
update version, removed unrelated methods from ezQuery class to globa…
…l functions only

- added/tested two additional security related functions, `is_traversal` and `sanitize_path` to go along with `clean_string`
TheTechsTech committed Feb 22, 2021
1 parent a20e2b5 commit 1496813
Showing 7 changed files with 138 additions and 127 deletions.
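--- a/README.md
+++ b/README.md
@@ -288,6 +288,8 @@ use function ezsql\functions\{
 ///
 to_string,
 clean_string,
+is_traversal,
+sanitize_path,
 create_certificate,
 ///
 column,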
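--- a/lib/Constants.php
+++ b/lib/Constants.php
@@ -5,7 +5,7 @@
 /**
 * ezsqlModel Constants
 */
-\defined('EZSQL_VERSION') or \define('EZSQL_VERSION', '5.1.0');
+\defined('EZSQL_VERSION') or \define('EZSQL_VERSION', '5.1.1');
 \defined('OBJECT') or \define('OBJECT', 'OBJECT');
 \defined('ARRAY_A') or \define('ARRAY_A', 'ARRAY_A');
 \defined('ARRAY_N') or \define('ARRAY_N', 'ARRAY_N');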
148 changes: 113 additions & 35 deletions lib/ezFunctions.php
Expand Up @@ -215,40 +215,6 @@ function changingColumn(string $columnName, ...$datatype)
return column(\CHANGER, $columnName, ...$datatype);
}

/**
* Creates self signed certificate
*
* @param string $privatekeyFile
* @param string $certificateFile
* @param string $signingFile
* // param string $caCertificate
* @param string $ssl_path
* @param array $details - certificate details
*
* Example:
* array $details = [
* "countryName" => '',
* "stateOrProvinceName" => '',
* "localityName" => '',
* "organizationName" => '',
* "organizationalUnitName" => '',
* "commonName" => '',
* "emailAddress" => ''
* ];
*
* @return string certificate path
*/
function create_certificate(
string $privatekeyFile = 'certificate.key',
string $certificateFile = 'certificate.crt',
string $signingFile = 'certificate.csr',
// string $caCertificate = null,
string $ssl_path = null,
array $details = ["commonName" => "localhost"]
) {
return ezQuery::createCertificate($privatekeyFile, $certificateFile, $signingFile, $ssl_path, $details);
}

/**
* Creates an equality comparison expression with the given arguments.
*
Expand Down Expand Up @@ -600,7 +566,119 @@ function clearInstance()
*/
function clean_string(string $string)
{
return ezQuery::clean($string);
$patterns = array( // strip out:
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
);

$string = \preg_replace($patterns, '', $string);
$string = \trim($string);
$string = \stripslashes($string);

return \htmlentities($string);
}

/**
* Check if path/filename is directory traversal attack.
*
* @param string $basePath base directory to check against
* @param string $filename will be preprocess with `sanitize_path()`
* @return boolean
*/
function is_traversal(string $basePath, string $filename)
{
if (\strpos(\urldecode($filename), '..') !== false)
return true;

$realBase = \rtrim(\realpath($basePath), _DS);
$userPath = $realBase . _DS . sanitize_path($filename);
$realUserPath = \realpath($userPath);
// Reassign with un-sanitized if file does not exits
if ($realUserPath === false)
$realUserPath = $filename;

return (\strpos($realUserPath, $realBase) !== 0);
}

/**
* Sanitize path to prevent directory traversal.
*
* Example:
*
* `sanitize_path("../../../../config.php");`
*
* Returns `config.php` without the path traversal
* @param string $path
* @return string
*/
function sanitize_path(string $path)
{
$file = \preg_replace("/\.[\.]+/", "", $path);
$file = \preg_replace("/^[\/]+/", "", $file);
$file = \preg_replace("/^[A-Za-z][:\|][\/]?/", "", $file);
return ($file);
}

/**
* Creates self signed certificate
*
* @param string $privatekeyFile
* @param string $certificateFile
* @param string $signingFile
* // param string $caCertificate
* @param string $ssl_path
* @param array $details - certificate details
*
* Example:
* array $details = [
* "countryName" => '',
* "stateOrProvinceName" => '',
* "localityName" => '',
* "organizationName" => '',
* "organizationalUnitName" => '',
* "commonName" => '',
* "emailAddress" => ''
* ];
*
* @return string certificate path
*/
function create_certificate(
string $privatekeyFile = 'certificate.key',
string $certificateFile = 'certificate.crt',
string $signingFile = 'certificate.csr',
// string $caCertificate = null,
string $ssl_path = null,
array $details = ["commonName" => "localhost"]
) {
if (empty($ssl_path)) {
$ssl_path = \getcwd();
$ssl_path = \preg_replace('/\\\/', \_DS, $ssl_path) . \_DS;
} else
$ssl_path = $ssl_path . \_DS;

$opensslConfig = array("config" => $ssl_path . 'openssl.cnf');

// Generate a new private (and public) key pair
$privatekey = \openssl_pkey_new($opensslConfig);

// Generate a certificate signing request
$csr = \openssl_csr_new($details, $privatekey, $opensslConfig);

// Create a self-signed certificate valid for 365 days
$sslcert = \openssl_csr_sign($csr, null, $privatekey, 365, $opensslConfig);

// Create key file. Note no passphrase
\openssl_pkey_export_to_file($privatekey, $ssl_path . $privatekeyFile, null, $opensslConfig);

// Create server certificate
\openssl_x509_export_to_file($sslcert, $ssl_path . $certificateFile, false);

// Create a signing request file
\openssl_csr_export_to_file($csr, $ssl_path . $signingFile);

return $ssl_path;
}

/**
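Review bot: is_traversal's fallback `if ($realUserPath === false) $realUserPath = $filename;` substitutes the raw, unsanitized input for the resolved path, so any relative name that does not exist yet (a file about to be written, for instance) fails the prefix test on the next line and is reported as traversal, while the sanitized candidate the function just built is thrown away. Two smaller gaps sit in the same function: `\rtrim(\realpath($basePath), _DS)` passes `false` into `rtrim` when the base itself does not resolve, and `\strpos($realUserPath, $realBase) !== 0` compares without a trailing separator, so a sibling directory whose name merely begins with the base name is accepted. The rewrite below flags absolute or drive-rooted input explicitly (which is what the raw fallback was implicitly catching), rejects an unresolvable base, compares the sanitized candidate when the file does not exist, and appends a separator before the prefix check; `_DS` is taken to be the library's directory-separator constant defined outside this hunk. sanitize_path, in the same hunk, strips only forward-slash prefixes, so a backslash-rooted name keeps its leading `\` after the dot sequences are removed — widening the second pattern to `"/^[\/\\\\]+/"` would make it consistent on Windows hosts.
```php
function is_traversal(string $basePath, string $filename)
{
    $decoded = \urldecode($filename);
    if (\strpos($decoded, '..') !== false)
        return true;

    // An absolute or drive-rooted name cannot sit inside $basePath by construction;
    // reject it here instead of relying on the raw-input fallback below
    if (\preg_match('~^(?:[\\\\/]|[A-Za-z][:|])~', $decoded) === 1)
        return true;

    $realBase = \realpath($basePath);
    // A base directory that cannot be resolved gives nothing to anchor the check to
    if ($realBase === false)
        return true;

    $realBase = \rtrim($realBase, _DS);
    $userPath = $realBase . _DS . sanitize_path($filename);
    $realUserPath = \realpath($userPath);
    // File may not exist yet: compare the sanitized candidate, not the raw input
    if ($realUserPath === false)
        $realUserPath = $userPath;

    // Require a whole path component to match so "/home" does not accept "/homeless"
    return \strpos($realUserPath . _DS, $realBase . _DS) !== 0;
}
```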
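--- a/lib/ezQuery.php
+++ b/lib/ezQuery.php
@@ -44,82 +44,6 @@ public function __construct()
 {
 }
 
-public static function clean($string)
-{
-$patterns = array( // strip out:
-'@<script[^>]*?>.*?</script>@si', // Strip out javascript
-'@<[\/\!]*?[^<>]*?>@si', // HTML tags
-'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
-'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
-);
-
-$string = \preg_replace($patterns, '', $string);
-$string = \trim($string);
-$string = \stripslashes($string);
-
-return \htmlentities($string);
-}
-
-/**
-* Creates self signed certificate
-*
-* @param string $privatekeyFile
-* @param string $certificateFile
-* @param string $signingFile
-* // param string $caCertificate
-* @param string $ssl_path
-* @param array $details - certificate details
-*
-* Example:
-* array $details = [
-* "countryName" => '',
-* "stateOrProvinceName" => '',
-* "localityName" => '',
-* "organizationName" => '',
-* "organizationalUnitName" => '',
-* "commonName" => '',
-* "emailAddress" => ''
-* ];
-*
-* @return string certificate path
-*/
-public static function createCertificate(
-string $privatekeyFile = 'certificate.key',
-string $certificateFile = 'certificate.crt',
-string $signingFile = 'certificate.csr',
-// string $caCertificate = null,
-string $ssl_path = null,
-array $details = ["commonName" => "localhost"]
-) {
-if (empty($ssl_path)) {
-$ssl_path = \getcwd();
-$ssl_path = \preg_replace('/\\\/', \_DS, $ssl_path) . \_DS;
-} else
-$ssl_path = $ssl_path . \_DS;
-
-$opensslConfig = array("config" => $ssl_path . 'openssl.cnf');
-
-// Generate a new private (and public) key pair
-$privatekey = \openssl_pkey_new($opensslConfig);
-
-// Generate a certificate signing request
-$csr = \openssl_csr_new($details, $privatekey, $opensslConfig);
-
-// Create a self-signed certificate valid for 365 days
-$sslcert = \openssl_csr_sign($csr, null, $privatekey, 365, $opensslConfig);
-
-// Create key file. Note no passphrase
-\openssl_pkey_export_to_file($privatekey, $ssl_path . $privatekeyFile, null, $opensslConfig);
-
-// Create server certificate
-\openssl_x509_export_to_file($sslcert, $ssl_path . $certificateFile, false);
-
-// Create a signing request file
-\openssl_csr_export_to_file($csr, $ssl_path . $signingFile);
-
-return $ssl_path;
-}
-
 /**
 * Return status of prepare function availability in shortcut method calls
 */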
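--- a/lib/ezQueryInterface.php
+++ b/lib/ezQueryInterface.php
@@ -29,13 +29,6 @@
 */
 interface ezQueryInterface
 {
-/**
-* Clean input of XSS, html, javascript, etc...
-* @param string $string
-* @return string cleaned string
-*/
-public static function clean($string);
-
 /**
 * Turn on prepare function availability in ezQuery shortcut method calls
 */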
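--- a/tests/ezFunctionsTest.php
+++ b/tests/ezFunctionsTest.php
@@ -50,7 +50,10 @@
 get_results,
 table_setup,
 set_table,
-set_prefix
+set_prefix,
+clean_string,
+is_traversal,
+sanitize_path
 };
 
 class ezFunctionsTest extends EZTestCase
@@ -60,6 +63,23 @@ protected function setUp(): void
 clearInstance();
 }
 
+public function testClean_string()
+{
+$this->assertEquals("' help", clean_string("<?php echo 'foo' >' help</php?>"));
+}
+
+public function testSanitize_path()
+{
+$this->assertEquals("config.php", sanitize_path("../../../../config.php"));
+}
+
+public function testis_traversal()
+{
+$this->assertEquals(true, is_traversal('/home', "../../../../config.php"));
+$this->assertEquals(true, is_traversal(__DIR__, dirname(__DIR__), 8));
+$this->assertEquals(false, is_traversal(__DIR__, 'Foo.php'));
+}
+
 public function testGetInstance()
 {
 $this->assertNull(getInstance());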
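Review bot: `is_traversal(__DIR__, dirname(__DIR__), 8)` in testis_traversal passes a third argument the function does not declare; PHP discards surplus arguments to user-defined functions, so the `8` asserts nothing and should be dropped. The next assertion, `is_traversal(__DIR__, 'Foo.php')` expecting false, appears to hold only if a Foo.php exists in the tests directory, because the lib/ezFunctions.php hunk falls back to the raw filename when the joined path does not resolve and a bare relative name then fails the base-prefix check — a case with a name that certainly does not exist, such as `$this->assertEquals(false, is_traversal(__DIR__, 'does-not-exist.php'));`, would pin down whether that behaviour is intended. The method name `testis_traversal` also breaks the pattern of its siblings (`testSanitize_path`, `testGetInstance`); `testIs_traversal` keeps PHPUnit's `test` prefix and matches the rest of the class.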
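--- a/tests/ezQueryTest.php
+++ b/tests/ezQueryTest.php
@@ -9,8 +9,7 @@
 eq,
 neq,
 like,
-in,
-clean_string
+in
 };
 
 class ezQueryTest extends EZTestCase
@@ -27,11 +26,6 @@ protected function tearDown(): void
 $this->object = null;
 }
 
-public function testClean_string()
-{
-$this->assertEquals("' help", clean_string("<?php echo 'foo' >' help</php?>"));
-}
-
 public function testHaving()
 {
 $this->assertFalse($this->object->having(''));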
