diff --git a/src/Exceptions/RuleAlreadyExist.php b/src/Exceptions/RuleAlreadyExist.php index 1dc2fab..3995594 100644 --- a/src/Exceptions/RuleAlreadyExist.php +++ b/src/Exceptions/RuleAlreadyExist.php @@ -8,5 +8,5 @@ class RuleAlreadyExist extends Exception { /** * @var string */ - protected $message = 'The rule already exist in the file'; + protected $message = 'The rule already exists in the file'; } \ No newline at end of file diff --git a/src/RuleContent.php b/src/RuleContent.php index 61d339a..8b5b2f5 100644 --- a/src/RuleContent.php +++ b/src/RuleContent.php @@ -29,11 +29,15 @@ public function getContent() : array { $result = ''; $templateContent = implode( PHP_EOL, $this->content ); - foreach ( $this->templateVars as $var => $replacements ) { $tmp_result = $templateContent; foreach ( $replacements as $key => $replacement ) { - $tmp_result = str_replace( sprintf( '{{%s}}', $key ), $replacement, $tmp_result ); + if ( preg_match( '/.+\/.+/', $key ) ) { + $tmp_result = implode( PHP_EOL, $replacement ); + $tmp_result = str_replace( '{{file}}', $key, $tmp_result ); + } else { + $tmp_result = str_replace( sprintf( '{{%s}}', $key ), $replacement, $tmp_result ); + } } $result .= $tmp_result; } diff --git a/src/SubCommands/BlockAccessToSensitiveDirectories.php b/src/SubCommands/BlockAccessToSensitiveDirectories.php index dc1b2b2..2533da6 100644 --- a/src/SubCommands/BlockAccessToSensitiveDirectories.php +++ b/src/SubCommands/BlockAccessToSensitiveDirectories.php @@ -7,7 +7,7 @@ class BlockAccessToSensitiveDirectories extends SubCommand { public string $ruleName = 'BLOCK ACCESS TO SENSITIVE DIRECTORIES'; public string $successMessage = 'Block Access to Sensitive Directories rule has been deployed.'; public string $removalMessage= 'Block Access to Sensitive Directories rule has been removed.'; - + /** * @var string Default directories that we are going to protect */ 
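Review bot: The new branch in getContent() overwrites `$tmp_result` wholesale with `implode( PHP_EOL, $replacement )`, so `$templateContent` and any substitution already applied for an earlier key of the same `$replacements` set are discarded; this only works because the caller emits one-key sets for path entries, an implicit coupling between RuleContent and BlockAccessToSensitiveFiles that nothing in this class states. Selecting the branch by the shape of the key (`preg_match( '/.+\/.+/', $key )`) is fragile as well: the path branch receives an array of template lines while the plain branch receives a string, so `if ( is_array( $replacement ) )` expresses the real distinction, and a string `$replacement` under a slash-containing key would otherwise reach implode() and fail. A comment above the branch, e.g. `// Path entries carry their own sub-template as an array of lines; the key is the path injected as {{file}}`, would make the contract visible to the next maintainer. getContent() continues past the end of the hunk.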
@@ -16,18 +16,15 @@ class BlockAccessToSensitiveDirectories extends SubCommand { /** * @return array */ - public function getTemplateVars() : array { + public function getTemplateVars() { $directories = $this->commandArguments['directories'] ?? $this->sensitiveDirectories; - if (!empty($directories)) { - $directories = explode(',', $directories); - $directories = array_map('trim', $directories); - $directories_array = []; - + if ( ! empty( $directories ) ) { + $directories = explode( ',', $directories ); + $directories = array_map( 'trim', $directories ); return [ - ['directories' => implode('|', array_map('preg_quote', $directories))] + [ 'directories' => implode( '|', array_map( 'preg_quote', $directories ) ) ] ]; } - return []; } } \ No newline at end of file diff --git a/src/SubCommands/BlockAccessToSensitiveFiles.php b/src/SubCommands/BlockAccessToSensitiveFiles.php index 13e30e5..f153ed4 100644 --- a/src/SubCommands/BlockAccessToSensitiveFiles.php +++ b/src/SubCommands/BlockAccessToSensitiveFiles.php 
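Review bot: The `: array` return type has been dropped from getTemplateVars() although both branches still return arrays, and the new sibling in BlockAccessToSensitiveFiles is declared without one too; keep `public function getTemplateVars() : array {` on both (the base declaration in SubCommand is outside this diff, but a child may add a return type the parent lacks). The joined value is also interpolated into an unparenthesised regex in the nginx template changed further down (`location ~ ^.*/{{directories}}/.*$`), and since `|` has the lowest precedence, `^.*/\.git|\.svn|vendors|cache/.*$` anchors only the first and last alternatives — `vendors` or `\.svn` alone then matches any URI containing that substring, a far wider deny than the rule intends, and the list is operator-supplied via `directories`. Grouping where the value is built, `[ 'directories' => '(?:' . implode( '|', array_map( 'preg_quote', $directories ) ) . ')' ]`, fixes every template that consumes the variable; if the apache template already wraps the placeholder in parentheses, the extra group is harmless.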
@@ -7,4 +7,29 @@ class BlockAccessToSensitiveFiles extends SubCommand { public string $ruleName = 'BLOCK ACCESS TO SENSITIVE FILES'; public string $successMessage = 'Block Access to Sensitive Files rule has been deployed.'; public string $removalMessage= 'Block Access to Sensitive Files rule has been removed.'; + + public function getTemplateVars() { + $files = isset( $this->commandArguments['files'] ) ? $this->commandArguments['files'] : 'readme.html,readme.txt,wp-config.php,nginx.conf,/wp-admin/install.php,/wp-admin/upgrade.php'; + if ( ! empty( $files ) ) { + $files = explode( ',', $files ); + $files = array_map( 'trim', $files ); + $files_array = []; + + foreach ( $files as $key => $value ) { + if ( preg_match( '/.+\/.+/', $value ) ) { + $file_with_directory = $this->setRuleContent( false, 'block_access_to_sensitive_files_with_directories' ); + if ( isset( $this->commandArguments['server'] ) && $this->commandArguments['server'] === 'nginx' ) { + $file = $value; + } else { + $file = preg_quote( ltrim( $value, '/' ) ); + } + $files_array[] = [ $file => $file_with_directory ]; + } else { + $files_array[] = [ 'file' => isset( $this->commandArguments['server'] ) && $this->commandArguments['server'] === 'nginx' ? preg_quote( $value ) : $value ]; + } + } + return $files_array; + } + return []; + } } \ No newline at end of file diff --git a/src/SubCommands/SubCommand.php b/src/SubCommands/SubCommand.php index ffd5757..d188df9 100644 --- a/src/SubCommands/SubCommand.php +++ b/src/SubCommands/SubCommand.php 
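Review bot: `setRuleContent( false, 'block_access_to_sensitive_files_with_directories' )` is called inside the loop, so the sub-template file is opened and read once per path entry although its content does not depend on `$value`; it should be read once before the loop. The quoting is also mirrored between the two branches — a path entry is `preg_quote`d for apache and passed raw for nginx, while a plain file name is passed raw for apache and `preg_quote`d for nginx — which is only correct if the plain-file templates (not in this diff) use a regex context for nginx and a literal one for apache, so that pairing deserves a comment or a check. Because every entry ends up verbatim in generated server configuration, constraining it to a plain path character set before substitution keeps whitespace, `;` or `{` from altering the config structure; the rewrite below does that, hoists the template read, drops the unused `$key`, and restores the `: array` return type the sibling command previously carried.
```php
public function getTemplateVars() : array {
    $files = $this->commandArguments['files'] ?? 'readme.html,readme.txt,wp-config.php,nginx.conf,/wp-admin/install.php,/wp-admin/upgrade.php';
    if ( empty( $files ) ) {
        return [];
    }
    $isNginx = isset( $this->commandArguments['server'] ) && $this->commandArguments['server'] === 'nginx';
    // Read the sub-template once; reading it per entry only repeats the same file I/O.
    $fileWithDirectory = $this->setRuleContent( false, 'block_access_to_sensitive_files_with_directories' );
    $filesArray = [];
    foreach ( array_map( 'trim', explode( ',', $files ) ) as $value ) {
        // Only plain path characters may reach the generated server config (sample pattern — adjust to the supported set).
        if ( ! preg_match( '#^/?[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$#', $value ) ) {
            throw new \InvalidArgumentException( sprintf( 'Unsupported file entry: %s', $value ) );
        }
        if ( preg_match( '/.+\/.+/', $value ) ) {
            // nginx `location =` compares the whole URI, so the entry must start with '/';
            // the apache pattern is a regex relative to the directory (assumes .htaccess context — confirm).
            $file = $isNginx ? '/' . ltrim( $value, '/' ) : preg_quote( ltrim( $value, '/' ) );
            $filesArray[] = [ $file => $fileWithDirectory ];
        } else {
            $filesArray[] = [ 'file' => $isNginx ? preg_quote( $value ) : $value ];
        }
    }
    return $filesArray;
}
```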
@@ -101,30 +101,37 @@ private function setFilePath() : string { /** * Reads rule template file. Depending on output type, returns an array * - * @return array + * @param boolean $loadVars Whether to load the template vars or not. + * @param boolean $template Template name to return instead of the loaded one. + * + * @return string|array */ - private function setRuleContent() : array { + protected function setRuleContent( bool $loadVars = true, bool|string $template = false ) : string|array { //Return an empty array in case when the executed command does not require a template - if($this->ruleTemplate === '') { + if($this->ruleTemplate === '' && ! $template ) { return []; } $templateFilePath = dirname(__DIR__) . DIRECTORY_SEPARATOR . 'Templates' . DIRECTORY_SEPARATOR . $this->serverType . DIRECTORY_SEPARATOR . - $this->ruleTemplate . '.tpl'; + ( $template ? $template : $this->ruleTemplate ) . '.tpl'; $result = []; $file = new \SplFileObject($templateFilePath); + while(!$file->eof()) { $result[] = rtrim($file->current(), "\n"); $file->next(); } unset($file); - //Combine templates and command arguments, if any - //This is used for block-access command - $result = new RuleContent( $result, $this->getTemplateVars() ); + if ( $loadVars ) { + //Combine templates and command arguments, if any + //This is used for block-access command + $result = new RuleContent( $result, $this->getTemplateVars() ); + $result = $result->getContent(); + } - return $result->getContent(); + return $result; } /** diff --git a/src/Templates/apache/block_access_to_sensitive_files_with_directories.tpl b/src/Templates/apache/block_access_to_sensitive_files_with_directories.tpl new file mode 100644 index 0000000..d6e0d12 --- /dev/null +++ b/src/Templates/apache/block_access_to_sensitive_files_with_directories.tpl @@ -0,0 +1,4 @@ + + RewriteEngine On + RewriteRule ^{{file}}$ - [F] + 
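Review bot: `bool|string $template = false` is a sentinel union — the docblock even types it `boolean` while describing a template name — and none of the visible return statements yields a string (`[]`, the `$result` line array, or `RuleContent::getContent()`, declared `: array` elsewhere in this diff), so `string|array` promises more than the method does. `protected function setRuleContent( bool $loadVars = true, ?string $template = null ) : array {`, `if ( $this->ruleTemplate === '' && $template === null ) {` and `( $template ?? $this->ruleTemplate ) . '.tpl';` keep the same behaviour with the types the only caller in this diff actually passes, and the docblock should then read `@param ?string $template Template name to load instead of $this->ruleTemplate` and `@return array Template lines, or the substituted content when $loadVars is true`. Since the method is now protected and the name is concatenated straight into the template path, reject names containing a directory separator before the concatenation, e.g. `if ( $template !== null && basename( $template ) !== $template ) { throw new \InvalidArgumentException( 'Template name must not contain a path' ); }`, so a future subclass cannot resolve a file outside the Templates directory.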
diff --git a/src/Templates/nginx/block_access_to_sensitive_directories.tpl b/src/Templates/nginx/block_access_to_sensitive_directories.tpl index 4257241..df35430 100644 --- a/src/Templates/nginx/block_access_to_sensitive_directories.tpl +++ b/src/Templates/nginx/block_access_to_sensitive_directories.tpl @@ -1,15 +1,3 @@ -location ~ ^.*/\.git/.*$ { - deny all; -} - -location ~ ^.*/\.svn/.*$ { - deny all; -} - -location ~ ^.*/vendors/.*$ { - deny all; -} - -location ~ ^.*/cache/.*$ { +location ~ ^.*/{{directories}}/.*$ { deny all; } \ No newline at end of file diff --git a/src/Templates/nginx/block_access_to_sensitive_files_with_directories.tpl b/src/Templates/nginx/block_access_to_sensitive_files_with_directories.tpl new file mode 100644 index 0000000..4625d04 --- /dev/null +++ b/src/Templates/nginx/block_access_to_sensitive_files_with_directories.tpl @@ -0,0 +1,3 @@ +location = {{file}} { + deny all; +}
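Review bot: `location = {{file}}` is an exact-URI match, so the injected value must start with `/`; the nginx branch in BlockAccessToSensitiveFiles passes the entry verbatim, and an operator-supplied `wp-admin/install.php` without the leading slash yields a location block that nginx accepts but that never matches, leaving the file unprotected with no error to notice. Normalising to a leading slash where the value is built, or at least stating the requirement in the subcommand's docblock (`{{file}} must be an absolute URI such as /wp-admin/install.php`), closes that gap. The value is also substituted without any quoting, so whitespace, `;` or `{` in an entry changes the structure of the generated config instead of being matched; restricting entries to a plain path character set before substitution is the simplest protection.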