieved from the config, it isn't necessarily a string
+                throw new InvalidArgumentException('Parameter has to be a string.');
+            }
+
+            foreach (str_split($parameter) as $character) {
+                if (! str_contains($allowedCharacters, $character)) {
+                    throw new InvalidArgumentException("Forbidden character '{$character}' in parameter.");
+                }
+            }
+        }
+    }
+
+    /**
+     * Ensure password only contains allowed characters (allowedPasswordCharacters())
+     * before being used in SQL statements.
+     *
+     * Used in permission controlled managers as a shorthand for calling validateParameter()
+     * with the less strict allowlist to validate database user passwords.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validatePassword(string|null $password): void
+    {
+        $this->validateParameter($password, allowedCharacters: static::$allowedPasswordCharacters);
+    }
+}

src/Database/TenantDatabaseManagers/MicrosoftSQLDatabaseManager.php

@@ -12,16 +12,22 @@ public function createDatabase(TenantWithDatabase $tenant): bool
     {
         $database = $tenant->database()->getName();
 
+        $this->validateParameter($database);
+
         return $this->connection()->statement("CREATE DATABASE [{$database}]");
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP DATABASE [{$tenant->database()->getName()}]");
+        $database = $tenant->database()->getName();
+
+        $this->validateParameter($database);
+
+        return $this->connection()->statement("DROP DATABASE [{$database}]");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->select("SELECT name FROM master.sys.databases WHERE name = '$name'");
+        return (bool) $this->connection()->select('SELECT name FROM master.sys.databases WHERE name = ?', [$name]);
     }
 }

src/Database/TenantDatabaseManagers/MySQLDatabaseManager.php

@@ -14,16 +14,36 @@ public function createDatabase(TenantWithDatabase $tenant): bool
         $charset = $this->connection()->getConfig('charset');
         $collation = $this->connection()->getConfig('collation');
 
-        return $this->connection()->statement("CREATE DATABASE `{$database}` CHARACTER SET `$charset` COLLATE `$collation`");
+        $this->validateParameter(array_filter([$database, $charset, $collation], fn ($param) => $param !== null));
+
+        // MySQL defaults to the server's charset and collation
+        // if charset and collation are not specified.
+        // If charset is specified but collation is null, MySQL
+        // will choose a default collation for the specified charset (and vice versa).
+        $statement = "CREATE DATABASE `{$database}`";
+
+        if ($charset !== null) {
+            $statement .= " CHARACTER SET `{$charset}`";
+        }
+
+        if ($collation !== null) {
+            $statement .= " COLLATE `{$collation}`";
+        }
+
+        return $this->connection()->statement($statement);
     }
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
-        return $this->connection()->statement("DROP DATABASE `{$tenant->database()->getName()}`");
+        $database = $tenant->database()->getName();
+
+        $this->validateParameter($database);
+
+        return $this->connection()->statement("DROP DATABASE `{$database}`");
     }
 
     public function databaseExists(string $name): bool
     {
-        return (bool) $this->connection()->select("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$name'");
+        return (bool) $this->connection()->select('SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = ?', [$name]);
     }
 }

src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php

@@ -24,6 +24,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter([$database, $username]);
+        $this->validatePassword($password);
+
         // Create login
         $this->connection()->statement("CREATE LOGIN [$username] WITH PASSWORD = '$password'");
 
@@ -37,12 +40,16 @@ public function createUser(DatabaseConfig $databaseConfig): bool
 
     public function deleteUser(DatabaseConfig $databaseConfig): bool
     {
-        return $this->connection()->statement("DROP LOGIN [{$databaseConfig->getUsername()}]");
+        $username = $databaseConfig->getUsername();
+
+        $this->validateParameter($username);
+
+        return $this->connection()->statement("DROP LOGIN [{$username}]");
     }
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->select("SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = '{$username}'");
+        return (bool) $this->connection()->select('SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = ?', [$username]);
     }
 
     public function makeConnectionConfig(array $baseConfig, string $databaseName): array
@@ -54,11 +61,15 @@ public function makeConnectionConfig(array $baseConfig, string $databaseName): a
 
     public function deleteDatabase(TenantWithDatabase $tenant): bool
     {
+        $name = $tenant->database()->getName();
+
+        $this->validateParameter($name);
+
         // Close all connections to the database before deleting it
         // Set the database to SINGLE_USER mode to ensure that
         // No other connections are using the database while we're trying to delete it
         // Rollback all active transactions
-        $this->connection()->statement("ALTER DATABASE [{$tenant->database()->getName()}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;");
+        $this->connection()->statement("ALTER DATABASE [{$name}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;");
 
         return parent::deleteDatabase($tenant);
     }

src/Database/TenantDatabaseManagers/PermissionControlledMySQLDatabaseManager.php

@@ -25,6 +25,9 @@ public function createUser(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $password = $databaseConfig->getPassword();
 
+        $this->validateParameter([$database, $username]);
+        $this->validatePassword($password);
+
         $this->connection()->statement("CREATE USER `{$username}`@`%` IDENTIFIED BY '{$password}'");
 
         $grants = implode(', ', static::$grants);
@@ -48,11 +51,15 @@ protected function isVersion8(): bool
 
     public function deleteUser(DatabaseConfig $databaseConfig): bool
     {
-        return $this->connection()->statement("DROP USER IF EXISTS '{$databaseConfig->getUsername()}'");
+        $username = $databaseConfig->getUsername();
+
+        $this->validateParameter($username);
+
+        return $this->connection()->statement("DROP USER IF EXISTS '{$username}'");
     }
 
     public function userExists(string $username): bool
     {
-        return (bool) $this->connection()->select("SELECT count(*) FROM mysql.user WHERE user = '$username'")[0]->{'count(*)'};
+        return (bool) $this->connection()->select('SELECT count(*) FROM mysql.user WHERE user = ?', [$username])[0]->{'count(*)'};
     }
 }

src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLDatabaseManager.php

@@ -20,6 +20,8 @@ protected function grantPermissions(DatabaseConfig $databaseConfig): bool
         $username = $databaseConfig->getUsername();
         $schema = $databaseConfig->connection()['search_path'];
 
+        $this->validateParameter([$database, $username, $schema]);
+
         // Host config
         $connectionName = $this->connection()->getConfig('name');
         $centralDatabase = $this->connection()->getConfig('database');
@@ -32,10 +34,10 @@ protected function grantPermissions(DatabaseConfig $databaseConfig): bool
         $this->connection()->reconnect();
 
         // Grant permissions to create and use tables in the configured schema ("public" by default) to the user
-        $this->connection()->statement("GRANT USAGE, CREATE ON SCHEMA {$schema} TO \"{$username}\"");
+        $this->connection()->statement("GRANT USAGE, CREATE ON SCHEMA \"{$schema}\" TO \"{$username}\"");
 
         // Grant permissions to use sequences in the current schema to the user
-        $this->connection()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA {$schema} TO \"{$username}\"");
+        $this->connection()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA \"{$schema}\" TO \"{$username}\"");
 
         // Reconnect to central database
         config(["database.connections.{$connectionName}.database" => $centralDatabase]);

src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLSchemaManager.php

@@ -23,23 +23,25 @@ protected function grantPermissions(DatabaseConfig $databaseConfig): bool
         // Central database name
         $database = DB::connection(config('tenancy.database.central_connection'))->getDatabaseName();
 
-        $this->connection()->statement("GRANT CONNECT ON DATABASE {$database} TO \"{$username}\"");
+        $this->validateParameter([$username, $schema, $database]);
+
+        $this->connection()->statement("GRANT CONNECT ON DATABASE \"{$database}\" TO \"{$username}\"");
         $this->connection()->statement("GRANT USAGE, CREATE ON SCHEMA \"{$schema}\" TO \"{$username}\"");
         $this->connection()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA \"{$schema}\" TO \"{$username}\"");
 
-        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = '{$schema}' AND table_type = 'BASE TABLE'");
+        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = ? AND table_type = 'BASE TABLE'", [$schema]);
 
         // Grant permissions to any existing tables. This is used with RLS
         foreach ($tables as $table) {
             $tableName = $table->table_name;
 
             /** @var string $primaryKey */
-            $primaryKey = $this->connection()->selectOne(<<<SQL
+            $primaryKey = $this->connection()->selectOne(<<<'SQL'
                 SELECT column_name
                 FROM information_schema.key_column_usage
-                WHERE table_name = '{$tableName}'
+                WHERE table_name = ?
                 AND constraint_name LIKE '%_pkey'
-            SQL)->column_name;
+            SQL, [$tableName])->column_name;
 
             // Grant all permissions for all existing tables
             $this->connection()->statement("GRANT ALL ON \"{$schema}\".\"{$tableName}\" TO \"{$username}\"");