search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
weekly back-to-dev release 5.0dev
[moodle.git] / lib / classes / files / curl_security_helper.php
blob26e07bab6ae3e5a5e6f781580d00ba061d50c955
1 <?php
2 // This file is part of Moodle - http://moodle.org/
3 //
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17 /**
18 * Contains a class providing functions used to check the allowed/blocked host/ports for curl.
19 *
20 * @package core
21 * @copyright 2016 Jake Dallimore
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 * @author Jake Dallimore <jrhdallimore@gmail.com>
24 */
25
26 namespace core\files;
27 use core\ip_utils;
28
29 defined('MOODLE_INTERNAL') || exit();
30
31 /**
32 * Host and port checking for curl.
33 *
34 * This class provides a means to check URL/host/port against the system-level cURL security entries.
35 * It does not provide a means to add URLs, hosts or ports to the allowed/blocked lists; this is configured manually
36 * via the site admin section of Moodle (See: 'Site admin' > 'Security' > 'HTTP Security').
37 *
38 * This class is currently used by the 'curl' wrapper class in lib/filelib.php.
39 * Depends on:
40 * core\ip_utils (several functions)
41 * moodlelib (clean_param)
42 *
43 * @package core
44 * @copyright 2016 Jake Dallimore
45 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
46 * @author Jake Dallimore <jrhdallimore@gmail.com>
47 */
48 class curl_security_helper extends curl_security_helper_base {
49 /**
50 * @var array of supported transport schemes and their respective default ports.
51 */
52 protected $transportschemes = [
53 'http' => 80,
54 'https' => 443
55 ];
56
57 /**
58 * Checks whether the given URL is blocked by checking its address and port number against the allow/block lists.
59 * The behaviour of this function can be classified as strict, as it returns true for URLs which are invalid or
60 * could not be parsed, as well as those valid URLs which were found in the blocklist.
61 *
62 * @param string $urlstring the URL to check.
63 * @param int $notused There used to be an optional parameter $maxredirects for a short while here, not used any more.
64 * @return bool true if the URL is blocked or invalid and false if the URL is not blocked.
65 */
66 public function url_is_blocked($urlstring, $notused = null) {
67
68 if ($notused !== null) {
69 debugging('The $maxredirects parameter of curl_security_helper::url_is_blocked() has been dropped!', DEBUG_DEVELOPER);
70 }
71
72 // If no config data is present, then all hosts/ports are allowed.
73 if (!$this->is_enabled()) {
74 return false;
75 }
76
77 // Try to parse the URL to get the 'host' and 'port' components.
78 try {
79 $url = new \moodle_url($urlstring);
80 $parsed['scheme'] = $url->get_scheme();
81 $parsed['host'] = $url->get_host();
82 $parsed['port'] = $url->get_port();
83 } catch (\moodle_exception $e) {
84 // Moodle exception is thrown if the $urlstring is invalid. Treat as blocked.
85 return true;
86 }
87
88 // The port will be empty unless explicitly set in the $url (uncommon), so try to infer it from the supported schemes.
89 if (!$parsed['port'] && $parsed['scheme'] && isset($this->transportschemes[$parsed['scheme']])) {
90 $parsed['port'] = $this->transportschemes[$parsed['scheme']];
91 }
92
93 if ($parsed['port'] && $parsed['host']) {
94 // Check the host and port against the allow/block entries.
95 return $this->host_is_blocked($parsed['host']) || $this->port_is_blocked($parsed['port']);
96 }
97 return true;
98 }
99
100 /**
101 * Returns a string message describing a blocked URL. E.g. 'This URL is blocked'.
102 *
103 * @return string the string error.
104 */
105 public function get_blocked_url_string() {
106 return get_string('curlsecurityurlblocked', 'admin');
107 }
108
109 /**
110 * Checks whether the host portion of a url is blocked.
111 * The host portion may be a FQDN, IPv4 address or a IPv6 address wrapped in square brackets, as per standard URL notation.
112 * E.g.
113 * images.example.com
114 * 127.0.0.1
115 * [0.0.0.0.0.0.0.1]
116 * The method logic is as follows:
117 * 1. Check the host component against the list of IPv4/IPv6 addresses and ranges.
118 * - This will perform a DNS forward lookup if required.
119 * 2. Check the host component against the list of domain names and wildcard domain names.
120 * - This will perform a DNS reverse lookup if required.
121 *
122 * The behaviour of this function can be classified as strict, as it returns true for hosts which are invalid or
123 * could not be parsed, as well as those valid URLs which were found in the blocklist.
124 *
125 * @param string $host the host component of the URL to check against the blocklist.
126 * @return bool true if the host is both valid and blocked, false otherwise.
127 */
128 protected function host_is_blocked($host) {
129 if (!$this->is_enabled() || empty($host) || !is_string($host)) {
130 return false;
131 }
132
133 // Fix for square brackets in the 'host' portion of the URL (only occurs if an IPv6 address is specified).
134 $host = str_replace(array('[', ']'), '', $host); // RFC3986, section 3.2.2.
135 $blockedhosts = $this->get_blocked_hosts_by_category();
136
137 if (ip_utils::is_ip_address($host)) {
138 if ($this->address_explicitly_blocked($host)) {
139 return true;
140 }
141
142 // Only perform a reverse lookup if there is a point to it (i.e. we have rules to check against).
143 if ($blockedhosts['domain'] || $blockedhosts['domainwildcard']) {
144 // DNS reverse lookup - supports both IPv4 and IPv6 address formats.
145 $hostname = gethostbyaddr($host);
146 if ($hostname !== $host && $this->host_explicitly_blocked($hostname)) {
147 return true;
148 }
149 }
150 } else if (ip_utils::is_domain_name($host)) {
151 if ($this->host_explicitly_blocked($host)) {
152 return true;
153 }
154
155 // Only perform a forward lookup if there are IP rules to check against.
156 if ($blockedhosts['ipv4'] || $blockedhosts['ipv6']) {
157 // DNS forward lookup - returns a list of only IPv4 addresses!
158 $hostips = $this->get_host_list_by_name($host);
159
160 // If we don't get a valid record, bail (so cURL is never called).
161 if (!$hostips) {
162 return true;
163 }
164
165 // If any of the returned IPs are in the blocklist, block the request.
166 foreach ($hostips as $hostip) {
167 if ($this->address_explicitly_blocked($hostip)) {
168 return true;
169 }
170 }
171 }
172 } else {
173 // Was not something we consider to be a valid IP or domain name, block it.
174 return true;
175 }
176
177 return false;
178 }
179
180 /**
181 * Retrieve all hosts for a domain name.
182 *
183 * @param string $param
184 * @return array An array of IPs associated with the host name.
185 */
186 protected function get_host_list_by_name($host) {
187 return ($hostips = gethostbynamel($host)) ? $hostips : [];
188 }
189
190 /**
191 * Checks whether the given port is blocked, as determined by its absence on the ports allowlist.
192 * Ports are assumed to be blocked unless found in the allowlist.
193 *
194 * @param integer|string $port the port to check against the ports allowlist.
195 * @return bool true if the port is blocked, false otherwise.
196 */
197 protected function port_is_blocked($port) {
198 $portnum = intval($port);
199 // Intentionally block port 0 and below and check the int cast was valid.
200 if (empty($port) || (string)$portnum !== (string)$port || $port < 0) {
201 return true;
202 }
203 $allowedports = $this->get_allowed_ports();
204 return !empty($allowedports) && !in_array($portnum, $allowedports);
205 }
206
207 /**
208 * Convenience method to check whether we have any entries in the host blocklist or ports allowlist admin settings.
209 * If no entries are found at all, the assumption is that the blocklist is disabled entirely.
210 *
211 * @return bool true if one or more entries exist, false otherwise.
212 */
213 public function is_enabled() {
214 return (!empty($this->get_allowed_ports()) || !empty($this->get_blocked_hosts()));
215 }
216
217 /**
218 * Checks whether the input address is blocked by at any of the IPv4 or IPv6 address rules.
219 *
220 * @param string $addr the ip address to check.
221 * @return bool true if the address is covered by an entry in the blocklist, false otherwise.
222 */
223 protected function address_explicitly_blocked($addr) {
224 $blockedhosts = $this->get_blocked_hosts_by_category();
225 $iphostsblocked = array_merge($blockedhosts['ipv4'], $blockedhosts['ipv6']);
226 return address_in_subnet($addr, implode(',', $iphostsblocked), true);
227 }
228
229 /**
230 * Checks whether the input hostname is blocked by any of the domain/wildcard rules.
231 *
232 * @param string $host the hostname to check
233 * @return bool true if the host is covered by an entry in the blocklist, false otherwise.
234 */
235 protected function host_explicitly_blocked($host) {
236 $blockedhosts = $this->get_blocked_hosts_by_category();
237 $domainhostsblocked = array_merge($blockedhosts['domain'], $blockedhosts['domainwildcard']);
238 return ip_utils::is_domain_in_allowed_list($host, $domainhostsblocked);
239 }
240
241 /**
242 * Helper to get all entries from the admin setting, as an array, sorted by classification.
243 * Classifications include 'ipv4', 'ipv6', 'domain', 'domainwildcard'.
244 *
245 * @return array of host/domain/ip entries from the 'curlsecurityblockedhosts' config.
246 */
247 protected function get_blocked_hosts_by_category() {
248 // For each of the admin setting entries, check and place in the correct section of the config array.
249 $config = ['ipv6' => [], 'ipv4' => [], 'domain' => [], 'domainwildcard' => []];
250 $entries = $this->get_blocked_hosts();
251 foreach ($entries as $entry) {
252 if (ip_utils::is_ipv6_address($entry) || ip_utils::is_ipv6_range($entry)) {
253 $config['ipv6'][] = $entry;
254 } else if (ip_utils::is_ipv4_address($entry) || ip_utils::is_ipv4_range($entry)) {
255 $config['ipv4'][] = $entry;
256 } else if (ip_utils::is_domain_name($entry)) {
257 $config['domain'][] = $entry;
258 } else if (ip_utils::is_domain_matching_pattern($entry)) {
259 $config['domainwildcard'][] = $entry;
260 }
261 }
262 return $config;
263 }
264
265 /**
266 * Helper that returns the allowed ports, as defined in the 'curlsecurityallowedport' setting.
267 *
268 * @return array the array of allowed ports.
269 */
270 protected function get_allowed_ports() {
271 global $CFG;
272 if (!isset($CFG->curlsecurityallowedport)) {
273 return [];
274 }
275 return array_filter(array_map('trim', explode("\n", $CFG->curlsecurityallowedport)), function($entry) {
276 return !empty($entry);
277 });
278 }
279
280 /**
281 * Helper that returns the blocked hosts, as defined in the 'curlsecurityblockedhosts' setting.
282 *
283 * @return array the array of blocked host entries.
284 */
285 protected function get_blocked_hosts() {
286 global $CFG;
287 if (!isset($CFG->curlsecurityblockedhosts)) {
288 return [];
289 }
290 return array_filter(array_map('trim', explode("\n", $CFG->curlsecurityblockedhosts)), function($entry) {
291 return !empty($entry);
292 });
293 }
294 }
Read-only mirror of the Moodle CVS