annotate core/lib/Drupal/Core/Security/RequestSanitizer.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents 129ea1e6d783
children
rev   line source
Chris@13 1 <?php
Chris@13 2
Chris@13 3 namespace Drupal\Core\Security;
Chris@13 4
Chris@15 5 use Drupal\Component\Utility\UrlHelper;
Chris@15 6 use Symfony\Component\HttpFoundation\ParameterBag;
Chris@13 7 use Symfony\Component\HttpFoundation\Request;
Chris@13 8
Chris@13 9 /**
Chris@13 10 * Sanitizes user input.
Chris@13 11 */
Chris@13 12 class RequestSanitizer {
Chris@13 13
Chris@13 14 /**
Chris@13 15 * Request attribute to mark the request as sanitized.
Chris@13 16 */
Chris@13 17 const SANITIZED = '_drupal_request_sanitized';
Chris@13 18
Chris@13 19 /**
Chris@13 20 * The name of the setting that configures the whitelist.
Chris@13 21 */
Chris@13 22 const SANITIZE_WHITELIST = 'sanitize_input_whitelist';
Chris@13 23
Chris@13 24 /**
Chris@13 25 * The name of the setting that determines if sanitized keys are logged.
Chris@13 26 */
Chris@13 27 const SANITIZE_LOG = 'sanitize_input_logging';
Chris@13 28
Chris@13 29 /**
Chris@13 30 * Strips dangerous keys from user input.
Chris@13 31 *
Chris@13 32 * @param \Symfony\Component\HttpFoundation\Request $request
Chris@13 33 * The incoming request to sanitize.
Chris@13 34 * @param string[] $whitelist
Chris@13 35 * An array of keys to whitelist as safe. See default.settings.php.
Chris@13 36 * @param bool $log_sanitized_keys
Chris@16 37 * (optional) Set to TRUE to log keys that are sanitized.
Chris@13 38 *
Chris@13 39 * @return \Symfony\Component\HttpFoundation\Request
Chris@13 40 * The sanitized request.
Chris@13 41 */
Chris@13 42 public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) {
Chris@13 43 if (!$request->attributes->get(self::SANITIZED, FALSE)) {
Chris@15 44 $update_globals = FALSE;
Chris@15 45 $bags = [
Chris@15 46 'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s',
Chris@15 47 'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s',
Chris@15 48 'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s',
Chris@15 49 ];
Chris@15 50 foreach ($bags as $bag => $message) {
Chris@15 51 if (static::processParameterBag($request->$bag, $whitelist, $log_sanitized_keys, $bag, $message)) {
Chris@15 52 $update_globals = TRUE;
Chris@15 53 }
Chris@13 54 }
Chris@15 55 if ($update_globals) {
Chris@13 56 $request->overrideGlobals();
Chris@13 57 }
Chris@13 58 $request->attributes->set(self::SANITIZED, TRUE);
Chris@13 59 }
Chris@13 60 return $request;
Chris@13 61 }
Chris@13 62
Chris@13 63 /**
Chris@15 64 * Processes a request parameter bag.
Chris@15 65 *
Chris@15 66 * @param \Symfony\Component\HttpFoundation\ParameterBag $bag
Chris@15 67 * The parameter bag to process.
Chris@15 68 * @param string[] $whitelist
Chris@15 69 * An array of keys to whitelist as safe.
Chris@15 70 * @param bool $log_sanitized_keys
Chris@15 71 * Set to TRUE to log keys that are sanitized.
Chris@15 72 * @param string $bag_name
Chris@15 73 * The request parameter bag name. Either 'query', 'request' or 'cookies'.
Chris@15 74 * @param string $message
Chris@15 75 * The message to log if the parameter bag contains keys that are removed.
Chris@15 76 * If the message contains %s that is replaced by a list of removed keys.
Chris@15 77 *
Chris@15 78 * @return bool
Chris@15 79 * TRUE if the parameter bag has been sanitized, FALSE if not.
Chris@15 80 */
Chris@15 81 protected static function processParameterBag(ParameterBag $bag, $whitelist, $log_sanitized_keys, $bag_name, $message) {
Chris@15 82 $sanitized = FALSE;
Chris@15 83 $sanitized_keys = [];
Chris@15 84 $bag->replace(static::stripDangerousValues($bag->all(), $whitelist, $sanitized_keys));
Chris@15 85 if (!empty($sanitized_keys)) {
Chris@15 86 $sanitized = TRUE;
Chris@15 87 if ($log_sanitized_keys) {
Chris@15 88 trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
Chris@15 89 }
Chris@15 90 }
Chris@15 91
Chris@15 92 if ($bag->has('destination')) {
Chris@17 93 $destination = $bag->get('destination');
Chris@17 94 $destination_dangerous_keys = static::checkDestination($destination, $whitelist);
Chris@15 95 if (!empty($destination_dangerous_keys)) {
Chris@15 96 // The destination is removed rather than sanitized because the URL
Chris@15 97 // generator service is not available and this method is called very
Chris@15 98 // early in the bootstrap.
Chris@15 99 $bag->remove('destination');
Chris@15 100 $sanitized = TRUE;
Chris@15 101 if ($log_sanitized_keys) {
Chris@15 102 trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
Chris@15 103 }
Chris@15 104 }
Chris@17 105 // Sanitize the destination parameter (which is often used for redirects)
Chris@17 106 // to prevent open redirect attacks leading to other domains.
Chris@17 107 if (UrlHelper::isExternal($destination)) {
Chris@17 108 // The destination is removed because it is an external URL.
Chris@17 109 $bag->remove('destination');
Chris@17 110 $sanitized = TRUE;
Chris@17 111 if ($log_sanitized_keys) {
Chris@17 112 trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
Chris@17 113 }
Chris@17 114 }
Chris@15 115 }
Chris@15 116 return $sanitized;
Chris@15 117 }
Chris@15 118
Chris@15 119 /**
Chris@15 120 * Checks a destination string to see if it is dangerous.
Chris@15 121 *
Chris@15 122 * @param string $destination
Chris@15 123 * The destination string to check.
Chris@15 124 * @param array $whitelist
Chris@15 125 * An array of keys to whitelist as safe.
Chris@15 126 *
Chris@15 127 * @return array
Chris@15 128 * The dangerous keys found in the destination parameter.
Chris@15 129 */
Chris@15 130 protected static function checkDestination($destination, array $whitelist) {
Chris@15 131 $dangerous_keys = [];
Chris@15 132 $parts = UrlHelper::parse($destination);
Chris@15 133 // If there is a query string, check its query parameters.
Chris@15 134 if (!empty($parts['query'])) {
Chris@15 135 static::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
Chris@15 136 }
Chris@15 137 return $dangerous_keys;
Chris@15 138 }
Chris@15 139
Chris@15 140 /**
Chris@13 141 * Strips dangerous keys from $input.
Chris@13 142 *
Chris@13 143 * @param mixed $input
Chris@13 144 * The input to sanitize.
Chris@13 145 * @param string[] $whitelist
Chris@13 146 * An array of keys to whitelist as safe.
Chris@13 147 * @param string[] $sanitized_keys
Chris@13 148 * An array of keys that have been removed.
Chris@13 149 *
Chris@13 150 * @return mixed
Chris@13 151 * The sanitized input.
Chris@13 152 */
Chris@13 153 protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
Chris@13 154 if (is_array($input)) {
Chris@13 155 foreach ($input as $key => $value) {
Chris@13 156 if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
Chris@13 157 unset($input[$key]);
Chris@13 158 $sanitized_keys[] = $key;
Chris@13 159 }
Chris@13 160 else {
Chris@13 161 $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
Chris@13 162 }
Chris@13 163 }
Chris@13 164 }
Chris@13 165 return $input;
Chris@13 166 }
Chris@13 167
Chris@13 168 }