From 3d1f32f7dd55ab99eaa676dea82b648e3ec613dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=8Ceslav=20Przywara?= Date: Tue, 11 Apr 2023 19:27:18 +0200 Subject: [PATCH 1/4] Bump version to 0.20.1 --- CHANGELOG.md | 2 ++ bc-security.php | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67f7a1b..d9a8084 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # BC Security Changelog +## Version 0.20.1 (????-??-??) + ## Version 0.20.0 (2023-03-31) This release brings a new feature: __external blocklist__. This feature has its own module named _External Blocklist_. To keep the naming consistent, _IP Blacklist_ module has been renamed to _Internal Blocklist_. diff --git a/bc-security.php b/bc-security.php index 7c5a690..a27cbc9 100644 --- a/bc-security.php +++ b/bc-security.php @@ -4,7 +4,7 @@ * Plugin Name: BC Security * Plugin URI: https://github.com/chesio/bc-security * Description: Helps keeping WordPress websites secure. - * Version: 0.20.0 + * Version: 0.20.1 * Author: Česlav Przywara * Author URI: https://www.chesio.com * Requires PHP: 7.3 From e3af6969bcbb4cdab260221179a7dfc9f671437e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=8Ceslav=20Przywara?= Date: Tue, 11 Apr 2023 19:28:59 +0200 Subject: [PATCH 2/4] Validate IP addresses to avoid potential security issues Fixes #138. --- CHANGELOG.md | 2 + classes/BlueChip/Security/Setup/IpAddress.php | 21 ++++++-- .../Cases/Setup/IpAddressValidationTest.php | 50 +++++++++++++++++++ 3 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 tests/unit/src/Cases/Setup/IpAddressValidationTest.php diff --git a/CHANGELOG.md b/CHANGELOG.md index d9a8084..3a2d1ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,8 @@ ## Version 0.20.1 (????-??-??) +* Validate IP addresses to avoid potential security issues [#138](https://github.com/chesio/bc-security/issues/138). + ## Version 0.20.0 (2023-03-31) This release brings a new feature: __external blocklist__. This feature has its own module named _External Blocklist_. To keep the naming consistent, _IP Blacklist_ module has been renamed to _Internal Blocklist_. diff --git a/classes/BlueChip/Security/Setup/IpAddress.php b/classes/BlueChip/Security/Setup/IpAddress.php index c313311..d7dddfc 100644 --- a/classes/BlueChip/Security/Setup/IpAddress.php +++ b/classes/BlueChip/Security/Setup/IpAddress.php @@ -53,7 +53,7 @@ public static function get(string $type): string } if (isset($_SERVER[$type])) { - return self::getFirst($_SERVER[$type]); + return self::parseFrom($_SERVER[$type]); } // Not found: try to fall back to direct address if proxy has been requested. @@ -64,7 +64,7 @@ public static function get(string $type): string // // Client can itself send HTTP_X_FORWARDED_FOR header fooling us // regarding which IP should be banned. - return self::getFirst($_SERVER[self::REMOTE_ADDR]); + return self::parseFrom($_SERVER[self::REMOTE_ADDR]); } return ''; @@ -91,7 +91,13 @@ public static function getRaw(string $type): string */ public static function getServer(): string { - return isset($_SERVER['SERVER_ADDR']) ? self::getFirst($_SERVER['SERVER_ADDR']) : ''; + return array_key_exists('SERVER_ADDR', $_SERVER) ? self::parseFrom($_SERVER['SERVER_ADDR']) : ''; + } + + + private static function parseFrom(string $maybe_list_of_ip_addresses): string + { + return self::validate(self::getFirst($maybe_list_of_ip_addresses)) ?? ''; } 
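Review bot: A header that is present but fails validation now makes `get()` return '' straight away, because `isset($_SERVER[$type])` is true and `self::parseFrom()` yields '' — it never reaches the REMOTE_ADDR fallback in the next hunk. That is arguably the right call (behind a proxy, REMOTE_ADDR is typically the proxy itself, so falling back would expose the proxy's own address to ban/lock logic), but the choice is silent; a one-line comment above the return would make it explicit: `// Present but invalid: return '' rather than fall back to REMOTE_ADDR, which behind a proxy is the proxy itself.`. The same '' result applies to the REMOTE_ADDR path at -64; callers that key bans or locks on the returned value are outside this diff, so confirm they treat '' as "unknown" rather than as an address. `get()` begins before this hunk.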
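Review bot: `getServer()` switches from `isset` to `array_key_exists` while `get()` in the first hunk of this file keeps `isset`; besides the inconsistency, `array_key_exists` lets a null `SERVER_ADDR` value reach `parseFrom(string $maybe_list_of_ip_addresses)`, which is a TypeError since the parameter is non-nullable, whereas `isset` was null-safe. Either keep `isset` here or use `array_key_exists` in both places. `parseFrom` is also the only new method without a docblock — `validate` in the next hunk has one — so add e.g. `/** Return the first IP address from $maybe_list_of_ip_addresses if it is valid, empty string otherwise. */`.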
@@ -108,4 +114,13 @@ private static function getFirst(string $ip_addresses): string $ips = \array_map('trim', \explode(',', $ip_addresses)); return $ips[0]; } + + + /** + * Validate given $ip_address, return null if invalid. + */ + private static function validate(string $ip_address): ?string + { + return \filter_var($ip_address, FILTER_VALIDATE_IP, FILTER_NULL_ON_FAILURE); + } } diff --git a/tests/unit/src/Cases/Setup/IpAddressValidationTest.php b/tests/unit/src/Cases/Setup/IpAddressValidationTest.php new file mode 100644 index 0000000..7e2c947 --- /dev/null +++ b/tests/unit/src/Cases/Setup/IpAddressValidationTest.php @@ -0,0 +1,50 @@ +23.23.23.23'; + // Invalid IP with valid format + $_SERVER[IpAddress::HTTP_X_REAL_IP] = '256.256.256.256'; + } + + + protected function tearDown(): void + { + unset($_SERVER[IpAddress::REMOTE_ADDR]); + unset($_SERVER[IpAddress::HTTP_X_FORWARDED_FOR]); + unset($_SERVER[IpAddress::HTTP_X_REAL_IP]); + + parent::tearDown(); + } + + + public function provideRemoteAddressGetterData(): array + { + return [ + 'valid IP' => [IpAddress::REMOTE_ADDR, '23.23.23.23'], + 'Cross-Site Scripting attempt' => [IpAddress::HTTP_X_FORWARDED_FOR, ''], + 'Invalid IP with valid format' => [IpAddress::HTTP_X_REAL_IP, ''], + ]; + } + + + /** + * @dataProvider provideRemoteAddressGetterData + */ + public function testRemoteAddressGetter(string $connection_type, ?string $ip_address): void + { + $this->assertSame($ip_address, IpAddress::get($connection_type)); + } +} From a76afb65b4215d325b3036f69dd8d01ac7263d38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=8Ceslav=20Przywara?= Date: Tue, 11 Apr 2023 19:31:04 +0200 Subject: [PATCH 3/4] Update list of supported PHP versions in PHP version check Fixes #137. --- CHANGELOG.md | 1 + .../Security/Modules/Checklist/Checks/PhpVersionSupported.php | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a2d1ca..1fc5878 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
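Review bot: The docblock on `validate` should say what "valid" means here: `FILTER_VALIDATE_IP` without flags accepts both IPv4 and IPv6 and does not reject private, reserved or loopback ranges, e.g. `Validate given $ip_address (IPv4 or IPv6, any range including private and reserved), return null if invalid.`. If such ranges should ever be rejected, `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE` are the flags to pass, though for a blocklist keeping them accepted is probably intended. Note that `validate` only sees the first element that `getFirst` picks from a comma-separated header, so for a forwarded-for header the value checked is the client-supplied leftmost entry, as the comment at -64 already notes; `getFirst`'s signature lies before this hunk.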
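Review bot: The provider covers a valid IPv4, a script-injection string and an out-of-range dotted quad, but not an IPv6 address or a comma-separated header, which is the `getFirst` path that `parseFrom` now wraps and the case most likely to regress (e.g. a constructed fixture `'2001:db8::1, 10.0.0.1'` expected to yield `'2001:db8::1'`); adding one dataset per case would pin both. `testRemoteAddressGetter` also declares `?string $ip_address` although `IpAddress::get()` returns `string` and every dataset supplies a string, so `string $ip_address` is the accurate type. The start of this hunk appears truncated in this view (the setUp lines preceding `23.23.23.23'` are missing), so the exact injection fixture could not be checked.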
@@ -3,6 +3,7 @@ ## Version 0.20.1 (????-??-??) * Validate IP addresses to avoid potential security issues [#138](https://github.com/chesio/bc-security/issues/138). +* List of supported PHP versions for PHP version check has been updated to include PHP 8.2 and exclude PHP 7.4 [#137](https://github.com/chesio/bc-security/issues/137). ## Version 0.20.0 (2023-03-31) diff --git a/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php b/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php index ef015c1..8bb3ecd 100644 --- a/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php +++ b/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php @@ -8,11 +8,13 @@ class PhpVersionSupported extends Checklist\BasicCheck { /** * @var array List of supported PHP versions and their end-of-life dates + * + * @link https://www.php.net/supported-versions.php */ private const SUPPORTED_VERSIONS = [ - '7.4' => '2022-11-28', '8.0' => '2023-11-26', '8.1' => '2024-11-25', + '8.2' => '2025-12-08', ]; From 273c6205087bab0a89c8fdc0285dba74dc7c28dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=8Ceslav=20Przywara?= Date: Tue, 11 Apr 2023 19:32:22 +0200 Subject: [PATCH 4/4] Finish preparation for release of version 0.20.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1fc5878..945be29 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # BC Security Changelog -## Version 0.20.1 (????-??-??) +## Version 0.20.1 (2023-04-11) * Validate IP addresses to avoid potential security issues [#138](https://github.com/chesio/bc-security/issues/138). * List of supported PHP versions for PHP version check has been updated to include PHP 8.2 and exclude PHP 7.4 [#137](https://github.com/chesio/bc-security/issues/137).
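Review bot: With 7.4 removed from `SUPPORTED_VERSIONS`, any PHP version not in the table (7.4 or, later, 8.3+) has no end-of-life date at all, and the code that consumes the table lies outside this hunk, so confirm it reports an unlisted version as unsupported rather than silently passing the check. The dates are hard-coded and drift from the linked page over time; the new `@link` helps, and a short reminder next to it, `Refresh on every release; an unlisted version must be treated as unsupported.`, would make the maintenance contract explicit. The enclosing class continues outside the hunk.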