update

web/app/Models/Backup.php

@@ -4,6 +4,7 @@ namespace App\Models;
 
 use App\Filament\Enums\BackupStatus;
 use App\Helpers;
+use App\ShellApi;
 use Dotenv\Dotenv;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -46,9 +47,9 @@ class Backup extends Model
         });
 
         static::deleting(function ($model) {
-           if (is_dir($model->path)) {
-               shell_exec('rm -rf ' . $model->path);
-           }
+           ShellApi::safeDelete($model->path,[
+               Storage::path('backups')
+           ]);
            if (Storage::disk('backups')->exists($model->filepath)) {
                Storage::disk('backups')->delete($model->filepath);
            }
@@ -129,7 +130,7 @@ class Backup extends Model
                     ];
                 }
 
-                shell_exec('rm -rf '.$this->path);
+                ShellApi::safeRmRf($this->path);
 
                 $this->size = filesize(Storage::disk('backups')->path($this->filepath));
                 $this->status = 'completed';

web/app/ShellApi.php

@@ -2,12 +2,24 @@
 
 namespace App;
 
+use Illuminate\Support\Str;
+
 class ShellApi
 {
-    public function safeRmRf($pathOrFile, $whiteListedPaths = [])
+    public static function safeDelete($pathOrFile, $whiteListedPaths = [])
     {
-        if (in_array($pathOrFile, $whiteListedPaths)) {
-            return false;
+        if (empty($whiteListedPaths)) {
+            throw new \Exception('Whitelist paths cannot be empty');
+        }
+
+        $errorsBag = [];
+        foreach ($whiteListedPaths as $whiteListedPath) {
+            if (!Str::of($pathOrFile)->startsWith($whiteListedPath)) {
+                $errorsBag[] = 'Cannot delete this path';
+            }
+        }
+        if (!empty($errorsBag)) {
+            throw new \Exception('Cannot delete this path');
         }
 
         $exec = shell_exec('rm -rf ' . $pathOrFile);