Jingga/phpOMS
1
0
Fork 0
mirror of https://github.com/Karaka-Management/phpOMS.git synced 2026-01-12 18:18:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a7451d330d
phpOMS/Security/Guard.php
Dennis Eichhorn a7451d330d Went through todos
2024-05-02 22:54:40 +00:00

195 lines
4.6 KiB
PHP
Executable File
Raw Blame History

<?php
/**
* Jingga
*
* PHP Version 8.2
*
* @package phpOMS\Security
* @copyright Dennis Eichhorn
* @license OMS License 2.0
* @version 1.0.0
* @link https://jingga.app
*/
declare(strict_types=1);
namespace phpOMS\Security;
use phpOMS\System\File\FileUtils;
/**
* Php code security class.
*
* This can be used to guard against certain vulnerabilities
*
* @package phpOMS\Security
* @license OMS License 2.0
* @link https://jingga.app
* @since 1.0.0
*/
final class Guard
{
/**
* Base path for the application
*
* @var string
* @since 1.0.0
*/
public static string $BASE_PATH = __DIR__ . '/../../';
/**
* Make sure a path is part of a base path
*
* This can be used to verify if a path goes outside of the allowed path bounds
*
* @param string $path Path to check
* @param string $base Base path
*
* @return bool
*
* @since 1.0.0
*/
public static function isSafePath(string $path, string $base = '') : bool
{
return \str_starts_with(
FileUtils::absolute($path),
FileUtils::absolute(empty($base) ? self::$BASE_PATH : $base)
);
}
/**
* Remove slashes from a string or array
*
* @template T of string|array
*
* @param T $data Data to unslash
*
* @return (T is string ? string : array)
*
* @since 1.0.0
*/
public static function unslash(string | array $data) : string|array
{
if (\is_array($data)) {
$result = [];
foreach ($data as $key => $value) {
$result[$key] = \is_string($value) || \is_array($value)
? self::unslash($value)
: $value;
}
return $result;
} elseif (\is_string($data)) {
return \stripslashes($data);
}
return $data;
}
/**
* Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
*
* @param string $string String to check
*
* @return bool
*
* @since 1.0.0
*/
public static function isShellSafe(string $string) : bool
{
if (\escapeshellcmd($string) !== $string
|| !\in_array(\escapeshellarg($string), ["'{$string}'", "\"{$string}\""])
) {
return false;
}
$length = \strlen($string);
for ($i = 0; $i < $length; ++$i) {
$c = $string[$i];
if (!\ctype_alnum($c) && \strpos('@_-.', $c) === false) {
return false;
}
}
return true;
}
public static function isSafeFile(string $path) : bool
{
$tmp = \strtolower($path);
if (\str_ends_with($tmp, '.csv')) {
return self::isSafeXml($path);
} elseif (\str_ends_with($tmp, '.xml')) {
return self::isSafeCsv($path);
}
return true;
}
public static function isSafeXml(string $path) : bool
{
$maxEntityDepth = 7;
$xml = \file_get_contents($path);
// Detect injections
$injectionPatterns = [
'/<!ENTITY\s+%(\w+)\s+"(.+)">/',
'/<!ENTITY\s+%(\w+)\s+SYSTEM\s+"(.+)">/',
'/<!ENTITY\s+(\w+)\s+"(.+)">/',
'/<!DOCTYPE\s+(.+)\s+SYSTEM\s+"(.+)">/'
];
foreach ($injectionPatterns as $pattern) {
if (\preg_match($pattern, $xml) !== false) {
return false;
}
}
$reader = new \XMLReader();
$reader->XML($xml);
$reader->setParserProperty(\XMLReader::SUBST_ENTITIES, true);
$foundBillionLaughsAttack = false;
$entityCount = 0;
while ($reader->read()) {
if ($reader->nodeType === \XMLReader::ENTITY_REF) {
++$entityCount;
if ($entityCount > $maxEntityDepth) {
$foundBillionLaughsAttack = true;
break;
}
}
}
return !$foundBillionLaughsAttack;
}
public static function isSafeCsv(string $path) : bool
{
$input = \fopen($path, 'r');
if (!$input) {
return true;
}
while (($row = \fgetcsv($input)) !== false) {
foreach ($row as &$cell) {
if (\preg_match('/^[\x00-\x08\x0B\x0C\x0E-\x1F]+/', $cell) !== false) {
return false;
}
if (\in_array($cell[0] ?? '', ['=', '+', '-', '@'])) {
return false;
}
}
}
\fclose($input);
return true;
}
}
Reference in New Issue View Git Blame Copy Permalink