updated core to 1.7.15
This commit is contained in:
@@ -1,17 +1,77 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* @package Grav.Common
|
||||
* @package Grav\Common
|
||||
*
|
||||
* @copyright Copyright (C) 2015 - 2018 Trilby Media, LLC. All rights reserved.
|
||||
* @copyright Copyright (c) 2015 - 2021 Trilby Media, LLC. All rights reserved.
|
||||
* @license MIT License; see LICENSE file for details.
|
||||
*/
|
||||
|
||||
namespace Grav\Common;
|
||||
|
||||
use enshrined\svgSanitize\Sanitizer;
|
||||
use Exception;
|
||||
use Grav\Common\Config\Config;
|
||||
use Grav\Common\Page\Pages;
|
||||
use function chr;
|
||||
use function count;
|
||||
use function is_array;
|
||||
use function is_string;
|
||||
|
||||
/**
|
||||
* Class Security
|
||||
* @package Grav\Common
|
||||
*/
|
||||
class Security
|
||||
{
|
||||
/**
|
||||
* Sanitize SVG string for XSS code
|
||||
*
|
||||
* @param string $svg
|
||||
* @return string
|
||||
*/
|
||||
public static function sanitizeSvgString(string $svg): string
|
||||
{
|
||||
if (Grav::instance()['config']->get('security.sanitize_svg')) {
|
||||
$sanitizer = new Sanitizer();
|
||||
$sanitized = $sanitizer->sanitize($svg);
|
||||
if (is_string($sanitized)) {
|
||||
$svg = $sanitized;
|
||||
}
|
||||
}
|
||||
|
||||
public static function detectXssFromPages($pages, callable $status = null)
|
||||
return $svg;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sanitize SVG for XSS code
|
||||
*
|
||||
* @param string $file
|
||||
* @return void
|
||||
*/
|
||||
public static function sanitizeSVG(string $file): void
|
||||
{
|
||||
if (file_exists($file) && Grav::instance()['config']->get('security.sanitize_svg')) {
|
||||
$sanitizer = new Sanitizer();
|
||||
$original_svg = file_get_contents($file);
|
||||
$clean_svg = $sanitizer->sanitize($original_svg);
|
||||
|
||||
// TODO: what to do with bad SVG files which return false?
|
||||
if ($clean_svg !== false && $clean_svg !== $original_svg) {
|
||||
file_put_contents($file, $clean_svg);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Detect XSS code in Grav pages
|
||||
*
|
||||
* @param Pages $pages
|
||||
* @param bool $route
|
||||
* @param callable|null $status
|
||||
* @return array
|
||||
*/
|
||||
public static function detectXssFromPages(Pages $pages, $route = true, callable $status = null)
|
||||
{
|
||||
$routes = $pages->routes();
|
||||
|
||||
@@ -20,14 +80,13 @@ class Security
|
||||
|
||||
$list = [];
|
||||
|
||||
// // This needs Symfony 4.1 to work
|
||||
// $status && $status([
|
||||
// 'type' => 'count',
|
||||
// 'steps' => count($routes),
|
||||
// ]);
|
||||
// This needs Symfony 4.1 to work
|
||||
$status && $status([
|
||||
'type' => 'count',
|
||||
'steps' => count($routes),
|
||||
]);
|
||||
|
||||
foreach ($routes as $path) {
|
||||
|
||||
$status && $status([
|
||||
'type' => 'progress',
|
||||
]);
|
||||
@@ -43,10 +102,13 @@ class Security
|
||||
$results = Security::detectXssFromArray($data);
|
||||
|
||||
if (!empty($results)) {
|
||||
$list[$page->filePathClean()] = $results;
|
||||
if ($route) {
|
||||
$list[$page->route()] = $results;
|
||||
} else {
|
||||
$list[$page->filePathClean()] = $results;
|
||||
}
|
||||
}
|
||||
|
||||
} catch (\Exception $e) {
|
||||
} catch (Exception $e) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -55,19 +117,25 @@ class Security
|
||||
}
|
||||
|
||||
/**
|
||||
* Detect XSS in an array or strings such as $_POST or $_GET
|
||||
*
|
||||
* @param array $array Array such as $_POST or $_GET
|
||||
* @param array|null $options Extra options to be passed.
|
||||
* @param string $prefix Prefix for returned values.
|
||||
* @return array Returns flatten list of potentially dangerous input values, such as 'data.content'.
|
||||
*/
|
||||
public static function detectXssFromArray(array $array, $prefix = '')
|
||||
public static function detectXssFromArray(array $array, string $prefix = '', array $options = null)
|
||||
{
|
||||
$list = [];
|
||||
if (null === $options) {
|
||||
$options = static::getXssDefaults();
|
||||
}
|
||||
|
||||
$list = [];
|
||||
foreach ($array as $key => $value) {
|
||||
if (\is_array($value)) {
|
||||
$list[] = static::detectXssFromArray($value, $prefix . $key . '.');
|
||||
if (is_array($value)) {
|
||||
$list[] = static::detectXssFromArray($value, $prefix . $key . '.', $options);
|
||||
}
|
||||
if ($result = static::detectXss($value)) {
|
||||
if ($result = static::detectXss($value, $options)) {
|
||||
$list[] = [$prefix . $key => $result];
|
||||
}
|
||||
}
|
||||
@@ -81,19 +149,39 @@ class Security
|
||||
|
||||
/**
|
||||
* Determine if string potentially has a XSS attack. This simple function does not catch all XSS and it is likely to
|
||||
*
|
||||
* return false positives because of it tags all potentially dangerous HTML tags and attributes without looking into
|
||||
* their content.
|
||||
*
|
||||
* @param string $string The string to run XSS detection logic on
|
||||
* @return boolean|string Type of XSS vector if the given `$string` may contain XSS, false otherwise.
|
||||
* @param string|null $string The string to run XSS detection logic on
|
||||
* @param array|null $options
|
||||
* @return string|null Type of XSS vector if the given `$string` may contain XSS, false otherwise.
|
||||
*
|
||||
* Copies the code from: https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L138
|
||||
*/
|
||||
public static function detectXss($string)
|
||||
public static function detectXss($string, array $options = null): ?string
|
||||
{
|
||||
// Skip any null or non string values
|
||||
if (null === $string || !\is_string($string) || empty($string)) {
|
||||
return false;
|
||||
if (null === $string || !is_string($string) || empty($string)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (null === $options) {
|
||||
$options = static::getXssDefaults();
|
||||
}
|
||||
|
||||
$enabled_rules = (array)($options['enabled_rules'] ?? null);
|
||||
$dangerous_tags = (array)($options['dangerous_tags'] ?? null);
|
||||
if (!$dangerous_tags) {
|
||||
$enabled_rules['dangerous_tags'] = false;
|
||||
}
|
||||
$invalid_protocols = (array)($options['invalid_protocols'] ?? null);
|
||||
if (!$invalid_protocols) {
|
||||
$enabled_rules['invalid_protocols'] = false;
|
||||
}
|
||||
$enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });
|
||||
if (!$enabled_rules) {
|
||||
return null;
|
||||
}
|
||||
|
||||
// Keep a copy of the original string before cleaning up
|
||||
@@ -103,33 +191,26 @@ class Security
|
||||
$string = urldecode($string);
|
||||
|
||||
// Convert Hexadecimals
|
||||
$string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', function($m) {
|
||||
return \chr(hexdec($m[2]));
|
||||
$string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', function ($m) {
|
||||
return chr(hexdec($m[2]));
|
||||
}, $string);
|
||||
|
||||
// Clean up entities
|
||||
$string = preg_replace('!(�+[0-9]+)!u','$1;', $string);
|
||||
$string = preg_replace('!(�+[0-9]+)!u', '$1;', $string);
|
||||
|
||||
// Decode entities
|
||||
$string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
|
||||
|
||||
// Strip whitespace characters
|
||||
$string = preg_replace('!\s!u','', $string);
|
||||
|
||||
$config = Grav::instance()['config'];
|
||||
|
||||
$dangerous_tags = $config->get('security.xss_dangerous_tags');
|
||||
$dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
|
||||
|
||||
$enabled_rules = $config->get('security.xss_enabled');
|
||||
$string = preg_replace('!\s!u', '', $string);
|
||||
|
||||
// Set the patterns we'll test against
|
||||
$patterns = [
|
||||
// Match any attribute starting with "on" or xmlns
|
||||
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
|
||||
'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])([\s\/]on|\sxmlns)[a-z].*=>?#iUu',
|
||||
|
||||
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
|
||||
'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
|
||||
'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . '):\S.*?#iUu',
|
||||
|
||||
// Match -moz-bindings
|
||||
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
|
||||
@@ -138,21 +219,30 @@ class Security
|
||||
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
|
||||
|
||||
// Match potentially dangerous tags
|
||||
'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
|
||||
'dangerous_tags' => '#</*(' . implode('|', array_map('preg_quote', $dangerous_tags, ['#'])) . ')[^>]*>?#ui'
|
||||
];
|
||||
|
||||
|
||||
// Iterate over rules and return label if fail
|
||||
foreach ((array) $patterns as $name => $regex) {
|
||||
if ($enabled_rules[$name] === true) {
|
||||
|
||||
foreach ($patterns as $name => $regex) {
|
||||
if (!empty($enabled_rules[$name])) {
|
||||
if (preg_match($regex, $string) || preg_match($regex, $orig)) {
|
||||
return $name;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public static function getXssDefaults(): array
|
||||
{
|
||||
/** @var Config $config */
|
||||
$config = Grav::instance()['config'];
|
||||
|
||||
return [
|
||||
'enabled_rules' => $config->get('security.xss_enabled'),
|
||||
'dangerous_tags' => array_map('trim', $config->get('security.xss_dangerous_tags')),
|
||||
'invalid_protocols' => array_map('trim', $config->get('security.xss_invalid_protocols')),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
Reference in New Issue
Block a user