klevze/UploadShied
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

Browse Source
This commit is contained in:
Gregor Klevže
2026-02-12 07:47:48 +01:00
parent 037b176892
commit 1768f61da1
44 changed files with 2587 additions and 698 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
detectors/ContentDetector.php Normal file
View File

@@ -0,0 +1,114 @@
<?php
declare(strict_types=1);
namespace UploadLogger\Detectors;
use UploadLogger\Core\Context;
use UploadLogger\Core\DetectorInterface;
use UploadLogger\Core\Config;
final class ContentDetector implements DetectorInterface
{
private ?Config $config;
public function __construct(?Config $config = null)
{
$this->config = $config;
}
public function getName(): string
{
return 'content';
}
/**
* @param array<string, mixed> $input
* @return array<string, mixed>
*/
public function detect(Context $context, array $input = []): array
{
$tmp = (string)($input['tmp'] ?? '');
$size = (int)($input['size'] ?? 0);
$realMime = (string)($input['real_mime'] ?? '');
$suspicious = false;
$reasons = [];
if ($tmp === '' || !is_file($tmp)) {
return ['suspicious' => false, 'reasons' => []];
}
// Determine limits from Config if provided, otherwise use defaults
$maxBytes = 8192;
$maxFilesize = 2 * 1024 * 1024;
$allowXmlEval = false;
$customPatterns = [];
if ($this->config instanceof Config) {
$maxBytes = (int)$this->config->get('detectors.content.sniff_max_bytes', $this->config->get('limits.sniff_max_bytes', $maxBytes));
$maxFilesize = (int)$this->config->get('detectors.content.sniff_max_filesize', $this->config->get('limits.sniff_max_filesize', $maxFilesize));
$allowXmlEval = (bool)$this->config->get('detectors.content.allow_xml_eval', false);
$customPatterns = (array)$this->config->get('detectors.content.custom_patterns', []);
}
if ($size <= 0) {
$size = @filesize($tmp) ?: 0;
}
if ($size <= 0 || $size > $maxFilesize) {
return ['suspicious' => false, 'reasons' => []];
}
$bytes = min($maxBytes, $size);
$maxlen = $bytes > 0 ? $bytes : null;
$head = @file_get_contents($tmp, false, null, 0, $maxlen);
if ($head === false || $head === '') {
return ['suspicious' => false, 'reasons' => []];
}
$scan = $head;
// Detect PHP open tags (avoid matching <?xml)
if (preg_match('/<\?php|<\?=|<\?(?!xml)/i', $scan)) {
$suspicious = true;
$reasons[] = 'php_tag';
}
// Built-in function patterns
$funcPatterns = [
'passthru\s*\(', 'system\s*\(', 'exec\s*\(', 'shell_exec\s*\(',
'proc_open\s*\(', 'popen\s*\(', 'pcntl_exec\s*\(',
];
foreach ($funcPatterns as $pat) {
if (preg_match('/' . $pat . '/i', $scan)) {
$suspicious = true;
$reasons[] = 'danger_func';
break;
}
}
// Base64/eval/assert patterns often indicate obfuscated payloads
if (preg_match('/base64_decode\s*\(|eval\s*\(|assert\s*\(/i', $scan)) {
$isXmlLike = preg_match('/xml|svg/i', $realMime);
if (!preg_match('/eval\s*\(/i', $scan) || !$isXmlLike || $allowXmlEval === true) {
$suspicious = true;
$reasons[] = 'obf_func';
}
}
// Custom patterns from config
foreach ($customPatterns as $p) {
try {
if (@preg_match($p, $scan)) {
$suspicious = true;
$reasons[] = 'custom_pattern';
}
} catch (\Throwable $e) {
// ignore invalid patterns
}
}
return ['suspicious' => $suspicious, 'reasons' => array_values(array_unique($reasons))];
}
}

66
detectors/FilenameDetector.php Normal file
View File

@@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
namespace UploadLogger\Detectors;
use UploadLogger\Core\Context;
use UploadLogger\Core\DetectorInterface;
final class FilenameDetector implements DetectorInterface
{
public function getName(): string
{
return 'filename';
}
/**
* @param array<string, mixed> $input
* @return array<string, mixed>
*/
public function detect(Context $context, array $input = []): array
{
$name = (string)($input['name'] ?? '');
$origName = (string)($input['orig_name'] ?? $name);
$suspicious = false;
$reasons = [];
if ($origName !== $name || strpos($origName, '/') !== false || strpos($origName, '\\') !== false) {
$suspicious = true;
$reasons[] = 'bad_name';
}
if ($this->isSuspiciousFilename($name)) {
$suspicious = true;
$reasons[] = 'bad_name';
}
return [
'suspicious' => $suspicious,
'reasons' => $reasons,
];
}
private function isSuspiciousFilename(string $name): bool
{
$n = strtolower($name);
if (strpos($n, '../') !== false || strpos($n, '..\\') !== false || strpos($n, "\0") !== false) {
return true;
}
if (preg_match('/\.(php|phtml|phar|php\d|pl|cgi|sh|asp|aspx|jsp)$/i', $n)) {
return true;
}
if (preg_match('/\.(php|phtml|phar|php\d|pl|cgi|sh|asp|aspx|jsp)\./i', $n)) {
return true;
}
if (preg_match('/^\.(php|phtml|phar|php\d)/i', $n)) {
return true;
}
return false;
}
}

49
detectors/MimeDetector.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
declare(strict_types=1);
namespace UploadLogger\Detectors;
use UploadLogger\Core\Context;
use UploadLogger\Core\DetectorInterface;
final class MimeDetector implements DetectorInterface
{
public function getName(): string
{
return 'mime_sniff';
}
/**
* @param array<string, mixed> $input
* @return array<string, mixed>
*/
public function detect(Context $context, array $input = []): array
{
$name = (string)($input['name'] ?? '');
$realMime = (string)($input['real_mime'] ?? 'unknown');
$suspicious = false;
$reasons = [];
if ($this->isFakeImage($name, $realMime)) {
$suspicious = true;
$reasons[] = 'fake_image';
}
return [
'suspicious' => $suspicious,
'reasons' => $reasons,
];
}
private function isFakeImage(string $name, string $realMime): bool
{
if (preg_match('/\.(png|jpe?g|gif|webp|bmp|ico|svg)$/i', $name)) {
if (!preg_match('/^image\//', $realMime)) {
return true;
}
}
return false;
}
}