From 45b32431cc45d736f54fda61f33c74d7f7407bd6 Mon Sep 17 00:00:00 2001 From: Greg Bowler Date: Sat, 15 Dec 2018 17:42:34 +0000 Subject: [PATCH] Implement proper whitelist --- src/Protection.php | 22 ++++++++++--- test/unit/ProtectionTest.php | 64 +++++++++++++++++++++--------------- 2 files changed, 56 insertions(+), 30 deletions(-) diff --git a/src/Protection.php b/src/Protection.php index 231de8c..09c9a6d 100644 --- a/src/Protection.php +++ b/src/Protection.php @@ -5,19 +5,33 @@ class Protection { /** * Pass in an optional whitelist to allow the specified globals to remain set. This is * useful for tools like XDebug which require access to the $_COOKIE superglobal. + * + * The first parameter is the contents of the $GLOBALS superglobal. + * + * The second parameter is a 2D array describing which keys to whitelist + * within each GLOBAL. For example: ["_ENV" => ["keepThis", "andKeepThis"]] */ public static function removeGlobals( array &$globalsToDeregister, - string...$whiteList + array $whiteList = [] ):array { $keep = []; - foreach($whiteList as $whiteListKey) { - if(!isset($globalsToDeregister[$whiteListKey])) { + foreach($whiteList as $globalName => $keysToKeep) { + if(!isset($globalsToDeregister[$globalName])) { continue; } - $keep[$whiteListKey] = $globalsToDeregister[$whiteListKey]; + $keep[$globalName] = []; + $thisGlobal = $globalsToDeregister[$globalName]; + + foreach($keysToKeep as $key) { + if(!isset($thisGlobal[$key])) { + continue; + } + + $keep[$globalName][$key] = $thisGlobal[$key]; + } } $globalsToDeregister = $keep; diff --git a/test/unit/ProtectionTest.php b/test/unit/ProtectionTest.php index 7bdba7b..f17beea 100644 --- a/test/unit/ProtectionTest.php +++ b/test/unit/ProtectionTest.php 
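Review bot: In the inner `foreach($keysToKeep as $key)` loop of `removeGlobals`, `isset($thisGlobal[$key])` is false when a whitelisted key exists with a `null` value, so that key is silently dropped. `$thisGlobal` is also indexed without checking that it is an array, although the new docblock says the first argument is the contents of `$GLOBALS`, which can hold non-array entries. I would add `if(!is_array($thisGlobal)) { continue; }` after the assignment and test membership with `if(!array_key_exists($key, $thisGlobal)) {`. Both failure modes drop data rather than keep it, so the filter still fails closed, but a test with a null value and one with a scalar global would pin the behaviour. The end of the function, including its return, is outside this hunk, and the docblock would benefit from `@param array<string, string[]> $whiteList` to make the expected shape explicit.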
@@ -8,15 +8,16 @@ class ProtectionTest extends TestCase { public function testRemoveGlobals() { - $testGlobals = [ + $globals = [ "_ENV" => [ "somekey" => "somevalue", ] ]; - self::assertArrayHasKey("somekey", $testGlobals["_ENV"]); - Protection::removeGlobals($testGlobals); - self::assertArrayNotHasKey("_ENV", $testGlobals); - self::assertNotNull($testGlobals); + + self::assertArrayHasKey("somekey", $globals["_ENV"]); + Protection::removeGlobals($globals); + self::assertArrayNotHasKey("_ENV", $globals); + self::assertNotNull($globals); } public function testOverride() { @@ -27,13 +28,19 @@ public function testOverride() { $files = []; $cookie = []; $session = []; - $testGlobals = [ + $globals = [ "_ENV" => $env, ]; - self::assertEquals("somevalue", $testGlobals["_ENV"]["somekey"]); + + self::assertEquals( + "somevalue", + $globals["_ENV"]["somekey"] + ); + self::assertEquals("somevalue", $env["somekey"]); + Protection::overrideInternals( - $testGlobals, + $globals, $env, $server, $get, @@ -55,15 +62,19 @@ public function testWhitelist() { $files = []; $cookie = []; $session = []; - $testGlobals = [ + $globals = [ "_ENV" => $env, ]; Protection::removeGlobals( - $env, - "anotherkey" + $globals, + [ + "_ENV" => [ + "anotherkey", + ], + ] ); Protection::overrideInternals( - $testGlobals, + $globals, $env, $server, $get, @@ -86,7 +97,7 @@ public function testWhitelistMany() { $files = []; $cookie = []; $session = []; - $testGlobals = [ + $globals = [ "_ENV" => $env, "_SERVER" => $server, "_GET" => $get, 
@@ -95,22 +106,23 @@ public function testWhitelistMany() { Protection::removeGlobals($env); Protection::removeGlobals($server); - $getToKeep = Protection::removeGlobals( - $get, - "date", - "name" - ); - $postToKeep = Protection::removeGlobals( - $post, - "postkey2", - "this-does-not-exist" + $fixedGlobals = Protection::removeGlobals( + $globals, + [ + "_GET" => [ + "date", + "name" + ], + "_POST" => [ + "postkey2", + "this-does-not-exist" + ], + ] + ); Protection::overrideInternals( - [ - "_GET" => $getToKeep, - "_POST" => $postToKeep, - ], + $fixedGlobals, $env, $server, $get,