Refinement & Fix bugs (#3540)

* fix: Patch `LFI` vulnerability in `createMultipleFromRequest -> FileAdderFactory::class` method

- Implemented input sanitization to prevent directory traversal attacks
- Removed unsafe file path manipulation in createMultipleFromRequest method
- Added validation checks to ensure file paths are safe before processing

* Fix: Human-readable size support-function return incorrect results

getHumanReadableSize() support function return (KB) unit for (0), For a size of 0 bytes, it's more relevant to display it as 0 B (bytes). Displaying it as 0 KB could be misleading, implying that there is a non-zero amount of data, albeit in kilobytes. Therefore, it's more appropriate to represent 0 as 0 B to accurately convey that there is no data present.

* Fix: file name optimizer from `FileAdderFactory`

* Adding tests for larger file size support `[TB, PB, EB, ZB, YB]` - Qualified Code

* Testing negative byte value in `getHumanReadableSize()` support function

---------

Co-authored-by: TheXerr0r <[email protected]>

src/MediaCollections/FileAdderFactory.php

@@ -40,10 +40,7 @@ public static function createMultipleFromRequest(Model $subject, array $keys = [
     {
         return collect($keys)
             ->map(function (string $key) use ($subject) {
-                $search = ['[', ']', '"', "'"];
-                $replace = ['.', '', '', ''];
-
-                $key = str_replace($search, $replace, $key);
+                $key =  trim(basename($key), './');
 
                 if (! request()->hasFile($key)) {
                     throw RequestDoesNotHaveFile::create($key);

src/Support/File.php

@@ -6,19 +6,13 @@
 
 class File
 {
-    public static function getHumanReadableSize(int $sizeInBytes): string
+    public static function getHumanReadableSize(int|float $sizeInBytes): string
     {
-        $units = ['B', 'KB', 'MB', 'GB', 'TB'];
+        $units = ['B', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB'];
 
-        if ($sizeInBytes == 0) {
-            return '0 '.$units[1];
-        }
+        $index = min(count($units) - 1, floor(log(abs($sizeInBytes), 1024)));
 
-        for ($i = 0; $sizeInBytes > 1024; $i++) {
-            $sizeInBytes /= 1024;
-        }
-
-        return round($sizeInBytes, 2).' '.$units[$i];
+        return sprintf("%s %s", round(num: abs($sizeInBytes) / (1024 ** $index), precision: 2), $units[$index]);
     }
 
     public static function getMimeType(string $path): string

tests/Support/FileTest.php

@@ -7,9 +7,17 @@
     expect(File::getHumanReadableSize(100))->toEqual('100 B');
     expect(File::getHumanReadableSize(1000))->toEqual('1000 B');
     expect(File::getHumanReadableSize(10000))->toEqual('9.77 KB');
+    expect(File::getHumanReadableSize(10000))->toEqual('9.77 KB');
+    expect(File::getHumanReadableSize(-10000))->toEqual('9.77 KB');
     $this->assertEquals('976.56 KB', File::getHumanReadableSize(1_000_000));
     $this->assertEquals('9.54 MB', File::getHumanReadableSize(10_000_000));
     $this->assertEquals('9.31 GB', File::getHumanReadableSize(10_000_000_000));
+    $this->assertEquals('9.09 TB', File::getHumanReadableSize(10_000_000_000_000));
+    $this->assertEquals('8.88 PB', File::getHumanReadableSize(10_000_000_000_000_000));
+    $this->assertEquals('86.74 EB', File::getHumanReadableSize(100_000_000_000_000_000_000));
+    $this->assertEquals('84.7 ZB', File::getHumanReadableSize(100_000_000_000_000_000_000_000));
+    $this->assertEquals('82.72 YB', File::getHumanReadableSize(100_000_000_000_000_000_000_000_000));
+    $this->assertEquals('82.72 YB', File::getHumanReadableSize(-100_000_000_000_000_000_000_000_000));
 });
 
 it('can determine the mime type of a file', function () {