Set harder security constraints

phpcs-errors:0 phpunit-status:successful phpstan-errors:665
2020-11-25 17:01:46 +01:00
parent 4ca50fe6ab
commit 0756a58821
3 changed files with 76 additions and 1 deletions
--- a/composer.json
+++ b/composer.json
@@ -5,6 +5,7 @@
        "phpstan/phpstan": "^0.12.57",
        "phpstan/phpstan-strict-rules": "^0.12.5",
        "ergebnis/phpstan-rules": "^0.15.3",
-        "phpstan/phpstan-deprecation-rules": "^0.12.5"
+        "phpstan/phpstan-deprecation-rules": "^0.12.5",
+        "spaze/phpstan-disallowed-calls": "^1.0"
    }
 }
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -10,3 +10,56 @@ parameters:
    ignoreErrors:
        - '#Class MDDBConnectionImpossible not found.#'
        - '#Class MDMysqliExpectedError not found.#'
+    bootstrapFiles:
+        - inc/constants.php
+    excludes_analyse:
+        - classes/MDAllowedValueSets/l18n
+    disallowedFunctionCalls:
+        -
+            function: 'ini_alter()'
+            message: 'use ini_set instead'
+        -
+            function: 'diskfreespace()'
+            message: 'use disk_free_space instead'
+        -
+            function: 'php_sapi_name()'
+            message: 'use PHP_SAPI instead'
+        -
+            function: 'set_file_buffer()'
+            message: 'use stream_set_write_buffer instead'
+        - function: 'dl()'
+        - function: 'opcache_get_status()'
+        - function: 'phpinfo()'
+        - function: 'parse_ini_file()'
+        - function: 'show_source()'
+        - function: 'highlight_file()'
+        - function: 'php_uname()'
+        - function: 'phpcredits()'
+        - function: 'php_strip_whitespace()'
+        - function: 'popen()'
+        - function: 'pclose()'
+        - function: 'virtual()'
+        - function: 'passthru()'
+        - function: 'proc_close()'
+        - function: 'proc_get_status()'
+        - function: 'proc_nice()'
+        - function: 'proc_open()'
+        - function: 'proc_terminate()'
+        - function: 'system()'
+        - function: 'get_current_user()'
+        - function: 'getmyuid()'
+        - function: 'getmygid()'
+        - function: 'getmypid()'
+        - function: 'getmyinode()'
+        - function: 'getlastmod()'
+        - function: 'putenv()'
+        - function: 'chgrp()'
+        - function: 'chgrp()'
+        - function: 'lchgrp()'
+        - function: 'lchown()'
+        - function: 'link()'
+        - function: 'linkinfo()'
+        - function: 'symlink()'
+includes:
+    - classes/MD_QA/rules/phpstan-rules.neon
+    - vendor/spaze/phpstan-disallowed-calls/extension.neon
--- a/public/security.php
+++ b/public/security.php
@@ -0,0 +1,21 @@
+<?PHP
+/**
+ * Generates a CSV template based on the field list provided for CSVXML.
+ *
+ * @author Joshua Ramon Enslin <joshua@museum-digital.de>
+ */
+declare(strict_types = 1);
+require_once __DIR__ . "/../functions/functions.php";
+
+header("Content-type: text/plain");
+echo MD_JAIL::check_server_setup([
+    "shell_access_whitelist"    => [],
+    "sys_function_whitelist"    => ["getenv"],
+    "file_function_whitelist"   => [],
+    "file_uploads"              => true,
+    "allow_url_fopen"           => false,
+    "max_input_vars"            => 100, // Default: 1000
+    "max_input_nesting_level"   => 10, // Default: 1000
+    "post_max_size"             => "4M",
+    "curl"                      => false,
+]);