Added more security to the composer vendor folder. Added the SFTP get helper classes, and adapted the compiler to use SFTP

This commit is contained in:
2018-02-18 00:47:01 +02:00
parent 9055c560f8
commit c3156642b2
28 changed files with 642 additions and 723 deletions


@ -318,17 +318,35 @@ class Compiler extends Infusion
// make sure we have the correct file
if (JFile::exists($xml_update_server_path) && isset($this->componentData->update_server))
{
// Get the basic encription.
$basickey = ComponentbuilderHelper::getCryptKey('basic');
// Get the encription object.
$basic = new FOFEncryptAes($basickey, 128);
if (!empty($this->componentData->update_server) && $basickey && !is_numeric($this->componentData->update_server) && $this->componentData->update_server === base64_encode(base64_decode($this->componentData->update_server, true)))
// use FTP
if ($this->componentData->update_server_protocol == 1)
{
// basic decript data update_server.
$this->componentData->update_server = rtrim($basic->decryptString($this->componentData->update_server), "\0");
// Get the basic encription.
$basickey = ComponentbuilderHelper::getCryptKey('basic');
// Get the encription object.
$basic = new FOFEncryptAes($basickey, 128);
if (!empty($this->componentData->update_server) && $basickey && !is_numeric($this->componentData->update_server) && $this->componentData->update_server === base64_encode(base64_decode($this->componentData->update_server, true)))
{
// basic decript data update_server.
$this->componentData->update_server = rtrim($basic->decryptString($this->componentData->update_server), "\0");
}
// now move the file
$this->moveFileToFtpServer($xml_update_server_path, $this->componentData->update_server);
}
// use SFTP
elseif ($this->componentData->update_server_protocol == 2)
{
if ($sftp = ComponentbuilderHelper::getSftp((int) $this->componentData->update_server))
{
// now move the file
if (!$sftp->put($sftp->remote_server_path . $this->updateServerFileName . '.xml', ComponentbuilderHelper::getFileContents($xml_update_server_path, null)))
{
$this->app->enqueueMessage(JText::sprintf('The <b>%s</b> file could not be moved to <b>%s</b> path on <b>%s</b> server.', $this->updateServerFileName . '.xml', $sftp->remote_server_path, $sftp->remote_server_name), 'Error');
}
// remove the local file
JFile::delete($xml_update_server_path);
}
}
// now move the file
$this->moveFileToFtpServer($xml_update_server_path, $this->componentData->update_server);
}
}
}
@ -499,17 +517,33 @@ class Compiler extends Infusion
// make sure we have the correct file
if (isset($this->componentData->sales_server))
{
// Get the basic encription.
$basickey = ComponentbuilderHelper::getCryptKey('basic');
// Get the encription object.
$basic = new FOFEncryptAes($basickey, 128);
if (!empty($this->componentData->sales_server) && $basickey && !is_numeric($this->componentData->sales_server) && $this->componentData->sales_server === base64_encode(base64_decode($this->componentData->sales_server, true)))
// use FTP
if ($this->componentData->sales_server_protocol == 1)
{
// basic decript data update_server.
$this->componentData->sales_server = rtrim($basic->decryptString($this->componentData->sales_server), "\0");
// Get the basic encription.
$basickey = ComponentbuilderHelper::getCryptKey('basic');
// Get the encription object.
$basic = new FOFEncryptAes($basickey, 128);
if (!empty($this->componentData->sales_server) && $basickey && !is_numeric($this->componentData->sales_server) && $this->componentData->sales_server === base64_encode(base64_decode($this->componentData->sales_server, true)))
{
// basic decript data sales_server.
$this->componentData->sales_server = rtrim($basic->decryptString($this->componentData->sales_server), "\0");
}
// now move the file
$this->moveFileToFtpServer($this->filepath, $this->componentData->sales_server, $this->componentSalesName . '.zip', false);
}
// use SFTP
elseif ($this->componentData->sales_server_protocol == 2)
{
if ($sftp = ComponentbuilderHelper::getSftp((int) $this->componentData->sales_server))
{
// now move the file
if (!$sftp->put($sftp->remote_server_path . $this->componentFolderName . '.zip', ComponentbuilderHelper::getFileContents($this->filepath, null)))
{
$this->app->enqueueMessage(JText::sprintf('The <b>%s</b> file could not be moved to <b>%s</b> path on <b>%s</b> server.', $this->componentFolderName . '.zip', $sftp->remote_server_path, $sftp->remote_server_name), 'Error');
}
}
}
// now move the file
$this->moveFileToFtpServer($this->filepath, $this->componentData->sales_server, $this->componentSalesName . '.zip', false);
}
}
// remove the component folder since we are done
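Review bot: In the update-server hunk the `JFile::delete($xml_update_server_path);` that follows the SFTP branch runs whether or not `$sftp->put(...)` succeeded, so a failed upload both reports an error and destroys the only copy of the generated update XML; the delete belongs in a success branch, e.g. `if ($sftp->put($remote, $contents)) { JFile::delete($xml_update_server_path); } else { $this->app->enqueueMessage(...); }`. The sales-server hunk has the same shape without any delete, so the two SFTP paths also differ on success, and neither guards against `$sftp->remote_server_path` lacking a trailing slash before the file name is concatenated (the helper stores the configured path verbatim). The failure text is a raw English string where the helper uses `COM_COMPONENTBUILDER_*` language keys; a language constant would keep it translatable. Both enclosing methods start and end outside the hunks.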


@ -1152,24 +1152,26 @@ class Get
// reset back to nowlang
$this->lang = $nowLang;
// add the update server details
if ($component->add_update_server == 1 && is_numeric($component->update_server) && $component->update_server > 0)
// add the update/sales server FTP details if that is the expected protocol
$serverArray = array('update_server','sales_server');
foreach($serverArray as $server)
{
$component->update_server = ComponentbuilderHelper::getVar('server', (int) $component->update_server, 'id', 'signature');
}
else
{
$component->update_server = 0;
}
// add the sales server details
if ($component->add_sales_server == 1 && is_numeric($component->sales_server) && $component->sales_server > 0)
{
$component->sales_server = ComponentbuilderHelper::getVar('server', (int) $component->sales_server, 'id', 'signature');
}
else
{
$component->sales_server = 0;
$component->add_sales_server = 0;
if ($component->{'add_'.$server} == 1 && is_numeric($component->{$server}) && $component->{$server} > 0)
{
// get the server protocol
$component->{$server.'_protocol'} = ComponentbuilderHelper::getVar('server', (int) $component->{$server}, 'id', 'protocol');
// load the FTP
if (1 == $component->{$server.'_protocol'})
{
$component->{$server} = ComponentbuilderHelper::getVar('server', (int) $component->{$server}, 'id', 'signature');
}
}
else
{
$component->{$server} = 0;
$component->{'add_'.$server} = 0;
$component->{$server.'_protocol'} = 0;
}
}
// set the ignore folders for repo if found
if (isset($component->toignore) && ComponentbuilderHelper::checkString($component->toignore))
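Review bot: When the protocol lookup `ComponentbuilderHelper::getVar('server', (int) $component->{$server}, 'id', 'protocol')` finds no row (a deleted server id) or yields a protocol other than 1 or 2, the loop leaves `add_{server}` at 1 and the raw id in `{$server}`, and the compiler later dispatches only on protocol 1 or 2, so the publish step silently does nothing; resetting the three fields as the `else` branch does whenever the protocol is not 1 or 2 would make that failure explicit. The loose `1 == $component->{$server.'_protocol'}` comparison would be safer as `(int) $component->{$server.'_protocol'} === 1`, since getVar presumably returns the column as a string — verify against the helper. The enclosing method starts and ends outside the hunk.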


@ -1943,6 +1943,160 @@ abstract class ComponentbuilderHelper
return $none;
}
/**
* Load the Composer Vendors
**/
public static function composerAutoload()
{
// load the autoloader
require_once JPATH_ADMINISTRATOR.'/components/com_componentbuilder/helpers/vendor/autoload.php';
}
/**
* the SFTP object
**/
protected static $sftp = array();
/**
* get the sftp object
*
* @param int $serverID The server local id to use
*
* @return object on success with sftp power
**/
public static function getSftp($serverID)
{
// check if it was already set
if (!self::checkObject(self::$sftp[$serverID]))
{
// check if we have a server with that id
if ($server = self::getServerDetails($serverID, 2))
{
// make sure we have the composer classes loaded
self::composerAutoload();
// insure the port is set
$server->port = (isset($server->port) && is_int($server->port) && $server->port > 0) ? $server->port : 22;
// open the connection
self::$sftp[$serverID] = new phpseclib\Net\SFTP($server->host, $server->port);
// now login based on authentication type
switch($server->authentication)
{
case 1: // password
// now login
if (!self::$sftp[$serverID]->login($server->username, $server->password))
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_LOGIN_TO_BSB_HAS_FAILED_PLEASE_CHECK_THAT_YOUR_USERNAME_AND_PASSWORD_ARE_CORRECT', $server->name), 'Error');
return false;
}
break;
case 2: // private key file
$rsa = new phpseclib\Crypt\RSA();
// check if we have a passprase
if (self::checkString($server->secret))
{
$rsa->setPassword($server->secret);
}
// now load the key file
if (!$rsa->loadKey(self::getFileContents($server->private, null)))
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_PRIVATE_KEY_FILE_COULD_NOT_BE_LOADEDFOUND_FOR_BSB_SERVER', $server->name), 'Error');
return false;
}
// now login
if (!self::$sftp[$serverID]->login($server->username, $rsa))
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_LOGIN_TO_BSB_HAS_FAILED_PLEASE_CHECK_THAT_YOUR_USERNAME_AND_PRIVATE_KEY_FILE_ARE_CORRECT', $server->name), 'Error');
return false;
}
break;
case 3: // both password and private key file
$rsa = new phpseclib\Crypt\RSA();
// check if we have a passphrase
if (self::checkString($server->secret))
{
$rsa->setPassword($server->secret);
}
// now load the key file
if (!$rsa->loadKey(self::getFileContents($server->private, null)))
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_PRIVATE_KEY_FILE_COULD_NOT_BE_LOADEDFOUND_FOR_BSB_SERVER', $server->name), 'Error');
return false;
}
// now login
if (!self::$sftp[$serverID]->login($server->username, $server->password, $rsa))
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_LOGIN_TO_BSB_HAS_FAILED_PLEASE_CHECK_THAT_YOUR_USERNAME_PASSWORD_AND_PRIVATE_KEY_FILE_ARE_CORRECT', $server->name), 'Error');
return false;
}
break;
}
// set some defaults
self::$sftp[$serverID]->remote_server_name = $server->name;
self::$sftp[$serverID]->remote_server_path = (self::checkString($server->path) && $server->path !== '/') ? $server->path : '';
}
else
{
JFactory::getApplication()->enqueueMessage(JText::sprintf('COM_COMPONENTBUILDER_THE_SERVER_DETAILS_FOR_BSB_COULD_NOT_BE_RETRIEVED', $serverID), 'Error');
return false;
}
}
// return the sftp object
return self::$sftp[$serverID];
}
/**
* get the server details
*
* @param int $serverID The server local id to use
* @param int $protocol The server protocol to use
*
* @return array on success with sftp server details
**/
protected static function getServerDetails($serverID, $protocol = 2)
{
if (is_int($serverID) && is_int($serverID))
{
// Get a db connection
$db = JFactory::getDbo();
// start the query
$query = $db->getQuery(true);
// select based to protocal
if (2 == $protocol)
{
$query->select($db->quoteName(array('name','authentication','username','host','password','path','port','private','secret')));
}
else
{
$query->select($db->quoteName(array('name','signature')));
}
$query->from($db->quoteName('#__componentbuilder_server'));
$query->where($db->quoteName('id') . ' = ' . (int) $serverID);
$query->where($db->quoteName('protocol') . ' = ' . (int) $protocol);
$db->setQuery($query);
$db->execute();
if ($db->getNumRows())
{
$server = $db->loadObject();
// Get the basic encryption.
$basickey = self::getCryptKey('basic');
// Get the encryption object.
$basic = new FOFEncryptAes($basickey, 128);
// unlock the needed fields
foreach($server as $name => $value)
{
if ($name !== 'name' && !empty($server->{$name}) && $basickey && !is_numeric($server->{$name}) && $server->{$name} === base64_encode(base64_decode($server->{$name}, true)))
{
// basic decrypt of data
$server->{$name} = rtrim($basic->decryptString($server->{$name}), "\0");
}
}
// return the server details
return $server;
}
}
return false;
}
/**
* Load the Component xml manifest.
**/
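Review bot: Every failed `login(...)` branch in getSftp returns false but leaves the freshly constructed, unauthenticated `phpseclib\Net\SFTP` object in `self::$sftp[$serverID]`, so the next call passes the `checkObject` test and hands callers a connection that cannot put files; add `unset(self::$sftp[$serverID]);` before each `return false;`, and add a `default:` to the `switch` for unknown `authentication` values for the same reason. The first-call check `self::checkObject(self::$sftp[$serverID])` reads an undefined index; `if (!isset(self::$sftp[$serverID]) || !self::checkObject(self::$sftp[$serverID]))` avoids the notice. The port guard `is_int($server->port)` presumably always fails when the value arrives from the database or from `decryptString` as a string, forcing port 22; `(isset($server->port) && is_numeric($server->port) && (int) $server->port > 0) ? (int) $server->port : 22` honours the configured value. Nothing verifies the remote host key before the password is sent — phpseclib does not do this on its own — so an impersonating server can capture the credential and the uploaded packages; recording the fingerprint returned by `getServerPublicHostKey()` when the server is configured and comparing it before `login()` is the usual mitigation. In getServerDetails the guard `is_int($serverID) && is_int($serverID)` repeats the same test; the second operand was presumably meant to be `$protocol`.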

9
admin/helpers/vendor/.htaccess vendored Normal file

@ -0,0 +1,9 @@
# Apache 2.4+
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.0-2.2
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
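Review bot: These directives only take effect where the server's `AllowOverride` setting lets .htaccess override authorization, and front ends such as nginx never read the file, so on such deployments the vendor directory stays reachable over HTTP; a comment at the top, `# Defence in depth: blocks direct HTTP access to vendor code; only effective where AllowOverride permits it`, would make that dependency visible to administrators. Since the directory is only loaded through `require_once` from the helper, denying all web access is the right default.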


@ -4,4 +4,4 @@
require_once __DIR__ . '/composer/autoload_real.php';
return ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5::getLoader();
return ComposerAutoloaderInite1af6c9ee1d0c9dfa4a8dcea26b35570::getLoader();


@ -6,4 +6,28 @@ $vendorDir = dirname(dirname(__FILE__));
$baseDir = dirname($vendorDir);
return array(
'phpseclib\\Crypt\\AES' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/AES.php',
'phpseclib\\Crypt\\Base' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Base.php',
'phpseclib\\Crypt\\Blowfish' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Blowfish.php',
'phpseclib\\Crypt\\DES' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/DES.php',
'phpseclib\\Crypt\\Hash' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Hash.php',
'phpseclib\\Crypt\\RC2' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/RC2.php',
'phpseclib\\Crypt\\RC4' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/RC4.php',
'phpseclib\\Crypt\\RSA' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/RSA.php',
'phpseclib\\Crypt\\Random' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Random.php',
'phpseclib\\Crypt\\Rijndael' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Rijndael.php',
'phpseclib\\Crypt\\TripleDES' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/TripleDES.php',
'phpseclib\\Crypt\\Twofish' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Crypt/Twofish.php',
'phpseclib\\File\\ANSI' => $vendorDir . '/phpseclib/phpseclib/phpseclib/File/ANSI.php',
'phpseclib\\File\\ASN1' => $vendorDir . '/phpseclib/phpseclib/phpseclib/File/ASN1.php',
'phpseclib\\File\\ASN1\\Element' => $vendorDir . '/phpseclib/phpseclib/phpseclib/File/ASN1/Element.php',
'phpseclib\\File\\X509' => $vendorDir . '/phpseclib/phpseclib/phpseclib/File/X509.php',
'phpseclib\\Math\\BigInteger' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Math/BigInteger.php',
'phpseclib\\Net\\SCP' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Net/SCP.php',
'phpseclib\\Net\\SFTP' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Net/SFTP.php',
'phpseclib\\Net\\SFTP\\Stream' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Net/SFTP/Stream.php',
'phpseclib\\Net\\SSH1' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Net/SSH1.php',
'phpseclib\\Net\\SSH2' => $vendorDir . '/phpseclib/phpseclib/phpseclib/Net/SSH2.php',
'phpseclib\\System\\SSH\\Agent' => $vendorDir . '/phpseclib/phpseclib/phpseclib/System/SSH/Agent.php',
'phpseclib\\System\\SSH\\Agent\\Identity' => $vendorDir . '/phpseclib/phpseclib/phpseclib/System/SSH/Agent/Identity.php',
);


@ -2,7 +2,7 @@
// autoload_real.php @generated by Composer
class ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5
class ComposerAutoloaderInite1af6c9ee1d0c9dfa4a8dcea26b35570
{
private static $loader;
@ -19,15 +19,15 @@ class ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5
return self::$loader;
}
spl_autoload_register(array('ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5', 'loadClassLoader'), true, true);
spl_autoload_register(array('ComposerAutoloaderInite1af6c9ee1d0c9dfa4a8dcea26b35570', 'loadClassLoader'), true, true);
self::$loader = $loader = new \Composer\Autoload\ClassLoader();
spl_autoload_unregister(array('ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5', 'loadClassLoader'));
spl_autoload_unregister(array('ComposerAutoloaderInite1af6c9ee1d0c9dfa4a8dcea26b35570', 'loadClassLoader'));
$useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
if ($useStaticLoader) {
require_once __DIR__ . '/autoload_static.php';
call_user_func(\Composer\Autoload\ComposerStaticInitd317c2705193f17bc1491bacb879ddc5::getInitializer($loader));
call_user_func(\Composer\Autoload\ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570::getInitializer($loader));
} else {
$map = require __DIR__ . '/autoload_namespaces.php';
foreach ($map as $namespace => $path) {
@ -48,19 +48,19 @@ class ComposerAutoloaderInitd317c2705193f17bc1491bacb879ddc5
$loader->register(true);
if ($useStaticLoader) {
$includeFiles = Composer\Autoload\ComposerStaticInitd317c2705193f17bc1491bacb879ddc5::$files;
$includeFiles = Composer\Autoload\ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570::$files;
} else {
$includeFiles = require __DIR__ . '/autoload_files.php';
}
foreach ($includeFiles as $fileIdentifier => $file) {
composerRequired317c2705193f17bc1491bacb879ddc5($fileIdentifier, $file);
composerRequiree1af6c9ee1d0c9dfa4a8dcea26b35570($fileIdentifier, $file);
}
return $loader;
}
}
function composerRequired317c2705193f17bc1491bacb879ddc5($fileIdentifier, $file)
function composerRequiree1af6c9ee1d0c9dfa4a8dcea26b35570($fileIdentifier, $file)
{
if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
require $file;


@ -4,7 +4,7 @@
namespace Composer\Autoload;
class ComposerStaticInitd317c2705193f17bc1491bacb879ddc5
class ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570
{
public static $files = array (
'decc78cc4436b1292c6c0d151b19445c' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/bootstrap.php',
@ -24,11 +24,39 @@ class ComposerStaticInitd317c2705193f17bc1491bacb879ddc5
),
);
public static $classMap = array (
'phpseclib\\Crypt\\AES' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/AES.php',
'phpseclib\\Crypt\\Base' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Base.php',
'phpseclib\\Crypt\\Blowfish' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Blowfish.php',
'phpseclib\\Crypt\\DES' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/DES.php',
'phpseclib\\Crypt\\Hash' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Hash.php',
'phpseclib\\Crypt\\RC2' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/RC2.php',
'phpseclib\\Crypt\\RC4' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/RC4.php',
'phpseclib\\Crypt\\RSA' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/RSA.php',
'phpseclib\\Crypt\\Random' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Random.php',
'phpseclib\\Crypt\\Rijndael' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Rijndael.php',
'phpseclib\\Crypt\\TripleDES' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/TripleDES.php',
'phpseclib\\Crypt\\Twofish' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Crypt/Twofish.php',
'phpseclib\\File\\ANSI' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/File/ANSI.php',
'phpseclib\\File\\ASN1' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/File/ASN1.php',
'phpseclib\\File\\ASN1\\Element' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/File/ASN1/Element.php',
'phpseclib\\File\\X509' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/File/X509.php',
'phpseclib\\Math\\BigInteger' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Math/BigInteger.php',
'phpseclib\\Net\\SCP' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Net/SCP.php',
'phpseclib\\Net\\SFTP' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Net/SFTP.php',
'phpseclib\\Net\\SFTP\\Stream' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Net/SFTP/Stream.php',
'phpseclib\\Net\\SSH1' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Net/SSH1.php',
'phpseclib\\Net\\SSH2' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/Net/SSH2.php',
'phpseclib\\System\\SSH\\Agent' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/System/SSH/Agent.php',
'phpseclib\\System\\SSH\\Agent\\Identity' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/System/SSH/Agent/Identity.php',
);
public static function getInitializer(ClassLoader $loader)
{
return \Closure::bind(function () use ($loader) {
$loader->prefixLengthsPsr4 = ComposerStaticInitd317c2705193f17bc1491bacb879ddc5::$prefixLengthsPsr4;
$loader->prefixDirsPsr4 = ComposerStaticInitd317c2705193f17bc1491bacb879ddc5::$prefixDirsPsr4;
$loader->prefixLengthsPsr4 = ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570::$prefixLengthsPsr4;
$loader->prefixDirsPsr4 = ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570::$prefixDirsPsr4;
$loader->classMap = ComposerStaticInite1af6c9ee1d0c9dfa4a8dcea26b35570::$classMap;
}, null, ClassLoader::class);
}

8
admin/helpers/vendor/web.config vendored Normal file

@ -0,0 +1,8 @@
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
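Review bot: `<system.web><authorization>` is evaluated by the ASP.NET URL-authorization module, which on IIS typically applies only to requests routed through managed handlers, so PHP files served through FastCGI may not be covered by this deny rule — verify on an IIS test host before relying on it. The IIS-native form lives under `<system.webServer><security><authorization>` with `<add accessType="Deny" users="*" />` (it needs the URL Authorization feature installed), or a `<requestFiltering><hiddenSegments>` entry for the vendor path. As with the .htaccess twin, a short XML comment noting that this is defence in depth would help administrators who run other servers.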