[civicrm-core.git] / CRM / Core / IDS.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 5                                                  |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2018                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2018
 */
class CRM_Core_IDS {

  /**
   * Define the threshold for the ids reactions.
   */
  private $threshold = array(
    'log' => 25,
    'warn' => 50,
    'kick' => 75,
  );

  /**
   * @var string
   */
  private $path;

  /**
   * Check function.
   *
   * This function includes the IDS vendor parts and runs the
   * detection routines on the request array.
   *
   * @param array $route
   *
   * @return bool
   */
  public function check($route) {
    if (CRM_Core_Permission::check('skip IDS check')) {
      return NULL;
    }

    // lets bypass a few civicrm urls from this check
    $skip = array('civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates');
    CRM_Utils_Hook::idsException($skip);
    $this->path = $route['path'];
    if (in_array($this->path, $skip)) {
      return NULL;
    }

    $init = self::create(self::createRouteConfig($route));

    // Add request url and user agent.
    $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
    if (isset($_SERVER['HTTP_USER_AGENT'])) {
      $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
    }

    require_once 'IDS/Monitor.php';
    $ids = new \IDS_Monitor($_REQUEST, $init);

    $result = $ids->run();
    if (!$result->isEmpty()) {
      $this->react($result);
    }

    return TRUE;
  }

  /**
   * Create a new PHPIDS configuration object.
   *
   * @param array $config
   *   PHPIDS configuration array (per INI format).
   * @return \IDS_Init
   */
  protected static function create($config) {
    require_once 'IDS/Init.php';
    $init = \IDS_Init::init(NULL);
    $init->setConfig($config, TRUE);

    // Cleanup
    $reflection = new \ReflectionProperty('IDS_Init', 'instances');
    $reflection->setAccessible(TRUE);
    $value = $reflection->getValue(NULL);
    unset($value[NULL]);
    $reflection->setValue(NULL, $value);

    return $init;
  }

  /**
   * Create conservative, minimalist IDS configuration.
   *
   * @return array
   */
  public static function createBaseConfig() {
    $config = \CRM_Core_Config::singleton();
    $tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
    global $civicrm_root;

    return array(
      'General' => array(
        'filter_type' => 'xml',
        'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml",
        'tmp_path' => $tmpDir,
        'HTML_Purifier_Path' => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
        'HTML_Purifier_Cache' => $tmpDir,
        'scan_keys' => '',
        'exceptions' => array('__utmz', '__utmc'),
      ),
    );
  }

  /**
   * Create the standard, general-purpose IDS configuration used by many pages.
   *
   * @return array
   */
  public static function createStandardConfig() {
    $excs = array(
      'widget_code',
      'html_message',
      'text_message',
      'body_html',
      'msg_html',
      'msg_text',
      'msg_subject',
      'description',
      'intro',
      'thankyou_text',
      'intro_text',
      'body_text',
      'footer_text',
      'thankyou_text',
      'tf_thankyou_text',
      'thankyou_footer',
      'thankyou_footer_text',
      'new_text',
      'renewal_text',
      'help_pre',
      'help_post',
      'confirm_title',
      'confirm_text',
      'confirm_footer_text',
      'confirm_email_text',
      'report_header',
      'report_footer',
      'data',
      'json',
      'instructions',
      'suggested_message',
      'page_text',
      'details',
    );

    $result = self::createBaseConfig();

    $result['General']['exceptions'] = array_merge(
      $result['General']['exceptions'],
      $excs
    );

    return $result;
  }

  /**
   * @param array $route
   * @return array
   */
  public static function createRouteConfig($route) {
    $config = \CRM_Core_IDS::createStandardConfig();
    foreach (array('json', 'html', 'exceptions') as $section) {
      if (isset($route['ids_arguments'][$section])) {
        if (!isset($config['General'][$section])) {
          $config['General'][$section] = array();
        }
        foreach ($route['ids_arguments'][$section] as $v) {
          $config['General'][$section][] = $v;
        }
        $config['General'][$section] = array_unique($config['General'][$section]);
      }
    }
    return $config;
  }

  /**
   * This function reacts on the values in the incoming results array.
   *
   * Depending on the impact value certain actions are
   * performed.
   *
   * @param IDS_Report $result
   *
   * @return bool
   */
  public function react(IDS_Report $result) {

    $impact = $result->getImpact();
    if ($impact >= $this->threshold['kick']) {
      $this->log($result, 3, $impact);
      $this->kick();
      return TRUE;
    }
    elseif ($impact >= $this->threshold['warn']) {
      $this->log($result, 2, $impact);
      $this->warn($result);
      return TRUE;
    }
    elseif ($impact >= $this->threshold['log']) {
      $this->log($result, 0, $impact);
      return TRUE;
    }
    else {
      return TRUE;
    }
  }

  /**
   * This function writes an entry about the intrusion to the database.
   *
   * @param array $result
   * @param int $reaction
   *
   * @return bool
   */
  private function log($result, $reaction = 0) {
    $ip = (isset($_SERVER['SERVER_ADDR']) &&
      $_SERVER['SERVER_ADDR'] != '127.0.0.1') ? $_SERVER['SERVER_ADDR'] : (
      isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '127.0.0.1'
      );

    $data = array();
    $session = CRM_Core_Session::singleton();
    foreach ($result as $event) {
      $data[] = array(
        'name' => $event->getName(),
        'value' => stripslashes($event->getValue()),
        'page' => $_SERVER['REQUEST_URI'],
        'userid' => $session->get('userID'),
        'session' => session_id() ? session_id() : '0',
        'ip' => $ip,
        'reaction' => $reaction,
        'impact' => $result->getImpact(),
      );
    }

    CRM_Core_Error::debug_var('IDS Detector Details', $data);
    return TRUE;
  }

  /**
   * Warn about IDS.
   *
   * @param array $result
   *
   * @return array
   */
  private function warn($result) {
    return $result;
  }

  /**
   * Create an error that prevents the user from continuing.
   *
   * @throws \Exception
   */
  private function kick() {
    $session = CRM_Core_Session::singleton();
    $session->reset(2);

    $msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting');

    if (in_array(
      $this->path,
      array("civicrm/ajax/rest", "civicrm/api/json")
    )) {
      require_once "api/v3/utils.php";
      $error = civicrm_api3_create_error(
        $msg,
        array(
          'IP' => $_SERVER['REMOTE_ADDR'],
          'error_code' => 'IDS_KICK',
          'level' => 'security',
          'referer' => $_SERVER['HTTP_REFERER'],
          'reason' => 'XSS suspected',
        )
      );
      CRM_Utils_JSON::output($error);
    }
    CRM_Core_Error::fatal($msg);
  }

}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
fee14197	4	\| CiviCRM version 5 \|
6a488035	5	+--------------------------------------------------------------------+
8c9251b3	6	\| Copyright CiviCRM LLC (c) 2004-2018 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
d25dd0ee	26	*/
6a488035 TO	27
	28	/**
	29	*
	30	* @package CRM
8c9251b3	31	* @copyright CiviCRM LLC (c) 2004-2018
6a488035 TO	32	*/
	33	class CRM_Core_IDS {
	34
	35	/**
fe482240	36	* Define the threshold for the ids reactions.
6a488035 TO	37	*/
	38	private $threshold = array(
	39	'log' => 25,
	40	'warn' => 50,
	41	'kick' => 75,
	42	);
	43
	44	/**
7c877abd	45	* @var string
6a488035	46	*/
7c877abd	47	private $path;
6a488035 TO	48
6a488035 TO	49	/**
ea3ddccf	50	* Check function.
ea3ddccf	51	*
6a488035 TO	52	* This function includes the IDS vendor parts and runs the
	53	* detection routines on the request array.
	54	*
76adcecc	55	* @param array $route
6a488035	56	*
3bdca100	57	* @return bool
6a488035	58	*/
76adcecc TO	59	public function check($route) {
	60	if (CRM_Core_Permission::check('skip IDS check')) {
	61	return NULL;
	62	}
	63
6a488035	64	// lets bypass a few civicrm urls from this check
aa00da9b	65	$skip = array('civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates');
aa00da9b	66	CRM_Utils_Hook::idsException($skip);
76adcecc	67	$this->path = $route['path'];
7c877abd	68	if (in_array($this->path, $skip)) {
3bdca100	69	return NULL;
6a488035 TO	70	}
6a488035 TO	71
36d4fa1b	72	$init = self::create(self::createRouteConfig($route));
76adcecc	73
ea3ddccf	74	// Add request url and user agent.
6a488035 TO	75	$_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
	76	if (isset($_SERVER['HTTP_USER_AGENT'])) {
	77	$_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
	78	}
	79
76adcecc TO	80	require_once 'IDS/Monitor.php';
76adcecc TO	81	$ids = new \IDS_Monitor($_REQUEST, $init);
6a488035 TO	82
	83	$result = $ids->run();
	84	if (!$result->isEmpty()) {
	85	$this->react($result);
	86	}
	87
	88	return TRUE;
	89	}
	90
	91	/**
76adcecc	92	* Create a new PHPIDS configuration object.
6a488035	93	*
76adcecc TO	94	* @param array $config
	95	* PHPIDS configuration array (per INI format).
	96	* @return \IDS_Init
6a488035	97	*/
76adcecc TO	98	protected static function create($config) {
	99	require_once 'IDS/Init.php';
	100	$init = \IDS_Init::init(NULL);
	101	$init->setConfig($config, TRUE);
6a488035	102
76adcecc TO	103	// Cleanup
	104	$reflection = new \ReflectionProperty('IDS_Init', 'instances');
	105	$reflection->setAccessible(TRUE);
	106	$value = $reflection->getValue(NULL);
	107	unset($value[NULL]);
	108	$reflection->setValue(NULL, $value);
6a488035	109
76adcecc	110	return $init;
6a488035 TO	111	}
6a488035 TO	112
b74c8634 TO	113	/**
	114	* Create conservative, minimalist IDS configuration.
	115	*
	116	* @return array
	117	*/
	118	public static function createBaseConfig() {
	119	$config = \CRM_Core_Config::singleton();
	120	$tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
	121	global $civicrm_root;
	122
	123	return array(
	124	'General' => array(
	125	'filter_type' => 'xml',
	126	'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml",
	127	'tmp_path' => $tmpDir,
	128	'HTML_Purifier_Path' => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
	129	'HTML_Purifier_Cache' => $tmpDir,
	130	'scan_keys' => '',
	131	'exceptions' => array('__utmz', '__utmc'),
	132	),
	133	);
	134	}
	135
	136	/**
	137	* Create the standard, general-purpose IDS configuration used by many pages.
	138	*
	139	* @return array
	140	*/
	141	public static function createStandardConfig() {
	142	$excs = array(
	143	'widget_code',
	144	'html_message',
	145	'text_message',
	146	'body_html',
	147	'msg_html',
	148	'msg_text',
	149	'msg_subject',
	150	'description',
	151	'intro',
	152	'thankyou_text',
	153	'intro_text',
	154	'body_text',
	155	'footer_text',
	156	'thankyou_text',
	157	'tf_thankyou_text',
	158	'thankyou_footer',
	159	'thankyou_footer_text',
	160	'new_text',
	161	'renewal_text',
	162	'help_pre',
	163	'help_post',
	164	'confirm_title',
	165	'confirm_text',
	166	'confirm_footer_text',
	167	'confirm_email_text',
	168	'report_header',
	169	'report_footer',
	170	'data',
	171	'json',
	172	'instructions',
	173	'suggested_message',
	174	'page_text',
	175	'details',
	176	);
177
178	$result = self::createBaseConfig();
179
180	$result['General']['exceptions'] = array_merge(
181	$result['General']['exceptions'],
182	$excs
183	);
184
185	return $result;
186	}
187
36d4fa1b TO	188	/**
	189	* @param array $route
	190	* @return array
	191	*/
	192	public static function createRouteConfig($route) {
	193	$config = \CRM_Core_IDS::createStandardConfig();
	194	foreach (array('json', 'html', 'exceptions') as $section) {
	195	if (isset($route['ids_arguments'][$section])) {
	196	if (!isset($config['General'][$section])) {
	197	$config['General'][$section] = array();
	198	}
	199	foreach ($route['ids_arguments'][$section] as $v) {
	200	$config['General'][$section][] = $v;
	201	}
	202	$config['General'][$section] = array_unique($config['General'][$section]);
	203	}
	204	}
	205	return $config;
	206	}
	207
6a488035	208	/**
ea3ddccf	209	* This function reacts on the values in the incoming results array.
6a488035 TO	210	*
	211	* Depending on the impact value certain actions are
	212	* performed.
	213	*
	214	* @param IDS_Report $result
	215	*
3bdca100	216	* @return bool
6a488035	217	*/
76adcecc	218	public function react(IDS_Report $result) {
6a488035 TO	219
	220	$impact = $result->getImpact();
	221	if ($impact >= $this->threshold['kick']) {
	222	$this->log($result, 3, $impact);
7c877abd	223	$this->kick();
6a488035 TO	224	return TRUE;
	225	}
	226	elseif ($impact >= $this->threshold['warn']) {
	227	$this->log($result, 2, $impact);
	228	$this->warn($result);
	229	return TRUE;
	230	}
	231	elseif ($impact >= $this->threshold['log']) {
	232	$this->log($result, 0, $impact);
	233	return TRUE;
	234	}
	235	else {
	236	return TRUE;
	237	}
	238	}
	239
	240	/**
ea3ddccf	241	* This function writes an entry about the intrusion to the database.
6a488035	242	*
c490a46a	243	* @param array $result
77b97be7 EM	244	* @param int $reaction
77b97be7 EM	245	*
3bdca100	246	* @return bool
6a488035 TO	247	*/
	248	private function log($result, $reaction = 0) {
	249	$ip = (isset($_SERVER['SERVER_ADDR']) &&
3bdca100	250	$_SERVER['SERVER_ADDR'] != '127.0.0.1') ? $_SERVER['SERVER_ADDR'] : (
3bdca100	251	isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '127.0.0.1'
006389de	252	);
6a488035 TO	253
	254	$data = array();
	255	$session = CRM_Core_Session::singleton();
	256	foreach ($result as $event) {
	257	$data[] = array(
	258	'name' => $event->getName(),
	259	'value' => stripslashes($event->getValue()),
	260	'page' => $_SERVER['REQUEST_URI'],
	261	'userid' => $session->get('userID'),
	262	'session' => session_id() ? session_id() : '0',
	263	'ip' => $ip,
	264	'reaction' => $reaction,
	265	'impact' => $result->getImpact(),
	266	);
	267	}
	268
	269	CRM_Core_Error::debug_var('IDS Detector Details', $data);
	270	return TRUE;
	271	}
	272
	273	/**
ea3ddccf	274	* Warn about IDS.
	275	*
	276	* @param array $result
	277	*
	278	* @return array
6a488035 TO	279	*/
	280	private function warn($result) {
	281	return $result;
	282	}
	283
	284	/**
7c877abd	285	* Create an error that prevents the user from continuing.
ea3ddccf	286	*
ea3ddccf	287	* @throws \Exception
6a488035	288	*/
7c877abd	289	private function kick() {
6a488035 TO	290	$session = CRM_Core_Session::singleton();
	291	$session->reset(2);
	292
f3a27f08 DL	293	$msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting');
f3a27f08 DL	294
f3a27f08	295	if (in_array(
7c877abd	296	$this->path,
353ffa53 TO	297	array("civicrm/ajax/rest", "civicrm/api/json")
353ffa53 TO	298	)) {
f3a27f08 DL	299	require_once "api/v3/utils.php";
	300	$error = civicrm_api3_create_error(
	301	$msg,
6a488035 TO	302	array(
	303	'IP' => $_SERVER['REMOTE_ADDR'],
	304	'error_code' => 'IDS_KICK',
	305	'level' => 'security',
	306	'referer' => $_SERVER['HTTP_REFERER'],
	307	'reason' => 'XSS suspected',
	308	)
	309	);
ecdef330	310	CRM_Utils_JSON::output($error);
6a488035	311	}
f3a27f08	312	CRM_Core_Error::fatal($msg);
6a488035	313	}
96025800	314
6a488035	315	}