Implement proper whitelist

PhpGt · Dec 15, 2018 · 45b3243 · 45b3243
1 parent 097d2fb
commit 45b3243
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 30 deletions.
diff --git a/src/Protection.php b/src/Protection.php
@@ -5,19 +5,33 @@ class Protection {
 	/**
 	 * Pass in an optional whitelist to allow the specified globals to remain set. This is
 	 * useful for tools like XDebug which require access to the $_COOKIE superglobal.
+	 *
+	 * The first parameter is the contents of the $GLOBALS superglobal.
+	 *
+	 * The second parameter is a 2D array describing which keys to whitelist
+	 * within each GLOBAL. For example: ["_ENV" => ["keepThis", "andKeepThis"]]
 	 */
 	public static function removeGlobals(
 		array &$globalsToDeregister,
-		string...$whiteList
+		array $whiteList = []
 	):array {
 		$keep = [];
 
-		foreach($whiteList as $whiteListKey) {
-			if(!isset($globalsToDeregister[$whiteListKey])) {
+		foreach($whiteList as $globalName => $keysToKeep) {
+			if(!isset($globalsToDeregister[$globalName])) {
 				continue;
 			}
 
-			$keep[$whiteListKey] = $globalsToDeregister[$whiteListKey];
+			$keep[$globalName] = [];
+			$thisGlobal = $globalsToDeregister[$globalName];
+
+			foreach($keysToKeep as $key) {
+				if(!isset($thisGlobal[$key])) {
+					continue;
+				}
+
+				$keep[$globalName][$key] = $thisGlobal[$key];
+			}
 		}
 
 		$globalsToDeregister = $keep;

diff --git a/test/unit/ProtectionTest.php b/test/unit/ProtectionTest.php
@@ -8,15 +8,16 @@
 
 class ProtectionTest extends TestCase {
 	public function testRemoveGlobals() {
-		$testGlobals = [
+		$globals = [
 			"_ENV" => [
 				"somekey" => "somevalue",
 			]
 		];
-		self::assertArrayHasKey("somekey", $testGlobals["_ENV"]);
-		Protection::removeGlobals($testGlobals);
-		self::assertArrayNotHasKey("_ENV", $testGlobals);
-		self::assertNotNull($testGlobals);
+
+		self::assertArrayHasKey("somekey", $globals["_ENV"]);
+		Protection::removeGlobals($globals);
+		self::assertArrayNotHasKey("_ENV", $globals);
+		self::assertNotNull($globals);
 	}
 
 	public function testOverride() {
@@ -27,13 +28,19 @@ public function testOverride() {
 		$files = [];
 		$cookie = [];
 		$session = [];
-		$testGlobals = [
+		$globals = [
 			"_ENV" => $env,
 		];
-		self::assertEquals("somevalue", $testGlobals["_ENV"]["somekey"]);
+
+		self::assertEquals(
+			"somevalue",
+			$globals["_ENV"]["somekey"]
+		);
+
 		self::assertEquals("somevalue", $env["somekey"]);
+
 		Protection::overrideInternals(
-			$testGlobals,
+			$globals,
 			$env,
 			$server,
 			$get,
@@ -55,15 +62,19 @@ public function testWhitelist() {
 		$files = [];
 		$cookie = [];
 		$session = [];
-		$testGlobals = [
+		$globals = [
 			"_ENV" => $env,
 		];
 		Protection::removeGlobals(
-			$env,
-			"anotherkey"
+			$globals,
+			[
+				"_ENV" => [
+					"anotherkey",
+				],
+			]
 		);
 		Protection::overrideInternals(
-			$testGlobals,
+			$globals,
 			$env,
 			$server,
 			$get,
@@ -86,7 +97,7 @@ public function testWhitelistMany() {
 		$files = [];
 		$cookie = [];
 		$session = [];
-		$testGlobals = [
+		$globals = [
 			"_ENV" => $env,
 			"_SERVER" => $server,
 			"_GET" => $get,
@@ -95,22 +106,23 @@ public function testWhitelistMany() {
 
 		Protection::removeGlobals($env);
 		Protection::removeGlobals($server);
-		$getToKeep = Protection::removeGlobals(
-			$get,
-			"date",
-			"name"
-		);
-		$postToKeep = Protection::removeGlobals(
-			$post,
-			"postkey2",
-			"this-does-not-exist"
+		$fixedGlobals = Protection::removeGlobals(
+			$globals,
+			[
+				"_GET" => [
+					"date",
+					"name"
+				],
+				"_POST" => [
+					"postkey2",
+					"this-does-not-exist"
+				],
+			]
+
 		);
 
 		Protection::overrideInternals(
-			[
-				"_GET" => $getToKeep,
-				"_POST" => $postToKeep,
-			],
+			$fixedGlobals,
 			$env,
 			$server,
 			$get,