From 0756a58821e549f578b49235786a14d96fb8ea19 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Wed, 25 Nov 2020 17:01:46 +0100
Subject: [PATCH] Set harder security constraints phpcs-errors:0 phpunit-status:successful phpstan-errors:665
---
 composer.json | 3 ++-
 phpstan.neon | 53 +++++++++++++++++++++++++++++++++++++++++++++
 public/security.php | 21 ++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 public/security.php
diff --git a/composer.json b/composer.json
index aebb81a..76949bc 100644
--- a/composer.json
+++ b/composer.json
@@ -5,6 +5,7 @@
 "phpstan/phpstan": "^0.12.57",
 "phpstan/phpstan-strict-rules": "^0.12.5",
 "ergebnis/phpstan-rules": "^0.15.3",
- "phpstan/phpstan-deprecation-rules": "^0.12.5"
+ "phpstan/phpstan-deprecation-rules": "^0.12.5",
+ "spaze/phpstan-disallowed-calls": "^1.0"
 }
 }
diff --git a/phpstan.neon b/phpstan.neon
index 1202d7d..2c5cd26 100644
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -10,3 +10,56 @@ parameters:
 ignoreErrors:
 - '#Class MDDBConnectionImpossible not found.#'
 - '#Class MDMysqliExpectedError not found.#'
+ bootstrapFiles:
+ - inc/constants.php
+ excludes_analyse:
+ - classes/MDAllowedValueSets/l18n
+ disallowedFunctionCalls:
+ -
+ function: 'ini_alter()'
+ message: 'use ini_set instead'
+ -
+ function: 'diskfreespace()'
+ message: 'use disk_free_space instead'
+ -
+ function: 'php_sapi_name()'
+ message: 'use PHP_SAPI instead'
+ -
+ function: 'set_file_buffer()'
+ message: 'use stream_set_write_buffer instead'
+ - function: 'dl()'
+ - function: 'opcache_get_status()'
+ - function: 'phpinfo()'
+ - function: 'parse_ini_file()'
+ - function: 'show_source()'
+ - function: 'highlight_file()'
+ - function: 'php_uname()'
+ - function: 'phpcredits()'
+ - function: 'php_strip_whitespace()'
+ - function: 'popen()'
+ - function: 'pclose()'
+ - function: 'virtual()'
+ - function: 'passthru()'
+ - function: 'proc_close()'
+ - function: 'proc_get_status()'
+ - function: 'proc_nice()'
+ - function: 'proc_open()'
+ - function: 'proc_terminate()'
+ - function: 'system()'
+ - function: 'get_current_user()'
+ - function: 'getmyuid()'
+ - function: 'getmygid()'
+ - function: 'getmypid()'
+ - function: 'getmyinode()'
+ - function: 'getlastmod()'
+ - function: 'putenv()'
+ - function: 'chgrp()'
+ - function: 'chgrp()'
+ - function: 'lchgrp()'
+ - function: 'lchown()'
+ - function: 'link()'
+ - function: 'linkinfo()'
+ - function: 'symlink()'
+includes:
+ - classes/MD_QA/rules/phpstan-rules.neon
+ - vendor/spaze/phpstan-disallowed-calls/extension.neon
diff --git a/public/security.php b/public/security.php
new file mode 100644
index 0000000..90d37c6
--- /dev/null
+++ b/public/security.php
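Review bot: `chgrp()` appears twice in `disallowedFunctionCalls` (two consecutive `- function: 'chgrp()'` entries) while `chown()` is absent even though both `lchown()` and `lchgrp()` are disallowed, so the second entry is almost certainly a copy/paste slip and should read `- function: 'chown()'`. The list also disallows `system()`, `passthru()`, `popen()` and `proc_open()` but not `exec()` or `shell_exec()`, so the command-execution family is only partly covered by this rule; unless those two are already blocked elsewhere (for example via `disable_functions`), add `- function: 'exec()'` and `- function: 'shell_exec()'` next to them. The backtick operator is not a function call and is outside what this extension can flag, so it needs a separate check if that matters to the project.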
@@ -0,0 +1,21 @@ + + */ +declare(strict_types = 1); +require_once __DIR__ . "/../functions/functions.php"; + +header("Content-type: text/plain"); +echo MD_JAIL::check_server_setup([ + "shell_access_whitelist" => [], + "sys_function_whitelist" => ["getenv"], + "file_function_whitelist" => [], + "file_uploads" => true, + "allow_url_fopen" => false, + "max_input_vars" => 100, // Default: 1000 + "max_input_nesting_level" => 10, // Default: 1000 + "post_max_size" => "4M", + "curl" => false, +]);
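Review bot: public/security.php sits under the web root and echoes the result of `MD_JAIL::check_server_setup()` as text/plain to any client, and no access check is visible anywhere in the hunk; if that output reports which of the listed constraints the server fails, the page discloses hardening state to unauthenticated callers. Gate it before the `echo` with the application's existing authentication, or, if it is only meant for operators, guard it with a `PHP_SAPI` check and move it out of `public/`; also add `header("X-Content-Type-Options: nosniff");` beside the content-type header so browsers never reinterpret the plain-text body. The opening tag and docblock of the file are garbled in this patch view, so I can only confirm that nothing between `declare(strict_types = 1);` and the `echo` restricts access.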