Merge pull request #25 from igorhrcek/issue-4.3

Fix sensitive directories/files functions
igorhrcek · Mar 21, 2022 · 201d1de · 201d1de
2 parents 0da90ca + dc9f3e2
commit 201d1de
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 33 deletions.
diff --git a/src/Exceptions/RuleAlreadyExist.php b/src/Exceptions/RuleAlreadyExist.php
@@ -8,5 +8,5 @@ class RuleAlreadyExist extends Exception {
     /**
      * @var string
      */
-    protected $message = 'The rule already exist in the file';
+    protected $message = 'The rule already exists in the file';
 }
diff --git a/src/RuleContent.php b/src/RuleContent.php
@@ -29,11 +29,15 @@ public function getContent() : array {
         $result = '';
         $templateContent = implode( PHP_EOL, $this->content );
 
-
         foreach ( $this->templateVars as $var => $replacements ) {
             $tmp_result = $templateContent;
             foreach ( $replacements as $key => $replacement ) {
-                $tmp_result = str_replace( sprintf( '{{%s}}', $key ), $replacement, $tmp_result );
+                if ( preg_match( '/.+\/.+/', $key ) ) {
+                    $tmp_result = implode( PHP_EOL, $replacement );
+                    $tmp_result = str_replace( '{{file}}', $key, $tmp_result );
+                } else {
+                    $tmp_result = str_replace( sprintf( '{{%s}}', $key ), $replacement, $tmp_result );
+                }
             }
             $result .= $tmp_result;
         }

diff --git a/src/SubCommands/BlockAccessToSensitiveDirectories.php b/src/SubCommands/BlockAccessToSensitiveDirectories.php
@@ -7,7 +7,7 @@ class BlockAccessToSensitiveDirectories extends SubCommand {
     public string $ruleName = 'BLOCK ACCESS TO SENSITIVE DIRECTORIES';
     public string $successMessage = 'Block Access to Sensitive Directories rule has been deployed.';
     public string $removalMessage= 'Block Access to Sensitive Directories rule has been removed.';
-
+  
     /**
      * @var string Default directories that we are going to protect
      */
@@ -16,18 +16,15 @@ class BlockAccessToSensitiveDirectories extends SubCommand {
     /**
      * @return array
      */
-    public function getTemplateVars() : array {
+    public function getTemplateVars() {
         $directories = $this->commandArguments['directories'] ?? $this->sensitiveDirectories;
-        if (!empty($directories)) {
-            $directories = explode(',', $directories);
-            $directories = array_map('trim', $directories);
-            $directories_array = [];
-
+        if ( ! empty( $directories ) ) {
+            $directories = explode( ',', $directories );
+            $directories = array_map( 'trim', $directories );
             return [
-                ['directories' => implode('|', array_map('preg_quote', $directories))]
+                [ 'directories' => implode( '|', array_map( 'preg_quote', $directories ) ) ]
             ];
         }
-
         return [];
     }
 }
diff --git a/src/SubCommands/BlockAccessToSensitiveFiles.php b/src/SubCommands/BlockAccessToSensitiveFiles.php
@@ -7,4 +7,29 @@ class BlockAccessToSensitiveFiles extends SubCommand {
     public string $ruleName = 'BLOCK ACCESS TO SENSITIVE FILES';
     public string $successMessage = 'Block Access to Sensitive Files rule has been deployed.';
     public string $removalMessage= 'Block Access to Sensitive Files rule has been removed.';
+
+    public function getTemplateVars() {
+        $files = isset( $this->commandArguments['files'] ) ? $this->commandArguments['files'] : 'readme.html,readme.txt,wp-config.php,nginx.conf,/wp-admin/install.php,/wp-admin/upgrade.php';
+        if ( ! empty( $files ) ) {
+            $files = explode( ',', $files );
+            $files = array_map( 'trim', $files );
+            $files_array = [];
+
+            foreach ( $files as $key => $value ) {
+                if ( preg_match( '/.+\/.+/', $value ) ) {
+                    $file_with_directory = $this->setRuleContent( false, 'block_access_to_sensitive_files_with_directories' );
+                    if ( isset( $this->commandArguments['server'] ) && $this->commandArguments['server'] === 'nginx' ) {
+                        $file = $value;
+                    } else {
+                        $file = preg_quote( ltrim( $value, '/' ) );
+                    }
+                    $files_array[] = [ $file => $file_with_directory ];
+                } else {
+                    $files_array[] = [ 'file' => isset( $this->commandArguments['server'] ) && $this->commandArguments['server'] === 'nginx' ? preg_quote( $value ) : $value ];
+                }
+            }
+            return $files_array;
+        }
+        return [];
+    }
 }
diff --git a/src/SubCommands/SubCommand.php b/src/SubCommands/SubCommand.php
@@ -101,30 +101,37 @@ private function setFilePath() : string {
     /**
      * Reads rule template file. Depending on output type, returns an array
      *
-     * @return array
+     * @param boolean $loadVars Whether to load the template vars or not.
+     * @param boolean $template Template name to return instead of the loaded one.
+     * 
+     * @return string|array
      */
-    private function setRuleContent() : array {
+    protected function setRuleContent( bool $loadVars = true, bool|string $template = false ) : string|array {
         //Return an empty array in case when the executed command does not require a template
-        if($this->ruleTemplate === '') {
+        if($this->ruleTemplate === '' && ! $template ) {
             return [];
         }
 
         $templateFilePath = dirname(__DIR__) . DIRECTORY_SEPARATOR . 'Templates' . DIRECTORY_SEPARATOR . $this->serverType . DIRECTORY_SEPARATOR .
-            $this->ruleTemplate . '.tpl';
+            ( $template ? $template : $this->ruleTemplate ) . '.tpl';
 
         $result = [];
         $file = new \SplFileObject($templateFilePath);
+
         while(!$file->eof()) {
             $result[] = rtrim($file->current(), "\n");
             $file->next();
         }
         unset($file);
 
-        //Combine templates and command arguments, if any
-        //This is used for block-access command
-        $result = new RuleContent( $result, $this->getTemplateVars() );
+        if ( $loadVars ) {
+            //Combine templates and command arguments, if any
+            //This is used for block-access command
+            $result = new RuleContent( $result, $this->getTemplateVars() );
+            $result = $result->getContent();
+        }
 
-        return $result->getContent();
+        return $result;
     }
 
     /**

diff --git a/src/Templates/apache/block_access_to_sensitive_files_with_directories.tpl b/src/Templates/apache/block_access_to_sensitive_files_with_directories.tpl
@@ -0,0 +1,4 @@
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^{{file}}$ - [F]
+</IfModule>
diff --git a/src/Templates/nginx/block_access_to_sensitive_directories.tpl b/src/Templates/nginx/block_access_to_sensitive_directories.tpl
@@ -1,15 +1,3 @@
-location ~ ^.*/\.git/.*$ {
-    deny all;
-}
-
-location ~ ^.*/\.svn/.*$ {
-    deny all;
-}
-
-location ~ ^.*/vendors/.*$ {
-    deny all;
-}
-
-location ~ ^.*/cache/.*$ {
+location ~ ^.*/{{directories}}/.*$ {
     deny all;
 }
diff --git a/src/Templates/nginx/block_access_to_sensitive_files_with_directories.tpl b/src/Templates/nginx/block_access_to_sensitive_files_with_directories.tpl
@@ -0,0 +1,3 @@
+location = {{file}} {
+    deny all;
+}