[civicrm-core.git] / CRM / Core / IDS.php

<?php
/*
 +--------------------------------------------------------------------+
 | CiviCRM version 4.7                                                |
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC (c) 2004-2017                                |
 +--------------------------------------------------------------------+
 | This file is a part of CiviCRM.                                    |
 |                                                                    |
 | CiviCRM is free software; you can copy, modify, and distribute it  |
 | under the terms of the GNU Affero General Public License           |
 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
 |                                                                    |
 | CiviCRM is distributed in the hope that it will be useful, but     |
 | WITHOUT ANY WARRANTY; without even the implied warranty of         |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
 | See the GNU Affero General Public License for more details.        |
 |                                                                    |
 | You should have received a copy of the GNU Affero General Public   |
 | License and the CiviCRM Licensing Exception along                  |
 | with this program; if not, contact CiviCRM LLC                     |
 | at info[AT]civicrm[DOT]org. If you have questions about the        |
 | GNU Affero General Public License or the licensing of CiviCRM,     |
 | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
 +--------------------------------------------------------------------+
 */

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC (c) 2004-2017
 */
class CRM_Core_IDS {

  /**
   * Define the threshold for the ids reactions.
   */
  private $threshold = array(
    'log' => 25,
    'warn' => 50,
    'kick' => 75,
  );

  /**
   * @var string
   */
  private $path;

  /**
   * Check function.
   *
   * This function includes the IDS vendor parts and runs the
   * detection routines on the request array.
   *
   * @param array $args
   *   List of path parts.
   *
   * @return bool
   */
  public function check($args) {
    // lets bypass a few civicrm urls from this check
    $skip = array('civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates');
    CRM_Utils_Hook::idsException($skip);
    $this->path = implode('/', $args);
    if (in_array($this->path, $skip)) {
      return NULL;
    }

    // Add request url and user agent.
    $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
    if (isset($_SERVER['HTTP_USER_AGENT'])) {
      $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
    }

    $configFile = self::createConfigFile(FALSE);

    // init the PHPIDS and pass the REQUEST array
    require_once 'IDS/Init.php';
    try {
      $init = IDS_Init::init($configFile);
      $ids = new IDS_Monitor($_REQUEST, $init);
    }
    catch (Exception $e) {
      // might be an old stale copy of Config.IDS.ini
      // lets try to rebuild it again and see if it works
      $configFile = self::createConfigFile(TRUE);
      $init = IDS_Init::init($configFile);
      $ids = new IDS_Monitor($_REQUEST, $init);
    }

    $result = $ids->run();
    if (!$result->isEmpty()) {
      $this->react($result);
    }

    return TRUE;
  }

  /**
   * Create the default config file for the IDS system.
   *
   * @param bool $force
   *   Should we recreate it irrespective if it exists or not.
   *
   * @return string
   *   the full path to the config file
   */
  public static function createConfigFile($force = FALSE) {
    $config = CRM_Core_Config::singleton();
    $configFile = $config->configAndLogDir . 'Config.IDS.ini';
    if (!$force && file_exists($configFile)) {
      return $configFile;
    }

    // also clear the stat cache in case we are upgrading
    clearstatcache();

    $config = self::createStandardConfig();
    $contents = "\n";
    $lineTpl = "    %-19s = %s\n";
    foreach ($config as $section => $fields) {
      $contents .= "[$section]\n";
      foreach ($fields as $key => $value) {
        if ($key === 'scan_keys' && $value == '') {
          $value = 'false';
        }

        if (is_array($value)) {
          foreach ($value as $v) {
            $contents .= sprintf($lineTpl, $key . '[]', $v);
          }
        }
        else {
          $contents .= sprintf($lineTpl, $key, $value);
        }
      }
    }

    if (file_put_contents($configFile, $contents) === FALSE) {
      CRM_Core_Error::movedSiteError($configFile);
    }

    // also create the .htaccess file so we prevent the reading of the log and ini files
    // via a browser, CRM-3875
    CRM_Utils_File::restrictAccess($config->configAndLogDir);

    return $configFile;
  }

  /**
   * Create conservative, minimalist IDS configuration.
   *
   * @return array
   */
  public static function createBaseConfig() {
    $config = \CRM_Core_Config::singleton();
    $tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
    global $civicrm_root;

    return array(
      'General' => array(
        'filter_type' => 'xml',
        'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml",
        'tmp_path' => $tmpDir,
        'HTML_Purifier_Path' => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
        'HTML_Purifier_Cache' => $tmpDir,
        'scan_keys' => '',
        'exceptions' => array('__utmz', '__utmc'),
      ),
    );
  }

  /**
   * Create the standard, general-purpose IDS configuration used by many pages.
   *
   * @return array
   */
  public static function createStandardConfig() {
    $excs = array(
      'widget_code',
      'html_message',
      'text_message',
      'body_html',
      'msg_html',
      'msg_text',
      'msg_subject',
      'description',
      'intro',
      'thankyou_text',
      'intro_text',
      'body_text',
      'footer_text',
      'thankyou_text',
      'tf_thankyou_text',
      'thankyou_footer',
      'thankyou_footer_text',
      'new_text',
      'renewal_text',
      'help_pre',
      'help_post',
      'confirm_title',
      'confirm_text',
      'confirm_footer_text',
      'confirm_email_text',
      'report_header',
      'report_footer',
      'data',
      'json',
      'instructions',
      'suggested_message',
      'page_text',
      'details',
    );

    $result = self::createBaseConfig();

    $result['General']['exceptions'] = array_merge(
      $result['General']['exceptions'],
      $excs
    );

    return $result;
  }

  /**
   * This function reacts on the values in the incoming results array.
   *
   * Depending on the impact value certain actions are
   * performed.
   *
   * @param IDS_Report $result
   *
   * @return bool
   */
  private function react(IDS_Report $result) {

    $impact = $result->getImpact();
    if ($impact >= $this->threshold['kick']) {
      $this->log($result, 3, $impact);
      $this->kick();
      return TRUE;
    }
    elseif ($impact >= $this->threshold['warn']) {
      $this->log($result, 2, $impact);
      $this->warn($result);
      return TRUE;
    }
    elseif ($impact >= $this->threshold['log']) {
      $this->log($result, 0, $impact);
      return TRUE;
    }
    else {
      return TRUE;
    }
  }

  /**
   * This function writes an entry about the intrusion to the database.
   *
   * @param array $result
   * @param int $reaction
   *
   * @return bool
   */
  private function log($result, $reaction = 0) {
    $ip = (isset($_SERVER['SERVER_ADDR']) &&
      $_SERVER['SERVER_ADDR'] != '127.0.0.1') ? $_SERVER['SERVER_ADDR'] : (
      isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '127.0.0.1'
      );

    $data = array();
    $session = CRM_Core_Session::singleton();
    foreach ($result as $event) {
      $data[] = array(
        'name' => $event->getName(),
        'value' => stripslashes($event->getValue()),
        'page' => $_SERVER['REQUEST_URI'],
        'userid' => $session->get('userID'),
        'session' => session_id() ? session_id() : '0',
        'ip' => $ip,
        'reaction' => $reaction,
        'impact' => $result->getImpact(),
      );
    }

    CRM_Core_Error::debug_var('IDS Detector Details', $data);
    return TRUE;
  }

  /**
   * Warn about IDS.
   *
   * @param array $result
   *
   * @return array
   */
  private function warn($result) {
    return $result;
  }

  /**
   * Create an error that prevents the user from continuing.
   *
   * @throws \Exception
   */
  private function kick() {
    $session = CRM_Core_Session::singleton();
    $session->reset(2);

    $msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting');

    if (in_array(
      $this->path,
      array("civicrm/ajax/rest", "civicrm/api/json")
    )) {
      require_once "api/v3/utils.php";
      $error = civicrm_api3_create_error(
        $msg,
        array(
          'IP' => $_SERVER['REMOTE_ADDR'],
          'error_code' => 'IDS_KICK',
          'level' => 'security',
          'referer' => $_SERVER['HTTP_REFERER'],
          'reason' => 'XSS suspected',
        )
      );
      CRM_Utils_JSON::output($error);
    }
    CRM_Core_Error::fatal($msg);
  }

}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
7e9e8871	4	\| CiviCRM version 4.7 \|
6a488035	5	+--------------------------------------------------------------------+
0f03f337	6	\| Copyright CiviCRM LLC (c) 2004-2017 \|
6a488035 TO	7	+--------------------------------------------------------------------+
	8	\| This file is a part of CiviCRM. \|
	9	\| \|
	10	\| CiviCRM is free software; you can copy, modify, and distribute it \|
	11	\| under the terms of the GNU Affero General Public License \|
	12	\| Version 3, 19 November 2007 and the CiviCRM Licensing Exception. \|
	13	\| \|
	14	\| CiviCRM is distributed in the hope that it will be useful, but \|
	15	\| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	16	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. \|
	17	\| See the GNU Affero General Public License for more details. \|
	18	\| \|
	19	\| You should have received a copy of the GNU Affero General Public \|
	20	\| License and the CiviCRM Licensing Exception along \|
	21	\| with this program; if not, contact CiviCRM LLC \|
	22	\| at info[AT]civicrm[DOT]org. If you have questions about the \|
	23	\| GNU Affero General Public License or the licensing of CiviCRM, \|
	24	\| see the CiviCRM license FAQ at http://civicrm.org/licensing \|
	25	+--------------------------------------------------------------------+
d25dd0ee	26	*/
6a488035 TO	27
	28	/**
	29	*
	30	* @package CRM
0f03f337	31	* @copyright CiviCRM LLC (c) 2004-2017
6a488035 TO	32	*/
	33	class CRM_Core_IDS {
	34
	35	/**
fe482240	36	* Define the threshold for the ids reactions.
6a488035 TO	37	*/
	38	private $threshold = array(
	39	'log' => 25,
	40	'warn' => 50,
	41	'kick' => 75,
	42	);
	43
	44	/**
7c877abd	45	* @var string
6a488035	46	*/
7c877abd	47	private $path;
6a488035 TO	48
6a488035 TO	49	/**
ea3ddccf	50	* Check function.
ea3ddccf	51	*
6a488035 TO	52	* This function includes the IDS vendor parts and runs the
	53	* detection routines on the request array.
	54	*
7c877abd CW	55	* @param array $args
7c877abd CW	56	* List of path parts.
6a488035	57	*
3bdca100	58	* @return bool
6a488035	59	*/
7c877abd	60	public function check($args) {
6a488035	61	// lets bypass a few civicrm urls from this check
aa00da9b	62	$skip = array('civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates');
aa00da9b	63	CRM_Utils_Hook::idsException($skip);
7c877abd CW	64	$this->path = implode('/', $args);
7c877abd CW	65	if (in_array($this->path, $skip)) {
3bdca100	66	return NULL;
6a488035 TO	67	}
6a488035 TO	68
ea3ddccf	69	// Add request url and user agent.
6a488035 TO	70	$_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
	71	if (isset($_SERVER['HTTP_USER_AGENT'])) {
	72	$_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
	73	}
	74
	75	$configFile = self::createConfigFile(FALSE);
	76
	77	// init the PHPIDS and pass the REQUEST array
	78	require_once 'IDS/Init.php';
	79	try {
	80	$init = IDS_Init::init($configFile);
353ffa53	81	$ids = new IDS_Monitor($_REQUEST, $init);
0db6c3e1 TO	82	}
0db6c3e1 TO	83	catch (Exception $e) {
6a488035 TO	84	// might be an old stale copy of Config.IDS.ini
	85	// lets try to rebuild it again and see if it works
	86	$configFile = self::createConfigFile(TRUE);
	87	$init = IDS_Init::init($configFile);
353ffa53	88	$ids = new IDS_Monitor($_REQUEST, $init);
6a488035 TO	89	}
	90
	91	$result = $ids->run();
	92	if (!$result->isEmpty()) {
	93	$this->react($result);
	94	}
	95
	96	return TRUE;
	97	}
	98
	99	/**
fe482240	100	* Create the default config file for the IDS system.
6a488035	101	*
6a0b768e TO	102	* @param bool $force
6a0b768e TO	103	* Should we recreate it irrespective if it exists or not.
6a488035	104	*
a6c01b45 CW	105	* @return string
a6c01b45 CW	106	* the full path to the config file
6a488035	107	*/
00be9182	108	public static function createConfigFile($force = FALSE) {
6a488035 TO	109	$config = CRM_Core_Config::singleton();
	110	$configFile = $config->configAndLogDir . 'Config.IDS.ini';
	111	if (!$force && file_exists($configFile)) {
	112	return $configFile;
	113	}
	114
6a488035 TO	115	// also clear the stat cache in case we are upgrading
	116	clearstatcache();
	117
b74c8634 TO	118	$config = self::createStandardConfig();
	119	$contents = "\n";
	120	$lineTpl = " %-19s = %s\n";
	121	foreach ($config as $section => $fields) {
	122	$contents .= "[$section]\n";
	123	foreach ($fields as $key => $value) {
	124	if ($key === 'scan_keys' && $value == '') {
	125	$value = 'false';
	126	}
	127
	128	if (is_array($value)) {
	129	foreach ($value as $v) {
	130	$contents .= sprintf($lineTpl, $key . '[]', $v);
	131	}
	132	}
	133	else {
	134	$contents .= sprintf($lineTpl, $key, $value);
	135	}
	136	}
	137	}
	138
6a488035 TO	139	if (file_put_contents($configFile, $contents) === FALSE) {
	140	CRM_Core_Error::movedSiteError($configFile);
	141	}
	142
6a488035 TO	143	// also create the .htaccess file so we prevent the reading of the log and ini files
	144	// via a browser, CRM-3875
	145	CRM_Utils_File::restrictAccess($config->configAndLogDir);
	146
	147	return $configFile;
	148	}
	149
b74c8634 TO	150	/**
	151	* Create conservative, minimalist IDS configuration.
	152	*
	153	* @return array
	154	*/
	155	public static function createBaseConfig() {
	156	$config = \CRM_Core_Config::singleton();
	157	$tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
	158	global $civicrm_root;
	159
	160	return array(
	161	'General' => array(
	162	'filter_type' => 'xml',
	163	'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml",
	164	'tmp_path' => $tmpDir,
	165	'HTML_Purifier_Path' => 'IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
	166	'HTML_Purifier_Cache' => $tmpDir,
	167	'scan_keys' => '',
	168	'exceptions' => array('__utmz', '__utmc'),
	169	),
	170	);
	171	}
	172
	173	/**
	174	* Create the standard, general-purpose IDS configuration used by many pages.
	175	*
	176	* @return array
	177	*/
	178	public static function createStandardConfig() {
	179	$excs = array(
	180	'widget_code',
	181	'html_message',
	182	'text_message',
	183	'body_html',
	184	'msg_html',
	185	'msg_text',
	186	'msg_subject',
	187	'description',
	188	'intro',
	189	'thankyou_text',
	190	'intro_text',
	191	'body_text',
	192	'footer_text',
	193	'thankyou_text',
	194	'tf_thankyou_text',
	195	'thankyou_footer',
	196	'thankyou_footer_text',
	197	'new_text',
	198	'renewal_text',
	199	'help_pre',
	200	'help_post',
	201	'confirm_title',
	202	'confirm_text',
	203	'confirm_footer_text',
	204	'confirm_email_text',
	205	'report_header',
	206	'report_footer',
	207	'data',
	208	'json',
	209	'instructions',
	210	'suggested_message',
	211	'page_text',
	212	'details',
	213	);
214
215	$result = self::createBaseConfig();
216
217	$result['General']['exceptions'] = array_merge(
218	$result['General']['exceptions'],
219	$excs
220	);
221
222	return $result;
223	}
224
6a488035	225	/**
ea3ddccf	226	* This function reacts on the values in the incoming results array.
6a488035 TO	227	*
	228	* Depending on the impact value certain actions are
	229	* performed.
	230	*
	231	* @param IDS_Report $result
	232	*
3bdca100	233	* @return bool
6a488035	234	*/
d3e86119	235	private function react(IDS_Report $result) {
6a488035 TO	236
	237	$impact = $result->getImpact();
	238	if ($impact >= $this->threshold['kick']) {
	239	$this->log($result, 3, $impact);
7c877abd	240	$this->kick();
6a488035 TO	241	return TRUE;
	242	}
	243	elseif ($impact >= $this->threshold['warn']) {
	244	$this->log($result, 2, $impact);
	245	$this->warn($result);
	246	return TRUE;
	247	}
	248	elseif ($impact >= $this->threshold['log']) {
	249	$this->log($result, 0, $impact);
	250	return TRUE;
	251	}
	252	else {
	253	return TRUE;
	254	}
	255	}
	256
	257	/**
ea3ddccf	258	* This function writes an entry about the intrusion to the database.
6a488035	259	*
c490a46a	260	* @param array $result
77b97be7 EM	261	* @param int $reaction
77b97be7 EM	262	*
3bdca100	263	* @return bool
6a488035 TO	264	*/
	265	private function log($result, $reaction = 0) {
	266	$ip = (isset($_SERVER['SERVER_ADDR']) &&
3bdca100	267	$_SERVER['SERVER_ADDR'] != '127.0.0.1') ? $_SERVER['SERVER_ADDR'] : (
3bdca100	268	isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '127.0.0.1'
006389de	269	);
6a488035 TO	270
	271	$data = array();
	272	$session = CRM_Core_Session::singleton();
	273	foreach ($result as $event) {
	274	$data[] = array(
	275	'name' => $event->getName(),
	276	'value' => stripslashes($event->getValue()),
	277	'page' => $_SERVER['REQUEST_URI'],
	278	'userid' => $session->get('userID'),
	279	'session' => session_id() ? session_id() : '0',
	280	'ip' => $ip,
	281	'reaction' => $reaction,
	282	'impact' => $result->getImpact(),
	283	);
	284	}
	285
	286	CRM_Core_Error::debug_var('IDS Detector Details', $data);
	287	return TRUE;
	288	}
	289
	290	/**
ea3ddccf	291	* Warn about IDS.
	292	*
	293	* @param array $result
	294	*
	295	* @return array
6a488035 TO	296	*/
	297	private function warn($result) {
	298	return $result;
	299	}
	300
	301	/**
7c877abd	302	* Create an error that prevents the user from continuing.
ea3ddccf	303	*
ea3ddccf	304	* @throws \Exception
6a488035	305	*/
7c877abd	306	private function kick() {
6a488035 TO	307	$session = CRM_Core_Session::singleton();
	308	$session->reset(2);
	309
f3a27f08 DL	310	$msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting');
f3a27f08 DL	311
f3a27f08	312	if (in_array(
7c877abd	313	$this->path,
353ffa53 TO	314	array("civicrm/ajax/rest", "civicrm/api/json")
353ffa53 TO	315	)) {
f3a27f08 DL	316	require_once "api/v3/utils.php";
	317	$error = civicrm_api3_create_error(
	318	$msg,
6a488035 TO	319	array(
	320	'IP' => $_SERVER['REMOTE_ADDR'],
	321	'error_code' => 'IDS_KICK',
	322	'level' => 'security',
	323	'referer' => $_SERVER['HTTP_REFERER'],
	324	'reason' => 'XSS suspected',
	325	)
	326	);
ecdef330	327	CRM_Utils_JSON::output($error);
6a488035	328	}
f3a27f08	329	CRM_Core_Error::fatal($msg);
6a488035	330	}
96025800	331
6a488035	332	}