projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
(NFC) (dev/core#878) Simplify copyright header (CRM/*)
[civicrm-core.git] / CRM / Core / IDS.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 *
14 * @package CRM
15 * @copyright CiviCRM LLC https://civicrm.org/licensing
16 */
17 class CRM_Core_IDS {
18
19 /**
20 * Define the threshold for the ids reactions.
21 * @var array
22 */
23 private $threshold = [
24 'log' => 25,
25 'warn' => 50,
26 'kick' => 75,
27 ];
28
29 /**
30 * @var string
31 */
32 private $path;
33
34 /**
35 * Check function.
36 *
37 * This function includes the IDS vendor parts and runs the
38 * detection routines on the request array.
39 *
40 * @param array $route
41 *
42 * @return bool
43 */
44 public function check($route) {
45 if (CRM_Core_Permission::check('skip IDS check')) {
46 return NULL;
47 }
48
49 // lets bypass a few civicrm urls from this check
50 $skip = ['civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates'];
51 CRM_Utils_Hook::idsException($skip);
52 $this->path = $route['path'];
53 if (in_array($this->path, $skip)) {
54 return NULL;
55 }
56
57 $init = self::create(self::createRouteConfig($route));
58
59 // Add request url and user agent.
60 $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
61 if (isset($_SERVER['HTTP_USER_AGENT'])) {
62 $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
63 }
64
65 require_once 'IDS/Monitor.php';
66 $ids = new \IDS_Monitor($_REQUEST, $init);
67
68 $result = $ids->run();
69 if (!$result->isEmpty()) {
70 $this->react($result);
71 }
72
73 return TRUE;
74 }
75
76 /**
77 * Create a new PHPIDS configuration object.
78 *
79 * @param array $config
80 * PHPIDS configuration array (per INI format).
81 * @return \IDS_Init
82 */
83 protected static function create($config) {
84 require_once 'IDS/Init.php';
85 $init = \IDS_Init::init(NULL);
86 $init->setConfig($config, TRUE);
87
88 // Cleanup
89 $reflection = new \ReflectionProperty('IDS_Init', 'instances');
90 $reflection->setAccessible(TRUE);
91 $value = $reflection->getValue(NULL);
92 unset($value[NULL]);
93 $reflection->setValue(NULL, $value);
94
95 return $init;
96 }
97
98 /**
99 * Create conservative, minimalist IDS configuration.
100 *
101 * @return array
102 */
103 public static function createBaseConfig() {
104 $config = \CRM_Core_Config::singleton();
105 $tmpDir = empty($config->uploadDir) ? Civi::paths()->getVariable('civicrm.compile', 'path') : $config->uploadDir;
106 global $civicrm_root;
107
108 return [
109 'General' => [
110 'filter_type' => 'xml',
111 'filter_path' => "{$civicrm_root}/packages/IDS/default_filter.xml",
112 'tmp_path' => $tmpDir,
113 'HTML_Purifier_Path' => $civicrm_root . 'packages/IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
114 'HTML_Purifier_Cache' => $tmpDir,
115 'scan_keys' => '',
116 'exceptions' => ['__utmz', '__utmc'],
117 ],
118 ];
119 }
120
121 /**
122 * Create the standard, general-purpose IDS configuration used by many pages.
123 *
124 * @return array
125 */
126 public static function createStandardConfig() {
127 $excs = [
128 'widget_code',
129 'html_message',
130 'text_message',
131 'body_html',
132 'msg_html',
133 'msg_text',
134 'msg_subject',
135 'description',
136 'intro',
137 'thankyou_text',
138 'intro_text',
139 'body_text',
140 'footer_text',
141 'thankyou_text',
142 'tf_thankyou_text',
143 'thankyou_footer',
144 'thankyou_footer_text',
145 'new_text',
146 'renewal_text',
147 'help_pre',
148 'help_post',
149 'confirm_title',
150 'confirm_text',
151 'confirm_footer_text',
152 'confirm_email_text',
153 'report_header',
154 'report_footer',
155 'data',
156 'json',
157 'instructions',
158 'suggested_message',
159 'page_text',
160 'details',
161 ];
162
163 $result = self::createBaseConfig();
164
165 $result['General']['exceptions'] = array_merge(
166 $result['General']['exceptions'],
167 $excs
168 );
169
170 return $result;
171 }
172
173 /**
174 * @param array $route
175 * @return array
176 */
177 public static function createRouteConfig($route) {
178 $config = \CRM_Core_IDS::createStandardConfig();
179 foreach (['json', 'html', 'exceptions'] as $section) {
180 if (isset($route['ids_arguments'][$section])) {
181 if (!isset($config['General'][$section])) {
182 $config['General'][$section] = [];
183 }
184 foreach ($route['ids_arguments'][$section] as $v) {
185 $config['General'][$section][] = $v;
186 }
187 $config['General'][$section] = array_unique($config['General'][$section]);
188 }
189 }
190 return $config;
191 }
192
193 /**
194 * This function reacts on the values in the incoming results array.
195 *
196 * Depending on the impact value certain actions are
197 * performed.
198 *
199 * @param IDS_Report $result
200 *
201 * @return bool
202 */
203 public function react(IDS_Report $result) {
204
205 $impact = $result->getImpact();
206 if ($impact >= $this->threshold['kick']) {
207 $this->log($result, 3, $impact);
208 $this->kick();
209 return TRUE;
210 }
211 elseif ($impact >= $this->threshold['warn']) {
212 $this->log($result, 2, $impact);
213 $this->warn($result);
214 return TRUE;
215 }
216 elseif ($impact >= $this->threshold['log']) {
217 $this->log($result, 0, $impact);
218 return TRUE;
219 }
220 else {
221 return TRUE;
222 }
223 }
224
225 /**
226 * This function writes an entry about the intrusion to the database.
227 *
228 * @param array $result
229 * @param int $reaction
230 *
231 * @return bool
232 */
233 private function log($result, $reaction = 0) {
234 // Include X_FORWARD_FOR ip address if set as per IDS patten.
235 $ip = $_SERVER['REMOTE_ADDR'] . (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? ' (' . $_SERVER['HTTP_X_FORWARDED_FOR'] . ')' : '');
236
237 $data = [];
238 $session = CRM_Core_Session::singleton();
239 foreach ($result as $event) {
240 $data[] = [
241 'name' => $event->getName(),
242 'value' => stripslashes($event->getValue()),
243 'page' => $_SERVER['REQUEST_URI'],
244 'userid' => $session->get('userID'),
245 'session' => session_id() ? session_id() : '0',
246 'ip' => $ip,
247 'reaction' => $reaction,
248 'impact' => $result->getImpact(),
249 ];
250 }
251
252 CRM_Core_Error::debug_var('IDS Detector Details', $data);
253 return TRUE;
254 }
255
256 /**
257 * Warn about IDS.
258 *
259 * @param array $result
260 *
261 * @return array
262 */
263 private function warn($result) {
264 return $result;
265 }
266
267 /**
268 * Create an error that prevents the user from continuing.
269 *
270 * @throws \Exception
271 */
272 private function kick() {
273 $session = CRM_Core_Session::singleton();
274 $session->reset(2);
275
276 $msg = ts('There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting');
277
278 if (in_array(
279 $this->path,
280 ["civicrm/ajax/rest", "civicrm/api/json"]
281 )) {
282 require_once "api/v3/utils.php";
283 $error = civicrm_api3_create_error(
284 $msg,
285 [
286 'IP' => $_SERVER['REMOTE_ADDR'],
287 'error_code' => 'IDS_KICK',
288 'level' => 'security',
289 'referer' => $_SERVER['HTTP_REFERER'],
290 'reason' => 'XSS suspected',
291 ]
292 );
293 CRM_Utils_JSON::output($error);
294 }
295 CRM_Core_Error::fatal($msg);
296 }
297
298 }