Strona główna Odkrywaj Pomoc
Zaloguj się
kevin
/
gilles-acezat
1
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Drzewo: 1a177c21bb
Gałęzie Tagi
gilles-acezat
/
system
/
src
/
Grav
/
Common
/
Security.php

Security.php 4.8 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * @package    Grav.Common
    4. 

  4.  *
    5. 

  5.  * @copyright  Copyright (C) 2015 - 2018 Trilby Media, LLC. All rights reserved.
    6. 

  6.  * @license    MIT License; see LICENSE file for details.
    7. 

  7.  */
    8. 

  8. 

  9. namespace Grav\Common;
    10. 

  10. 

  11. class Security
    12. 

  12. {
    13. 

  13. 

  14.     public static function detectXssFromPages($pages, callable $status = null)
    15. 

  15.     {
    16. 

  16.         $routes = $pages->routes();
    17. 

  17. 

  18.         // Remove duplicate for homepage
    19. 

  19.         unset($routes['/']);
    20. 

  20. 

  21.         $list = [];
    22. 

  22. 

  23. //        // This needs Symfony 4.1 to work
    24. 

  24. //        $status && $status([
    25. 

  25. //            'type' => 'count',
    26. 

  26. //            'steps' => count($routes),
    27. 

  27. //        ]);
    28. 

  28. 

  29.         foreach ($routes as $path) {
    30. 

  30. 

  31.             $status && $status([
    32. 

  32.                 'type' => 'progress',
    33. 

  33.             ]);
    34. 

  34. 

  35.             try {
    36. 

  36.                 $page = $pages->get($path);
    37. 

  37. 

  38.                 // call the content to load/cache it
    39. 

  39.                 $header = (array) $page->header();
    40. 

  40.                 $content = $page->value('content');
    41. 

  41. 

  42.                 $data = ['header' => $header, 'content' => $content];
    43. 

  43.                 $results = Security::detectXssFromArray($data);
    44. 

  44. 

  45.                 if (!empty($results)) {
    46. 

  46.                     $list[$page->filePathClean()] = $results;
    47. 

  47.                 }
    48. 

  48. 

  49.             } catch (\Exception $e) {
    50. 

  50.                 continue;
    51. 

  51.             }
    52. 

  52.         }
    53. 

  53. 

  54.         return $list;
    55. 

  55.     }
    56. 

  56. 

  57.     /**
    58. 

  58.      * @param array $array      Array such as $_POST or $_GET
    59. 

  59.      * @param string $prefix    Prefix for returned values.
    60. 

  60.      * @return array            Returns flatten list of potentially dangerous input values, such as 'data.content'.
    61. 

  61.      */
    62. 

  62.     public static function detectXssFromArray(array $array, $prefix = '')
    63. 

  63.     {
    64. 

  64.         $list = [];
    65. 

  65. 

  66.         foreach ($array as $key => $value) {
    67. 

  67.             if (\is_array($value)) {
    68. 

  68.                 $list[] = static::detectXssFromArray($value, $prefix . $key . '.');
    69. 

  69.             }
    70. 

  70.             if ($result = static::detectXss($value)) {
    71. 

  71.                 $list[] = [$prefix . $key => $result];
    72. 

  72.             }
    73. 

  73.         }
    74. 

  74. 

  75.         if (!empty($list)) {
    76. 

  76.             return array_merge(...$list);
    77. 

  77.         }
    78. 

  78. 

  79.         return $list;
    80. 

  80.     }
    81. 

  81. 

  82.     /**
    83. 

  83.      * Determine if string potentially has a XSS attack. This simple function does not catch all XSS and it is likely to
    84. 

  84.      * return false positives because of it tags all potentially dangerous HTML tags and attributes without looking into
    85. 

  85.      * their content.
    86. 

  86.      *
    87. 

  87.      * @param string $string The string to run XSS detection logic on
    88. 

  88.      * @return boolean|string       Type of XSS vector if the given `$string` may contain XSS, false otherwise.
    89. 

  89.      *
    90. 

  90.      * Copies the code from: https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L138
    91. 

  91.      */
    92. 

  92.     public static function detectXss($string)
    93. 

  93.     {
    94. 

  94.         // Skip any null or non string values
    95. 

  95.         if (null === $string || !\is_string($string) || empty($string)) {
    96. 

  96.             return false;
    97. 

  97.         }
    98. 

  98. 

  99.         // Keep a copy of the original string before cleaning up
    100. 

  100.         $orig = $string;
    101. 

  101. 

  102.         // URL decode
    103. 

  103.         $string = urldecode($string);
    104. 

  104. 

  105.         // Convert Hexadecimals
    106. 

  106.         $string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', function($m) {
    107. 

  107.             return \chr(hexdec($m[2]));
    108. 

  108.         }, $string);
    109. 

  109. 

  110.         // Clean up entities
    111. 

  111.         $string = preg_replace('!(&#0+[0-9]+)!u','$1;', $string);
    112. 

  112. 

  113.         // Decode entities
    114. 

  114.         $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
    115. 

  115. 

  116.         // Strip whitespace characters
    117. 

  117.         $string = preg_replace('!\s!u','', $string);
    118. 

  118. 

  119.         $config = Grav::instance()['config'];
    120. 

  120. 

  121.         $dangerous_tags = $config->get('security.xss_dangerous_tags');
    122. 

  122.         $dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
    123. 

  123. 

  124.         $enabled_rules = $config->get('security.xss_enabled');
    125. 

  125. 

  126.         // Set the patterns we'll test against
    127. 

  127.         $patterns = [
    128. 

  128.             // Match any attribute starting with "on" or xmlns
    129. 

  129.             'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
    130. 

  130. 

  131.             // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
    132. 

  132.             'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
    133. 

  133. 

  134.             // Match -moz-bindings
    135. 

  135.             'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
    136. 

  136. 

  137.             // Match style attributes
    138. 

  138.             'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
    139. 

  139. 

  140.             // Match potentially dangerous tags
    141. 

  141.             'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
    142. 

  142.         ];
    143. 

  143. 

  144. 

  145.         // Iterate over rules and return label if fail
    146. 

  146.         foreach ((array) $patterns as $name => $regex) {
    147. 

  147.             if ($enabled_rules[$name] === true) {
    148. 

  148. 

  149.                 if (preg_match($regex, $string) || preg_match($regex, $orig)) {
    150. 

  150.                     return $name;
    151. 

  151.                 }
    152. 

  152. 

  153.             }
    154. 

  154.         }
    155. 

  155. 

  156.         return false;
    157. 

  157.     }
    158. 

  158. }
    159.