Chris@13
|
1 <?php
|
Chris@13
|
2
|
Chris@13
|
3 namespace Drupal\Core\Security;
|
Chris@13
|
4
|
Chris@15
|
5 use Drupal\Component\Utility\UrlHelper;
|
Chris@15
|
6 use Symfony\Component\HttpFoundation\ParameterBag;
|
Chris@13
|
7 use Symfony\Component\HttpFoundation\Request;
|
Chris@13
|
8
|
Chris@13
|
9 /**
|
Chris@13
|
10 * Sanitizes user input.
|
Chris@13
|
11 */
|
Chris@13
|
12 class RequestSanitizer {
|
Chris@13
|
13
|
Chris@13
|
14 /**
|
Chris@13
|
15 * Request attribute to mark the request as sanitized.
|
Chris@13
|
16 */
|
Chris@13
|
17 const SANITIZED = '_drupal_request_sanitized';
|
Chris@13
|
18
|
Chris@13
|
19 /**
|
Chris@13
|
20 * The name of the setting that configures the whitelist.
|
Chris@13
|
21 */
|
Chris@13
|
22 const SANITIZE_WHITELIST = 'sanitize_input_whitelist';
|
Chris@13
|
23
|
Chris@13
|
24 /**
|
Chris@13
|
25 * The name of the setting that determines if sanitized keys are logged.
|
Chris@13
|
26 */
|
Chris@13
|
27 const SANITIZE_LOG = 'sanitize_input_logging';
|
Chris@13
|
28
|
Chris@13
|
29 /**
|
Chris@13
|
30 * Strips dangerous keys from user input.
|
Chris@13
|
31 *
|
Chris@13
|
32 * @param \Symfony\Component\HttpFoundation\Request $request
|
Chris@13
|
33 * The incoming request to sanitize.
|
Chris@13
|
34 * @param string[] $whitelist
|
Chris@13
|
35 * An array of keys to whitelist as safe. See default.settings.php.
|
Chris@13
|
36 * @param bool $log_sanitized_keys
|
Chris@16
|
37 * (optional) Set to TRUE to log keys that are sanitized.
|
Chris@13
|
38 *
|
Chris@13
|
39 * @return \Symfony\Component\HttpFoundation\Request
|
Chris@13
|
40 * The sanitized request.
|
Chris@13
|
41 */
|
Chris@13
|
42 public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) {
|
Chris@13
|
43 if (!$request->attributes->get(self::SANITIZED, FALSE)) {
|
Chris@15
|
44 $update_globals = FALSE;
|
Chris@15
|
45 $bags = [
|
Chris@15
|
46 'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s',
|
Chris@15
|
47 'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s',
|
Chris@15
|
48 'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s',
|
Chris@15
|
49 ];
|
Chris@15
|
50 foreach ($bags as $bag => $message) {
|
Chris@15
|
51 if (static::processParameterBag($request->$bag, $whitelist, $log_sanitized_keys, $bag, $message)) {
|
Chris@15
|
52 $update_globals = TRUE;
|
Chris@15
|
53 }
|
Chris@13
|
54 }
|
Chris@15
|
55 if ($update_globals) {
|
Chris@13
|
56 $request->overrideGlobals();
|
Chris@13
|
57 }
|
Chris@13
|
58 $request->attributes->set(self::SANITIZED, TRUE);
|
Chris@13
|
59 }
|
Chris@13
|
60 return $request;
|
Chris@13
|
61 }
|
Chris@13
|
62
|
Chris@13
|
63 /**
|
Chris@15
|
64 * Processes a request parameter bag.
|
Chris@15
|
65 *
|
Chris@15
|
66 * @param \Symfony\Component\HttpFoundation\ParameterBag $bag
|
Chris@15
|
67 * The parameter bag to process.
|
Chris@15
|
68 * @param string[] $whitelist
|
Chris@15
|
69 * An array of keys to whitelist as safe.
|
Chris@15
|
70 * @param bool $log_sanitized_keys
|
Chris@15
|
71 * Set to TRUE to log keys that are sanitized.
|
Chris@15
|
72 * @param string $bag_name
|
Chris@15
|
73 * The request parameter bag name. Either 'query', 'request' or 'cookies'.
|
Chris@15
|
74 * @param string $message
|
Chris@15
|
75 * The message to log if the parameter bag contains keys that are removed.
|
Chris@15
|
76 * If the message contains %s that is replaced by a list of removed keys.
|
Chris@15
|
77 *
|
Chris@15
|
78 * @return bool
|
Chris@15
|
79 * TRUE if the parameter bag has been sanitized, FALSE if not.
|
Chris@15
|
80 */
|
Chris@15
|
81 protected static function processParameterBag(ParameterBag $bag, $whitelist, $log_sanitized_keys, $bag_name, $message) {
|
Chris@15
|
82 $sanitized = FALSE;
|
Chris@15
|
83 $sanitized_keys = [];
|
Chris@15
|
84 $bag->replace(static::stripDangerousValues($bag->all(), $whitelist, $sanitized_keys));
|
Chris@15
|
85 if (!empty($sanitized_keys)) {
|
Chris@15
|
86 $sanitized = TRUE;
|
Chris@15
|
87 if ($log_sanitized_keys) {
|
Chris@15
|
88 trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
|
Chris@15
|
89 }
|
Chris@15
|
90 }
|
Chris@15
|
91
|
Chris@15
|
92 if ($bag->has('destination')) {
|
Chris@17
|
93 $destination = $bag->get('destination');
|
Chris@17
|
94 $destination_dangerous_keys = static::checkDestination($destination, $whitelist);
|
Chris@15
|
95 if (!empty($destination_dangerous_keys)) {
|
Chris@15
|
96 // The destination is removed rather than sanitized because the URL
|
Chris@15
|
97 // generator service is not available and this method is called very
|
Chris@15
|
98 // early in the bootstrap.
|
Chris@15
|
99 $bag->remove('destination');
|
Chris@15
|
100 $sanitized = TRUE;
|
Chris@15
|
101 if ($log_sanitized_keys) {
|
Chris@15
|
102 trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
|
Chris@15
|
103 }
|
Chris@15
|
104 }
|
Chris@17
|
105 // Sanitize the destination parameter (which is often used for redirects)
|
Chris@17
|
106 // to prevent open redirect attacks leading to other domains.
|
Chris@17
|
107 if (UrlHelper::isExternal($destination)) {
|
Chris@17
|
108 // The destination is removed because it is an external URL.
|
Chris@17
|
109 $bag->remove('destination');
|
Chris@17
|
110 $sanitized = TRUE;
|
Chris@17
|
111 if ($log_sanitized_keys) {
|
Chris@17
|
112 trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
|
Chris@17
|
113 }
|
Chris@17
|
114 }
|
Chris@15
|
115 }
|
Chris@15
|
116 return $sanitized;
|
Chris@15
|
117 }
|
Chris@15
|
118
|
Chris@15
|
119 /**
|
Chris@15
|
120 * Checks a destination string to see if it is dangerous.
|
Chris@15
|
121 *
|
Chris@15
|
122 * @param string $destination
|
Chris@15
|
123 * The destination string to check.
|
Chris@15
|
124 * @param array $whitelist
|
Chris@15
|
125 * An array of keys to whitelist as safe.
|
Chris@15
|
126 *
|
Chris@15
|
127 * @return array
|
Chris@15
|
128 * The dangerous keys found in the destination parameter.
|
Chris@15
|
129 */
|
Chris@15
|
130 protected static function checkDestination($destination, array $whitelist) {
|
Chris@15
|
131 $dangerous_keys = [];
|
Chris@15
|
132 $parts = UrlHelper::parse($destination);
|
Chris@15
|
133 // If there is a query string, check its query parameters.
|
Chris@15
|
134 if (!empty($parts['query'])) {
|
Chris@15
|
135 static::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
|
Chris@15
|
136 }
|
Chris@15
|
137 return $dangerous_keys;
|
Chris@15
|
138 }
|
Chris@15
|
139
|
Chris@15
|
140 /**
|
Chris@13
|
141 * Strips dangerous keys from $input.
|
Chris@13
|
142 *
|
Chris@13
|
143 * @param mixed $input
|
Chris@13
|
144 * The input to sanitize.
|
Chris@13
|
145 * @param string[] $whitelist
|
Chris@13
|
146 * An array of keys to whitelist as safe.
|
Chris@13
|
147 * @param string[] $sanitized_keys
|
Chris@13
|
148 * An array of keys that have been removed.
|
Chris@13
|
149 *
|
Chris@13
|
150 * @return mixed
|
Chris@13
|
151 * The sanitized input.
|
Chris@13
|
152 */
|
Chris@13
|
153 protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
|
Chris@13
|
154 if (is_array($input)) {
|
Chris@13
|
155 foreach ($input as $key => $value) {
|
Chris@13
|
156 if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
|
Chris@13
|
157 unset($input[$key]);
|
Chris@13
|
158 $sanitized_keys[] = $key;
|
Chris@13
|
159 }
|
Chris@13
|
160 else {
|
Chris@13
|
161 $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
|
Chris@13
|
162 }
|
Chris@13
|
163 }
|
Chris@13
|
164 }
|
Chris@13
|
165 return $input;
|
Chris@13
|
166 }
|
Chris@13
|
167
|
Chris@13
|
168 }
|