Disallow using line breaks in database configuration during setup process

Kovah · Kovah · commit 7d7a64b5bccf · 2026-04-13T14:11:35.000+02:00
diff --git a/app/Http/Requests/SetupDatabaseRequest.php b/app/Http/Requests/SetupDatabaseRequest.php
@@ -18,19 +18,23 @@ public function rules(): array
             ],
             'db_host' => [
                 'required_unless:connection,sqlite',
+                'not_regex:/[\r\n]/',
             ],
             'db_port' => [
                 'required_unless:connection,sqlite',
                 'numeric',
             ],
             'db_name' => [
                 'required_unless:connection,sqlite',
+                'not_regex:/[\r\n]/',
             ],
             'db_user' => [
                 'required_unless:connection,sqlite',
+                'not_regex:/[\r\n]/',
             ],
             'db_password' => [
                 'nullable',
+                'not_regex:/[\r\n]/',
             ],
         ];
     }
diff --git a/tests/Controller/SetupDatabaseControllerTest.php b/tests/Controller/SetupDatabaseControllerTest.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Tests\Controller;
+
+use App\Settings\SystemSettings;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class SetupDatabaseControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_database_setup_rejects_multiline_passwords(): void
+    {
+        SystemSettings::fake([
+            'setup_completed' => false,
+        ]);
+
+        $response = $this->from('/setup/database')->post('/setup/database', [
+            'connection' => 'mysql',
+            'db_host' => '127.0.0.1',
+            'db_port' => 3306,
+            'db_name' => 'linkace',
+            'db_user' => 'linkace',
+            'db_password' => "secret\nMAIL_MAILER=sendmail",
+        ]);
+
+        $response
+            ->assertRedirect('/setup/database')
+            ->assertSessionHasErrors('db_password');
+    }
+}
