33
2
mirror of https://github.com/joomla-extensions/jedchecker.git synced 2024-11-16 01:57:14 +00:00
jedchecker/administrator/components/com_jedchecker/libraries/rules/jexec.php

232 lines
5.3 KiB
PHP
Raw Normal View History

<?php
/**
2019-03-09 19:44:14 +00:00
* @package Joomla.JEDChecker
*
2019-03-10 16:09:42 +00:00
* @copyright Copyright (C) 2017 - 2019 Open Source Matters, Inc. All rights reserved.
* Copyright (C) 2008 - 2016 compojoom.com . All rights reserved.
2019-03-10 08:49:52 +00:00
* @author Daniel Dimitrov <daniel@compojoom.com>
* eaxs <support@projectfork.net>
*
2019-03-09 19:44:14 +00:00
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
defined('_JEXEC') or die('Restricted access');
use Joomla\CMS\Language\Text;
// Include the rule base class
2013-11-05 20:17:39 +00:00
require_once JPATH_COMPONENT_ADMINISTRATOR . '/models/rule.php';
/**
2013-11-05 20:17:39 +00:00
* class JedcheckerRulesJexec
*
* This class searches all files for the _JEXEC check
* which prevents direct file access.
*
2013-11-05 20:17:39 +00:00
* @since 1.0
*/
2013-11-05 20:17:39 +00:00
class JedcheckerRulesJexec extends JEDcheckerRule
{
2013-11-05 20:17:39 +00:00
/**
* The formal ID of this rule. For example: SE1.
*
* @var string
*/
protected $id = 'PH2';
/**
* The title or caption of this rule.
*
* @var string
*/
protected $title = 'COM_JEDCHECKER_RULE_PH2';
/**
* The description of this rule.
*
* @var string
*/
protected $description = 'COM_JEDCHECKER_RULE_PH2_DESC';
/**
* The ordering value to sort rules in the menu.
*
* @var integer
*/
public static $ordering = 600;
/**
* Regexp to match _JEXEC-like guard
*
* @var string
*/
protected $regex;
/**
* Regexp to match directories to skip
*
* @var string
*/
protected $regexExcludeFolders;
/**
* List of files related to libraries
*
* @var array
*/
protected $libFiles;
2013-11-05 20:17:39 +00:00
/**
* Initiates the file search and check
*
* @return void
*/
public function check()
{
2021-09-09 07:32:52 +00:00
$this->report->setDefaultSubtype($this->id);
2021-04-04 12:06:48 +00:00
$this->initJexec();
2013-11-05 20:17:39 +00:00
// Find all php files of the extension
$files = $this->files($this->basedir);
2013-11-05 20:17:39 +00:00
// Iterate through all files
foreach ($files as $file)
{
// Try to find the _JEXEC check in the file
if (!$this->find($file))
{
// Add as error to the report if it was not found
$this->report->addError($file, Text::_('COM_JEDCHECKER_ERROR_JEXEC_NOT_FOUND'));
2013-11-05 20:17:39 +00:00
}
}
}
/**
* Reads a file and searches for the _JEXEC statement
*
* @param string $file - The path to the file
*
* @return boolean True if the statement was found, otherwise False.
*/
protected function find($file)
{
2021-04-04 12:06:48 +00:00
// Load file and strip comments
$content = php_strip_whitespace($file);
2021-05-17 17:04:37 +00:00
// Strip BOM (it is checked separately)
$content = preg_replace('/^\xEF\xBB\xBF/', '', $content);
2021-04-04 12:06:48 +00:00
// Skip empty files
2021-11-16 17:00:36 +00:00
if ($content === '' || preg_match('#^\s*<\?php\s+$#', $content))
{
return true;
}
2021-04-04 12:06:48 +00:00
// Check guards
if (preg_match($this->regex, $content))
{
return true;
}
return false;
}
2013-11-05 20:17:39 +00:00
/**
2021-04-04 12:06:48 +00:00
* Prepare regexps aforehand
*
* @return void
*/
2021-04-04 12:06:48 +00:00
protected function initJexec()
{
2021-04-04 12:00:40 +00:00
// Generate regular expression to match JEXEC quard
2013-11-05 20:17:39 +00:00
$defines = $this->params->get('constants');
$defines = explode(',', $defines);
foreach ($defines as $i => $define)
2013-11-05 20:17:39 +00:00
{
$defines[$i] = preg_quote(trim($define), '#');
2013-11-05 20:17:39 +00:00
}
$this->regex
2021-11-16 17:00:36 +00:00
= '#^\s*' // at the beginning of the file
. '<\?php\s+' // there is an opening php tag
. '(?:declare ?\(strict_types ?= ?1 ?\) ?; ?)?' // optionally followed by declare(strict_types=1) directive
. '(?:namespace [0-9A-Za-z_\\\\]+ ?; ?)?' // optionally followed by namespace directive
. '(?:use [0-9A-Za-z_\\\\]+ ?(?:as [0-9A-Za-z_]+ ?)?; ?)*' // optionally followed by use directives
2021-10-26 12:12:02 +00:00
. '\\\\?defined ?\( ?' // followed by defined test
. '([\'"])(?:' . implode('|', $defines) . ')\1' // of any of given constant
. ' ?\) ?(?:or |\|\| ?)(?:die|exit)\b' // or exit
. '#i'; // (case insensitive)
// Generate regular expression to match excluded directories
$libfolders = $this->params->get('libfolders');
$libfolders = explode(',', $libfolders);
foreach ($libfolders as &$libfolder)
{
$libfolder = preg_quote(trim($libfolder), '#');
}
// Prepend libFolders with default Joomla's exclude list
$this->regexExcludeFolders = '#^(?:\.svn|CVS|\.DS_Store|__MACOSX|' . implode('|', $libfolders) . ')$#';
// Generate list of libraries fingerprint files
$libFiles = $this->params->get('libfiles');
$this->libFiles = array_map('trim', explode(',', $libFiles));
}
/**
* Collect php files to check (excluding external library directories)
*
* @param string $path The path of the folder to read.
* @param int $level The current hierarchy level.
*
* @return array
* @since 3.0
*/
protected function files($path, $level = 0)
{
$arr = array();
// Read the source directory
if ($handle = @opendir($path))
{
while (($file = readdir($handle)) !== false)
{
// Skip excluded directories
if ($file !== '.' && $file !== '..' && !preg_match($this->regexExcludeFolders, $file))
{
$fullpath = $path . '/' . $file;
if (is_dir($fullpath))
{
if ($level > 0)
{
// Detect and skip external library directories
foreach ($this->libFiles as $libFile)
{
if (is_file($fullpath . '/' . $libFile))
{
// Skip processing of this directory
continue 2;
}
}
}
$arr = array_merge($arr, $this->files($fullpath, $level + 1));
}
elseif (preg_match('/\.php$/', $file))
{
$arr[] = $fullpath;
}
}
}
closedir($handle);
}
return $arr;
2013-11-05 20:17:39 +00:00
}
}