Add test to prove a path traversal attack

If I try to retrieve the translations using the following url:

    http://localhost/translations?locales=randomstring/something

The file `something.js` gets created in the subdirectory
`messages.randomstring` of the cache directory:

    /var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/something.js

This is the actual string that gets passed to the constructor of
`ConfigCache` by the JsTranslationBundle controller.

I can now traverse down from the JsTranslationBundle cache directory
(without first creating the `messages.randomstring` directory using the
previous step, this won't work):

    http://localhost/translations?locales=randomstring/../../evil

becomes:

    /var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../evil.js

... and depending on the configuration of the server, I could also do:

    http://localhost/translations?locales=randomstring/../../../../../web/evil

=>

    /var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../../../../web/evil.js

Thus creating the file `evil.js` (and `evil.js.meta`) under the Symfony
`web` root. Depending on file system permissions, this will also
overwrite existing files.

Signed-off-by: William DURAND <william.durand1@gmail.com>

Author: willdurand

Controller/Controller.php

@@ -9,6 +9,8 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Config\ConfigCache;
 use Symfony\Component\Config\Resource\FileResource;
+use Symfony\Component\Filesystem\Exception\IOException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
  * @author William DURAND <william.durand1@gmail.com>
@@ -143,7 +145,11 @@ public function getTranslationsAction(Request $request, $domain, $_format)
                 'include_config' => true,
             ));
 
-            $cache->write($content, $resources);
+            try {
+                $cache->write($content, $resources);
+            } catch (IOException $e) {
+                throw new NotFoundHttpException();
+            }
         }
 
         $response = new Response(

Tests/Controller/ControllerTest.php

@@ -171,4 +171,30 @@ public function testGetTranslationsWithNumericKeys()
 JSON
         , $response->getContent());
     }
+
+    public function testGetTranslationsWithPathTraversalAttack()
+    {
+        $client  = static::createClient();
+
+        // 1. `evil.js` is not accessible
+        $crawler  = $client->request('GET', '/translations?locales=randomstring/../../evil');
+        $response = $client->getResponse();
+
+        $this->assertEquals(404, $response->getStatusCode());
+
+        // 2. let's create a random directory with a randome js file
+        $crawler  = $client->request('GET', '/translations?locales=randomstring/something');
+        $response = $client->getResponse();
+
+        $this->assertFileExists(sprintf('%s/%s/messages.randomstring/something.js',
+            $client->getKernel()->getCacheDir(),
+            'bazinga-js-translation'
+        ));
+
+        // 3. path traversal attack
+        $crawler  = $client->request('GET', '/translations?locales=randomstring/../../evil');
+        $response = $client->getResponse();
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
 }