Validate token names against an allowlist

Reject any token name that isn't strictly [A-Za-z0-9_-] rather than
denylisting separators. This covers traversal, absolute paths, and
Windows drive/UNC paths in one check, regardless of OS or encoding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

src/Tokens/FileTokenRepository.php

@@ -11,7 +11,7 @@ class FileTokenRepository extends TokenRepository
 {
     public function make(?string $token, string $handler, array $data = []): TokenContract
     {
-        if ($token && (str_contains($token, '/') || str_contains($token, '\\'))) {
+        if ($token && ! $this->isValidTokenName($token)) {
             $token = null;
         }
 
@@ -20,7 +20,7 @@ public function make(?string $token, string $handler, array $data = []): TokenCo
 
     public function find(string $token): ?TokenContract
     {
-        if (str_contains($token, '/') || str_contains($token, '\\')) {
+        if (! $this->isValidTokenName($token)) {
             return null;
         }
 
@@ -63,6 +63,11 @@ public function collectGarbage(): void
             ->each->delete();
     }
 
+    private function isValidTokenName(string $token): bool
+    {
+        return (bool) preg_match('/^[A-Za-z0-9_-]+$/', $token);
+    }
+
     private function makeFromPath(string $path): FileToken
     {
         $yaml = YAML::file($path)->parse();

tests/Tokens/TokenRepositoryTest.php

@@ -5,6 +5,7 @@
 use Facades\Statamic\Tokens\Generator;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Contracts\Tokens\Token;
 use Statamic\Facades\File;
@@ -138,11 +139,25 @@ public function it_prevents_path_traversal_in_find()
     }
 
     #[Test]
-    public function it_prevents_path_traversal_in_make()
+    #[DataProvider('invalidTokenNameProvider')]
+    public function it_rejects_invalid_token_names_in_make($token)
     {
         Generator::shouldReceive('generate')->once()->andReturn('generated-token');
 
-        $this->assertEquals('generated-token', $this->tokens->make('../evil', 'Handler')->token());
+        $this->assertEquals('generated-token', $this->tokens->make($token, 'Handler')->token());
+    }
+
+    public static function invalidTokenNameProvider()
+    {
+        return [
+            'parent traversal' => ['../evil'],
+            'backslash traversal' => ['..\\evil'],
+            'nested traversal' => ['foo/../../evil'],
+            'forward slash' => ['foo/evil'],
+            'dots only' => ['..'],
+            'absolute path' => ['/etc/passwd'],
+            'windows drive' => ['C:\\evil'],
+        ];
     }
 
     #[Test]