mirror of
https://github.com/Karaka-Management/phpOMS.git
synced 2026-01-11 01:38:41 +00:00
118 lines
2.6 KiB
PHP
Executable File
118 lines
2.6 KiB
PHP
Executable File
<?php
|
|
/**
|
|
* Jingga
|
|
*
|
|
* PHP Version 8.2
|
|
*
|
|
* @package phpOMS\Security
|
|
* @copyright Dennis Eichhorn
|
|
* @license OMS License 2.0
|
|
* @version 1.0.0
|
|
* @link https://jingga.app
|
|
*/
|
|
declare(strict_types=1);
|
|
|
|
namespace phpOMS\Security;
|
|
|
|
use phpOMS\System\File\FileUtils;
|
|
|
|
/**
|
|
* Php code security class.
|
|
*
|
|
* This can be used to guard against certain vulnerabilities
|
|
*
|
|
* @package phpOMS\Security
|
|
* @license OMS License 2.0
|
|
* @link https://jingga.app
|
|
* @since 1.0.0
|
|
*/
|
|
final class Guard
|
|
{
|
|
/**
|
|
* Base path for the application
|
|
*
|
|
* @var string
|
|
* @since 1.0.0
|
|
*/
|
|
public static string $BASE_PATH = __DIR__ . '/../../';
|
|
|
|
/**
|
|
* Make sure a path is part of a base path
|
|
*
|
|
* This can be used to verify if a path goes outside of the allowed path bounds
|
|
*
|
|
* @param string $path Path to check
|
|
* @param string $base Base path
|
|
*
|
|
* @return bool
|
|
*
|
|
* @since 1.0.0
|
|
*/
|
|
public static function isSafePath(string $path, string $base = '') : bool
|
|
{
|
|
return \str_starts_with(
|
|
FileUtils::absolute($path),
|
|
FileUtils::absolute(empty($base) ? self::$BASE_PATH : $base)
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Remove slashes from a string or array
|
|
*
|
|
* @template T of string|array
|
|
*
|
|
* @param T $data Data to unslash
|
|
*
|
|
* @return (T is string ? string : array)
|
|
*
|
|
* @since 1.0.0
|
|
*/
|
|
public static function unslash(string | array $data) : string|array
|
|
{
|
|
if (\is_array($data)) {
|
|
$result = [];
|
|
foreach ($data as $key => $value) {
|
|
$result[$key] = \is_string($value) || \is_array($value)
|
|
? self::unslash($value)
|
|
: $value;
|
|
}
|
|
|
|
return $result;
|
|
} elseif (\is_string($data)) {
|
|
return \stripslashes($data);
|
|
}
|
|
|
|
return $data;
|
|
}
|
|
|
|
/**
|
|
* Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
|
|
*
|
|
* @param string $string String to check
|
|
*
|
|
* @return bool
|
|
*
|
|
* @since 1.0.0
|
|
*/
|
|
public static function isShellSafe(string $string) : bool
|
|
{
|
|
if (\escapeshellcmd($string) !== $string
|
|
|| !\in_array(\escapeshellarg($string), ["'{$string}'", "\"{$string}\""])
|
|
) {
|
|
return false;
|
|
}
|
|
|
|
$length = \strlen($string);
|
|
|
|
for ($i = 0; $i < $length; ++$i) {
|
|
$c = $string[$i];
|
|
|
|
if (!\ctype_alnum($c) && \strpos('@_-.', $c) === false) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|