refactor(filename): extract classes with single responsibilities

- Create namespace KaririCode\Sanitizer\Processor\Security\Filename
- Split FilenameSanitizer into specific classes:
  * ExtensionHandler: handling of extensions and validations
  * FilenameParser: parsing and splitting of filenames
  * BasenameSanitizer: sanitization of the base name
  * Configuration: configuration management
  * FilenameSanitizer: orchestration of the process

Author: walmir-silva

src/Processor/Domain/JsonSanitizer.php

@@ -5,12 +5,17 @@
 namespace KaririCode\Sanitizer\Processor\Domain;
 
 use KaririCode\Sanitizer\Processor\AbstractSanitizerProcessor;
+use KaririCode\Sanitizer\Trait\WhitespaceSanitizerTrait;
 
 class JsonSanitizer extends AbstractSanitizerProcessor
 {
+    use WhitespaceSanitizerTrait;
+
     public function process(mixed $input): string
     {
         $input = $this->guardAgainstNonString($input);
+        $input = $this->trimWhitespace($input);
+
         $decoded = json_decode($input, true);
         if (JSON_ERROR_NONE !== json_last_error()) {
             throw new \InvalidArgumentException('Invalid JSON input');

src/Processor/Domain/MarkdownSanitizer.php

@@ -5,16 +5,27 @@
 namespace KaririCode\Sanitizer\Processor\Domain;
 
 use KaririCode\Sanitizer\Processor\AbstractSanitizerProcessor;
+use KaririCode\Sanitizer\Trait\CharacterReplacementTrait;
+use KaririCode\Sanitizer\Trait\WhitespaceSanitizerTrait;
 
 class MarkdownSanitizer extends AbstractSanitizerProcessor
 {
+    use WhitespaceSanitizerTrait;
+    use CharacterReplacementTrait;
+
     public function process(mixed $input): string
     {
         $input = $this->guardAgainstNonString($input);
+        $input = $this->trimWhitespace($input);
+
         // Remove HTML tags, keeping Markdown intact
         $input = strip_tags($input);
+
         // Escape special Markdown characters
-        $input = preg_replace('/([*_`#])/', '\\\\$1', $input);
+        return $this->replaceMultipleCharacters(
+            $input,
+            ['*' => '\\*', '_' => '\\_', '`' => '\\`', '#' => '\\#']
+        );
 
         return $input;
     }

src/Processor/Security/Filename/BasenameSanitizer.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Security\Filename;
+
+final class BasenameSanitizer
+{
+    public function __construct(
+        private readonly string $replacement = '_',
+        private readonly bool $toLowerCase = false,
+        private readonly int $maxLength = 255
+    ) {
+    }
+
+    public function sanitize(string $basename, bool $preserveDots = true): string
+    {
+        if ($preserveDots) {
+            return $this->sanitizePreservingDots($basename);
+        }
+
+        return $this->sanitizeWithoutDots($basename);
+    }
+
+    private function sanitizePreservingDots(string $basename): string
+    {
+        $parts = explode('.', $basename);
+        $sanitizedParts = array_map(
+            fn (string $part) => $this->sanitizePart($part),
+            $parts
+        );
+
+        $result = implode('.', $sanitizedParts);
+
+        return $this->finalizeBasename($result);
+    }
+
+    private function sanitizeWithoutDots(string $basename): string
+    {
+        $sanitized = preg_replace('/[^\p{L}\p{N}_\-\s]/u', $this->replacement, $basename);
+        $sanitized = str_replace([' ', '.', '-'], $this->replacement, $sanitized);
+        $sanitized = $this->normalizeReplacement($sanitized);
+
+        return $this->finalizeBasename($sanitized);
+    }
+
+    private function sanitizePart(string $part): string
+    {
+        $sanitized = preg_replace('/[^\p{L}\p{N}_\-\s]/u', $this->replacement, $part);
+        $sanitized = str_replace([' ', '-'], $this->replacement, $sanitized);
+
+        return $this->normalizeReplacement($sanitized);
+    }
+
+    private function normalizeReplacement(string $input): string
+    {
+        $normalized = preg_replace(
+            '/' . preg_quote($this->replacement, '/') . '{2,}/',
+            $this->replacement,
+            $input
+        );
+
+        return trim($normalized, $this->replacement);
+    }
+
+    private function finalizeBasename(string $basename): string
+    {
+        if ($this->toLowerCase) {
+            $basename = strtolower($basename);
+        }
+
+        return $this->truncateBasename($basename);
+    }
+
+    private function truncateBasename(string $basename): string
+    {
+        if (strlen($basename) <= $this->maxLength) {
+            return $basename;
+        }
+
+        if (false !== ($lastSpace = strrpos(substr($basename, 0, $this->maxLength), ' '))) {
+            return substr($basename, 0, $lastSpace);
+        }
+
+        return substr($basename, 0, $this->maxLength);
+    }
+}

src/Processor/Security/Filename/Configuration.php

@@ -0,0 +1,90 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Security\Filename;
+
+final class Configuration
+{
+    private string $replacement = '_';
+    private bool $preserveExtension = true;
+    private int $maxLength = 255;
+    private bool $toLowerCase = false;
+    private array $allowedExtensions = [];
+    private bool $blockDangerousExtensions = true;
+
+    public function configure(array $options): void
+    {
+        $this->configureBasicOptions($options);
+        $this->configureExtensionOptions($options);
+        $this->configureSecurityOptions($options);
+    }
+
+    private function configureBasicOptions(array $options): void
+    {
+        if (isset($options['replacement']) && $this->isValidReplacement($options['replacement'])) {
+            $this->replacement = $options['replacement'];
+        }
+
+        if (isset($options['preserveExtension'])) {
+            $this->preserveExtension = (bool) $options['preserveExtension'];
+        }
+
+        if (isset($options['maxLength']) && $options['maxLength'] > 0) {
+            $this->maxLength = (int) $options['maxLength'];
+        }
+
+        if (isset($options['toLowerCase'])) {
+            $this->toLowerCase = (bool) $options['toLowerCase'];
+        }
+    }
+
+    private function configureExtensionOptions(array $options): void
+    {
+        if (isset($options['allowedExtensions']) && is_array($options['allowedExtensions'])) {
+            $this->allowedExtensions = array_map('strtolower', $options['allowedExtensions']);
+        }
+    }
+
+    private function configureSecurityOptions(array $options): void
+    {
+        if (isset($options['blockDangerousExtensions'])) {
+            $this->blockDangerousExtensions = (bool) $options['blockDangerousExtensions'];
+        }
+    }
+
+    private function isValidReplacement(string $replacement): bool
+    {
+        return 1 === strlen($replacement) && 1 === preg_match('/^[\w\-]$/', $replacement);
+    }
+
+    public function getReplacement(): string
+    {
+        return $this->replacement;
+    }
+
+    public function isPreserveExtension(): bool
+    {
+        return $this->preserveExtension;
+    }
+
+    public function getMaxLength(): int
+    {
+        return $this->maxLength;
+    }
+
+    public function isToLowerCase(): bool
+    {
+        return $this->toLowerCase;
+    }
+
+    public function getAllowedExtensions(): array
+    {
+        return $this->allowedExtensions;
+    }
+
+    public function isBlockDangerousExtensions(): bool
+    {
+        return $this->blockDangerousExtensions;
+    }
+}

src/Processor/Security/Filename/ExtensionHandler.php

@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Security\Filename;
+
+final class ExtensionHandler
+{
+    private const DANGEROUS_EXTENSIONS = [
+        'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'pht',
+        'exe', 'bat', 'cmd', 'sh', 'cgi', 'pl', 'py',
+        'asp', 'aspx', 'jsp', 'jspx',
+    ];
+    private const COMPOUND_EXTENSIONS = [
+        '.tar.gz',
+        '.tar.bz2',
+        '.tar.xz',
+    ];
+
+    private bool $blockDangerousExtensions;
+    private array $allowedExtensions;
+
+    public function __construct(bool $blockDangerousExtensions = true, array $allowedExtensions = [])
+    {
+        $this->blockDangerousExtensions = $blockDangerousExtensions;
+        $this->allowedExtensions = array_map('strtolower', $allowedExtensions);
+    }
+
+    public function sanitizeExtension(string $extension): string
+    {
+        if ('' === $extension) {
+            return '';
+        }
+
+        $extension = strtolower($extension);
+        $extension = ltrim($extension, '.');
+
+        $parts = explode('.', $extension);
+        $lastPart = end($parts);
+
+        if ($this->isDangerousExtension($lastPart)) {
+            return '';
+        }
+
+        if ($this->hasAllowedExtensionsRestriction() && !$this->isAllowedExtension($lastPart)) {
+            return '';
+        }
+
+        return '.' . $extension;
+    }
+
+    public function isCompoundExtension(string $filename): bool
+    {
+        foreach (self::COMPOUND_EXTENSIONS as $ext) {
+            if (str_ends_with(strtolower($filename), $ext)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function isDangerousExtension(string $extension): bool
+    {
+        if (!$this->blockDangerousExtensions) {
+            return false;
+        }
+
+        return in_array(strtolower($extension), self::DANGEROUS_EXTENSIONS, true);
+    }
+
+    private function hasAllowedExtensionsRestriction(): bool
+    {
+        return !empty($this->allowedExtensions);
+    }
+
+    private function isAllowedExtension(string $extension): bool
+    {
+        return in_array($extension, $this->allowedExtensions, true);
+    }
+}

src/Processor/Security/Filename/FilenameParser.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Security\Filename;
+
+final class FilenameParser
+{
+    public function __construct(
+        private readonly ExtensionHandler $extensionHandler
+    ) {
+    }
+
+    public function splitFilename(string $filename, bool $preserveExtension): array
+    {
+        if (!$preserveExtension) {
+            return [$filename, ''];
+        }
+
+        $lastDotPosition = strrpos($filename, '.');
+        if (false === $lastDotPosition) {
+            return [$filename, ''];
+        }
+
+        $basename = substr($filename, 0, $lastDotPosition);
+        $extension = substr($filename, $lastDotPosition);
+
+        if ($this->shouldHandleCompoundExtension($filename, $basename)) {
+            $previousDotPosition = strrpos($basename, '.');
+            $basename = substr($filename, 0, $previousDotPosition);
+            $extension = substr($filename, $previousDotPosition);
+        }
+
+        return [$basename, $extension];
+    }
+
+    private function shouldHandleCompoundExtension(string $filename, string $basename): bool
+    {
+        $previousDotPosition = strrpos($basename, '.');
+
+        return false !== $previousDotPosition && $this->extensionHandler->isCompoundExtension($filename);
+    }
+}