phorge-phorge/src/infrastructure/env/PhabricatorEnv.php

<?php

/*
 * Copyright 2012 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * @task uri URI Validation
 */
final class PhabricatorEnv {
  private static $env;

  private static $requiredClasses = array(
    'metamta.differential.reply-handler' => 'PhabricatorMailReplyHandler',
  );

  public static function setEnvConfig(array $config) {
    self::$env = $config;
  }

  public static function getEnvConfig($key, $default = null) {
    return idx(self::$env, $key, $default);
  }

  public static function newObjectFromConfig($key, $args = array()) {
    $class = self::getEnvConfig($key);
    $object = newv($class, $args);
    $instanceof = idx(self::$requiredClasses, $key);
    if (!($object instanceof $instanceof)) {
      throw new Exception("Config setting '$key' must be an instance of ".
        "'$instanceof', is '".get_class($object)."'.");
    }
    return $object;
  }

  public static function envConfigExists($key) {
    return array_key_exists($key, self::$env);
  }

  public static function getURI($path) {
    return rtrim(self::getEnvConfig('phabricator.base-uri'), '/').$path;
  }

  public static function getProductionURI($path) {
    // If we're passed a URI which already has a domain, simply return it
    // unmodified. In particular, files may have URIs which point to a CDN
    // domain.
    $uri = new PhutilURI($path);
    if ($uri->getDomain()) {
      return $path;
    }

    $production_domain = self::getEnvConfig('phabricator.production-uri');
    if (!$production_domain) {
      $production_domain = self::getEnvConfig('phabricator.base-uri');
    }
    return rtrim($production_domain, '/').$path;
  }

  public static function getCDNURI($path) {
    $alt = self::getEnvConfig('security.alternate-file-domain');
    if (!$alt) {
      $alt = self::getEnvConfig('phabricator.base-uri');
    }
    $uri = new PhutilURI($alt);
    $uri->setPath($path);
    return (string)$uri;
  }

  public static function getAllConfigKeys() {
    return self::$env;
  }

  public static function getDoclink($resource) {
    return 'http://phabricator.com/docs/phabricator/'.$resource;
  }


/* -(  URI Validation  )----------------------------------------------------- */


  /**
   * Detect if a URI satisfies either @{method:isValidLocalWebResource} or
   * @{method:isValidRemoteWebResource}, i.e. is a page on this server or the
   * URI of some other resource which has a valid protocol. This rejects
   * garbage URIs and URIs with protocols which do not appear in the
   * ##uri.allowed-protocols## configuration, notably 'javascript:' URIs.
   *
   * NOTE: This method is generally intended to reject URIs which it may be
   * unsafe to put in an "href" link attribute.
   *
   * @param string URI to test.
   * @return bool True if the URI identifies a web resource.
   * @task uri
   */
  public static function isValidWebResource($uri) {
    return self::isValidLocalWebResource($uri) ||
           self::isValidRemoteWebResource($uri);
  }


  /**
   * Detect if a URI identifies some page on this server.
   *
   * NOTE: This method is generally intended to reject URIs which it may be
   * unsafe to issue a "Location:" redirect to.
   *
   * @param string URI to test.
   * @return bool True if the URI identifies a local page.
   * @task uri
   */
  public static function isValidLocalWebResource($uri) {
    $uri = (string)$uri;

    if (!strlen($uri)) {
      return false;
    }

    if (preg_match('/\s/', $uri)) {
      // PHP hasn't been vulnerable to header injection attacks for a bunch of
      // years, but we can safely reject these anyway since they're never valid.
      return false;
    }

    // Valid URIs must begin with '/', followed by the end of the string or some
    // other non-'/' character. This rejects protocol-relative URIs like
    // "//evil.com/evil_stuff/".
    return (bool)preg_match('@^/([^/]|$)@', $uri);
  }


  /**
   * Detect if a URI identifies some valid remote resource.
   *
   * @param string URI to test.
   * @return bool True if a URI idenfies a remote resource with an allowed
   *              protocol.
   * @task uri
   */
  public static function isValidRemoteWebResource($uri) {
    $uri = (string)$uri;

    $proto = id(new PhutilURI($uri))->getProtocol();
    if (!$proto) {
      return false;
    }

    $allowed = self::getEnvConfig('uri.allowed-protocols');
    if (empty($allowed[$proto])) {
      return false;
    }

    return true;
  }

}
Javelin integration. 2011-01-25 20:57:47 +01:00			`<?php`

			`/*`
Lock down accepted next URI values for redirect after login Summary: I locked this down a little bit recently, but make double-extra-super-sure that we aren't sending the user anywhere suspicious or open-redirecty. This also locks down protocol-relative URIs (//evil.com/path) although I don't think any browsers do bad stuff with them in this context, and header injection URIs (although I don't think any of the modern PHP runtimes are vulnerable). Test Plan: - Ran tests. - Hit redirect page with valid and invalid next URIs; was punted to / for invalid ones and to the right place for valid ones. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: arice, aran, epriestley, btrahan Differential Revision: https://secure.phabricator.com/D1369 2012-01-12 01:07:36 +01:00			`* Copyright 2012 Facebook, Inc.`
Javelin integration. 2011-01-25 20:57:47 +01:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

Lock down accepted next URI values for redirect after login Summary: I locked this down a little bit recently, but make double-extra-super-sure that we aren't sending the user anywhere suspicious or open-redirecty. This also locks down protocol-relative URIs (//evil.com/path) although I don't think any browsers do bad stuff with them in this context, and header injection URIs (although I don't think any of the modern PHP runtimes are vulnerable). Test Plan: - Ran tests. - Hit redirect page with valid and invalid next URIs; was punted to / for invalid ones and to the right place for valid ones. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: arice, aran, epriestley, btrahan Differential Revision: https://secure.phabricator.com/D1369 2012-01-12 01:07:36 +01:00			`/**`
			`* @task uri URI Validation`
			`*/`
PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset 2011-01-31 20:55:26 +01:00			`final class PhabricatorEnv {`
			`private static $env;`

Require valid class for certain config settings Summary: It is now possible to set config setting requiring class of certain implementation to something completely else. The consequence is that your Phabricator may stop working after update because you didn't implement some new method. This diff validates the class upon usage. It throws exception which is better than fatal thrown currently after calling undefined method. Better solution would be to validate classes when setting the config but it would be too expensive - respective class definitions would have to be loaded and checked by reflection. I was also thinking about some check script but nobody would run it after changing config. The same behavior should be implemented for these settings: - metamta.mail-adapter - metamta.maniphest.reply-handler - metamta.differential.reply-handler - metamta.diffusion.reply-handler - storage.engine-selector - search.engine-selector - differential.field-selector - maniphest.custom-task-extensions-class - aphront.default-application-configuration-class - controller.oauth-registration Test Plan: Send comment, verify that it pass. Change `metamta.differential.reply-handler` to incompatible class, verify that sending comment shows nice red exception. Set `metamta.differential.reply-handler` to empty string, verify that it throws. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1919 2012-03-15 20:15:23 +01:00			`private static $requiredClasses = array(`
			`'metamta.differential.reply-handler' => 'PhabricatorMailReplyHandler',`
			`);`

PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset 2011-01-31 20:55:26 +01:00			`public static function setEnvConfig(array $config) {`
			`self::$env = $config;`
			`}`

			`public static function getEnvConfig($key, $default = null) {`
			`return idx(self::$env, $key, $default);`
Javelin integration. 2011-01-25 20:57:47 +01:00			`}`
PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset 2011-01-31 20:55:26 +01:00
Require valid class for certain config settings Summary: It is now possible to set config setting requiring class of certain implementation to something completely else. The consequence is that your Phabricator may stop working after update because you didn't implement some new method. This diff validates the class upon usage. It throws exception which is better than fatal thrown currently after calling undefined method. Better solution would be to validate classes when setting the config but it would be too expensive - respective class definitions would have to be loaded and checked by reflection. I was also thinking about some check script but nobody would run it after changing config. The same behavior should be implemented for these settings: - metamta.mail-adapter - metamta.maniphest.reply-handler - metamta.differential.reply-handler - metamta.diffusion.reply-handler - storage.engine-selector - search.engine-selector - differential.field-selector - maniphest.custom-task-extensions-class - aphront.default-application-configuration-class - controller.oauth-registration Test Plan: Send comment, verify that it pass. Change `metamta.differential.reply-handler` to incompatible class, verify that sending comment shows nice red exception. Set `metamta.differential.reply-handler` to empty string, verify that it throws. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1919 2012-03-15 20:15:23 +01:00			`public static function newObjectFromConfig($key, $args = array()) {`
			`$class = self::getEnvConfig($key);`
			`$object = newv($class, $args);`
			`$instanceof = idx(self::$requiredClasses, $key);`
			`if (!($object instanceof $instanceof)) {`
			`throw new Exception("Config setting '$key' must be an instance of ".`
			`"'$instanceof', is '".get_class($object)."'.");`
			`}`
			`return $object;`
			`}`

Correct a mask config value Summary: The correct name of this key is 'github.application-secret', not 'github.secret'. Make DarkConsole check that all the masked keys exist to prevent this from happening again. This isn't super important since this is just intended to protected against casual security lapses (taking a screenshot with DarkCnosole's "Config" tab open, for instance) but it's easy to check for so it seems worthwhile to get right. Test Plan: Loaded page without the actual config file change, got an exception. Fixed the config, reloaded the page, good news goats (really trying to get this to catch on since goats are adorable). Reviewed By: aran Reviewers: tuomaspelkonen, jungejason, aran CC: aran Differential Revision: 189 2011-04-30 07:20:52 +02:00			`public static function envConfigExists($key) {`
			`return array_key_exists($key, self::$env);`
			`}`

PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset 2011-01-31 20:55:26 +01:00			`public static function getURI($path) {`
			`return rtrim(self::getEnvConfig('phabricator.base-uri'), '/').$path;`
			`}`
Fix some issues caught by HipHop, and work around some issues caused by HipHop. 2011-02-27 05:57:21 +01:00
Don't send sandbox URIs in Herald messages. 2011-04-04 23:22:16 +02:00			`public static function getProductionURI($path) {`
Fix production file links for some alt-domain configurations Summary: We sometimes call PhabricatorEnv::getProductionURI($file->getBestURI()) or similar, but this may currently cause us to construct a URI like this: http://domain.com/http://cdn-domain.com/file/data/xxx/yyy/name.jpg Instead, if the provided URI has a domain already, leave it unmodified. Test Plan: Attached a file to a task; got an email with a valid URI instead of an invalid URI. Reviewers: btrahan Reviewed By: btrahan CC: Makinde, aran, epriestley Differential Revision: https://secure.phabricator.com/D1622 2012-02-16 02:06:36 +01:00			`// If we're passed a URI which already has a domain, simply return it`
			`// unmodified. In particular, files may have URIs which point to a CDN`
			`// domain.`
			`$uri = new PhutilURI($path);`
			`if ($uri->getDomain()) {`
			`return $path;`
Don't send sandbox URIs in Herald messages. 2011-04-04 23:22:16 +02:00			`}`
Fix production file links for some alt-domain configurations Summary: We sometimes call PhabricatorEnv::getProductionURI($file->getBestURI()) or similar, but this may currently cause us to construct a URI like this: http://domain.com/http://cdn-domain.com/file/data/xxx/yyy/name.jpg Instead, if the provided URI has a domain already, leave it unmodified. Test Plan: Attached a file to a task; got an email with a valid URI instead of an invalid URI. Reviewers: btrahan Reviewed By: btrahan CC: Makinde, aran, epriestley Differential Revision: https://secure.phabricator.com/D1622 2012-02-16 02:06:36 +01:00
			`$production_domain = self::getEnvConfig('phabricator.production-uri');`
			`if (!$production_domain) {`
			`$production_domain = self::getEnvConfig('phabricator.base-uri');`
			`}`
			`return rtrim($production_domain, '/').$path;`
Don't send sandbox URIs in Herald messages. 2011-04-04 23:22:16 +02:00			`}`

Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608 2012-02-14 23:52:27 +01:00			`public static function getCDNURI($path) {`
			`$alt = self::getEnvConfig('security.alternate-file-domain');`
			`if (!$alt) {`
			`$alt = self::getEnvConfig('phabricator.base-uri');`
			`}`
			`$uri = new PhutilURI($alt);`
			`$uri->setPath($path);`
			`return (string)$uri;`
			`}`

Add a "Config" plugin to DarkConsole. Summary: This plugin lets you see how the host is configured at runtime. Test Plan: Reviewers: CC: 2011-02-12 01:48:43 +01:00			`public static function getAllConfigKeys() {`
			`return self::$env;`
			`}`
PhabricatorEnv 'infratructure' -> 'infrastructure' (rofl) Recaptcha Email Login / Forgot Password Password Reset 2011-01-31 20:55:26 +01:00
Documentation: improve Diffusion documentation 2011-05-19 22:40:12 +02:00			`public static function getDoclink($resource) {`
			`return 'http://phabricator.com/docs/phabricator/'.$resource;`
			`}`

Lock down accepted next URI values for redirect after login Summary: I locked this down a little bit recently, but make double-extra-super-sure that we aren't sending the user anywhere suspicious or open-redirecty. This also locks down protocol-relative URIs (//evil.com/path) although I don't think any browsers do bad stuff with them in this context, and header injection URIs (although I don't think any of the modern PHP runtimes are vulnerable). Test Plan: - Ran tests. - Hit redirect page with valid and invalid next URIs; was punted to / for invalid ones and to the right place for valid ones. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: arice, aran, epriestley, btrahan Differential Revision: https://secure.phabricator.com/D1369 2012-01-12 01:07:36 +01:00
			`/* -( URI Validation )----------------------------------------------------- */`


			`/**`
			`* Detect if a URI satisfies either @{method:isValidLocalWebResource} or`
			`* @{method:isValidRemoteWebResource}, i.e. is a page on this server or the`
			`* URI of some other resource which has a valid protocol. This rejects`
			`* garbage URIs and URIs with protocols which do not appear in the`
			`* ##uri.allowed-protocols## configuration, notably 'javascript:' URIs.`
			`*`
			`* NOTE: This method is generally intended to reject URIs which it may be`
			`* unsafe to put in an "href" link attribute.`
			`*`
			`* @param string URI to test.`
			`* @return bool True if the URI identifies a web resource.`
			`* @task uri`
			`*/`
			`public static function isValidWebResource($uri) {`
			`return self::isValidLocalWebResource($uri) \|\|`
			`self::isValidRemoteWebResource($uri);`
			`}`


			`/**`
			`* Detect if a URI identifies some page on this server.`
			`*`
			`* NOTE: This method is generally intended to reject URIs which it may be`
			`* unsafe to issue a "Location:" redirect to.`
			`*`
			`* @param string URI to test.`
			`* @return bool True if the URI identifies a local page.`
			`* @task uri`
			`*/`
			`public static function isValidLocalWebResource($uri) {`
			`$uri = (string)$uri;`

			`if (!strlen($uri)) {`
			`return false;`
			`}`

			`if (preg_match('/\s/', $uri)) {`
			`// PHP hasn't been vulnerable to header injection attacks for a bunch of`
			`// years, but we can safely reject these anyway since they're never valid.`
			`return false;`
			`}`

			`// Valid URIs must begin with '/', followed by the end of the string or some`
			`// other non-'/' character. This rejects protocol-relative URIs like`
			`// "//evil.com/evil_stuff/".`
			`return (bool)preg_match('@^/([^/]\|$)@', $uri);`
			`}`


			`/**`
			`* Detect if a URI identifies some valid remote resource.`
			`*`
			`* @param string URI to test.`
			`* @return bool True if a URI idenfies a remote resource with an allowed`
			`* protocol.`
			`* @task uri`
			`*/`
			`public static function isValidRemoteWebResource($uri) {`
			`$uri = (string)$uri;`

			`$proto = id(new PhutilURI($uri))->getProtocol();`
			`if (!$proto) {`
			`return false;`
			`}`

			`$allowed = self::getEnvConfig('uri.allowed-protocols');`
			`if (empty($allowed[$proto])) {`
			`return false;`
			`}`

			`return true;`
			`}`

Javelin integration. 2011-01-25 20:57:47 +01:00			`}`