[SECURITY] Refactor security hardening code and disable unused stream wrappers
Ensure unwanted environment variables are removed from the actual global environment rather than just the `$_ENV` superglobal variable. Disable stream wrappers, as this is an unexpected feature for most developers and can be exploited. For instance, `phar://` can be used to override any class and thus provide code execution (through `__wakeup` or `__construct`, for instance). Not a complete solution, as `php://` can also be abused, but we can't disable it as it gets used _somewhere_ in our dependencies.
This commit is contained in:
parent
556ac85061
commit
aef1fac536
@ -33,7 +33,7 @@ declare(strict_types = 1);
|
|||||||
|
|
||||||
use App\CacheKernel;
|
use App\CacheKernel;
|
||||||
use App\Kernel;
|
use App\Kernel;
|
||||||
use App\Util\Formatting;
|
use App\Core\Security;
|
||||||
use Symfony\Component\ErrorHandler\Debug;
|
use Symfony\Component\ErrorHandler\Debug;
|
||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
|
|
||||||
@ -70,11 +70,9 @@ if ('prod' === $kernel->getEnvironment() || isset($_ENV['CONFIG_USE_CACHE_KERNEL
|
|||||||
}
|
}
|
||||||
|
|
||||||
$request = Request::createFromGlobals();
|
$request = Request::createFromGlobals();
|
||||||
$_ENV = array_filter(
|
|
||||||
$_ENV,
|
Security::harden();
|
||||||
fn (string $key) => Formatting::startsWith($key, ['HTTP', 'APP', 'CONFIG']) && $key !== 'APP_SECRET',
|
|
||||||
\ARRAY_FILTER_USE_KEY,
|
|
||||||
);
|
|
||||||
$response = $kernel->handle($request);
|
$response = $kernel->handle($request);
|
||||||
$response->send();
|
$response->send();
|
||||||
$kernel->terminate($request, $response);
|
$kernel->terminate($request, $response);
|
||||||
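Review bot: `Security::harden();` is called after `$request = Request::createFromGlobals();` and after the kernel object already exists (the `$kernel->getEnvironment()` check in the hunk header), so the environment scrubbing and the wrapper unregistration only cover code that runs from `$kernel->handle($request)` onward; the Request has already copied `$_SERVER`, and anything executed while the kernel was constructed could still reach the wrappers. Moving the call above `$request = Request::createFromGlobals();` — ideally to the top of the script, right after autoloading — narrows that window. `harden()` also leaves `$_SERVER` untouched, and if PHP's `variables_order` includes `S` the filtered variables are presumably still readable there; a comment stating that, or a matching filter, would help. The kernel construction this depends on is outside the hunk.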
|
@ -37,8 +37,9 @@ declare(strict_types = 1);
|
|||||||
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
||||||
*
|
*
|
||||||
* GNU social 3
|
* GNU social 3
|
||||||
|
* @author Diogo Cordeiro <mail@diogo.site>
|
||||||
* @author Hugo Sales <hugo@hsal.es>
|
* @author Hugo Sales <hugo@hsal.es>
|
||||||
* @copyright 2018-2021 Free Software Foundation, Inc http://www.fsf.org
|
* @copyright 2018-2022 Free Software Foundation, Inc http://www.fsf.org
|
||||||
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
|
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -33,7 +33,10 @@ declare(strict_types = 1);
|
|||||||
namespace App\Core;
|
namespace App\Core;
|
||||||
|
|
||||||
use App\Entity\LocalUser;
|
use App\Entity\LocalUser;
|
||||||
|
use App\Util\Common;
|
||||||
|
use App\Util\Formatting;
|
||||||
use BadMethodCallException;
|
use BadMethodCallException;
|
||||||
|
use Functional as F;
|
||||||
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
|
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
|
||||||
use Symfony\Component\Security\Core\Security as SymfonySecurity;
|
use Symfony\Component\Security\Core\Security as SymfonySecurity;
|
||||||
use Symfony\Component\Security\Http\Event\LoginFailureEvent;
|
use Symfony\Component\Security\Http\Event\LoginFailureEvent;
|
||||||
@ -76,6 +79,32 @@ class Security implements EventSubscriberInterface //implements AuthenticatorInt
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Harden running instance. Called once from `index.php`
|
||||||
|
*/
|
||||||
|
public static function harden(): void
|
||||||
|
{
|
||||||
|
// Remove sensitive information from the
|
||||||
|
[$_ENV, $to_remove] = F\partition(
|
||||||
|
$_ENV,
|
||||||
|
fn ($_, string $key) => Formatting::startsWith($key, ['HTTP', 'APP', 'CONFIG']) && $key !== 'APP_SECRET',
|
||||||
|
);
|
||||||
|
F\each($to_remove, fn (mixed $value, string $key) => putenv($key)); // Unset
|
||||||
|
// Disable stream wrappers, that could be used in things like
|
||||||
|
// `file_get_contents('https://gnu.org')`. This is done
|
||||||
|
// because this is a unexpected feature for most developers,
|
||||||
|
// and some wrappers can be abused. For instance, `phar://`
|
||||||
|
// can be used to essentially override any class when such a
|
||||||
|
// file is opened and thus provide code execution to an
|
||||||
|
// attacker. Not a complete solution, since `file://`,
|
||||||
|
// `php://` and `glob://` get used _somewhere_, so we can't
|
||||||
|
// disable them
|
||||||
|
F\each(
|
||||||
|
['http', 'https', 'ftp', 'ftps', 'compress.zlib', 'data', 'phar'], // Making this configurable might be a nice feature, but it's tricky because this happens before general initialization
|
||||||
|
fn (string $protocol) => \stream_wrapper_unregister($protocol)
|
||||||
|
);;
|
||||||
|
}
|
||||||
|
|
||||||
public static function __callStatic(string $name, array $args)
|
public static function __callStatic(string $name, array $args)
|
||||||
{
|
{
|
||||||
if (method_exists(self::$security, $name)) {
|
if (method_exists(self::$security, $name)) {
|
||||||
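Review bot: `\stream_wrapper_unregister($protocol)` emits an E_WARNING and returns false when the protocol is not registered, and several entries in the list depend on extensions (`https`/`ftps` on openssl, `compress.zlib` on zlib, `phar` on phar), so on a build without one of them the `F\each` call raises a warning that a converting error handler such as Symfony's `Debug::enable()` can turn into a fatal `ErrorException`. Guard it per protocol: `fn (string $protocol) => \in_array($protocol, \stream_get_wrappers(), true) && \stream_wrapper_unregister($protocol)`. The comment `// Remove sensitive information from the` is cut off mid-sentence; suggest `// Remove sensitive information from the environment: keep only HTTP*/APP*/CONFIG* keys (minus APP_SECRET) in $_ENV and putenv() the rest away`. `);;` leaves a stray empty statement, and `$_SERVER` is not scrubbed here, so if `variables_order` includes `S` the removed values presumably remain readable there.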
|