grahamcampbell / laravel-security Goto Github PK

View Code? Open in Web Editor NEW

227.0 15.0 30.0 399 KB

A wrapper of voku/anti-xss for Laravel

Home Page: https://gjcampbell.co.uk

License: MIT License

PHP 100.00%

hacktoberfest

laravel-security's Introduction

Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.

Installation

This version requires PHP 8.0-8.3 and supports Laravel 9-11.

Security	L5.5	L5.6	L5.7	L5.8	L6	L7	L8	L9	L10	L11
5.1	✅	✅	✅	❌	❌	❌	❌	❌	❌	❌
6.2	✅	✅	✅	✅	✅	❌	❌	❌	❌	❌
7.1	✅	✅	✅	✅	✅	✅	❌	❌	❌	❌
8.0	❌	❌	❌	❌	✅	✅	❌	❌	❌	❌
9.1	❌	❌	❌	❌	✅	✅	✅	✅	❌	❌
10.0	❌	❌	❌	❌	❌	❌	✅	✅	❌	❌
11.2	❌	❌	❌	❌	❌	❌	❌	✅	✅	✅

To get the latest version, simply require the project using Composer:

$ composer require "graham-campbell/security:^11.2"

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,

Configuration

Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil configuration

This option ('evil') defines the evil attributes and tags, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.

Usage

Security

This is the class of most interest. It is bound to the ioc container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string removing XSS vulnerabilities, on a best effort basis.

Facades\Security

This facade will dynamically pass static method calls to the 'security' object in the ioc container which by default is the Security class.

SecurityServiceProvider

This class contains no public methods of interest. This class should be added to the providers array in config/app.php. This class will setup ioc bindings.

Further Information

You may see an example of implementation in Laravel Binput.

Security

If you discover a security vulnerability within this package, please send an email to [email protected]. All security vulnerabilities will be promptly addressed. You may view our full security policy here.

License

Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

laravel-security's People

Contributors

Stargazers

Watchers

laravel-security's Issues

[Insight] Unused method, property, variable or parameter

in src/GrahamCampbell/Security/Classes/Security.php, line 47

This converted local variable is declared but never used. You should remove it.

            return $string;
        }

        $string = $this->checks($string);

        $converted = $string;

        $string = $this->neverAllowed($string);
        $string = $this->tags($string);
        $string = $this->compact($string);
        $string = $this->links($string);

Posted from SensioLabsInsight

PHP 5.4

Hello Graham,

I am trying to use your class under php 5.4, but i see in the composer.json file that you require php 5.5

Is php 5.5 really necessary as requirement?

I cannot install the lib with php 5.4. It gives me the following error on composer install

  Problem 1
    - graham-campbell/security v3.1.0 requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
    - graham-campbell/security 3.1.x-dev requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
    - Installation request for graham-campbell/security ~3.1 -> satisfiable by graham-campbell/security[3.1.x-dev, v3.1.0].

I manually downloaded the Security.php file from https://github.com/GrahamCampbell/Laravel-Security/blob/master/src/Security.php and its working fine on php 5.4

If php 5.5 is not really required, can you reduce the version to 5.4, so i can include this as dependency in my composer.json

Cheers :)

Package usage

Hi,

I don't understand how to use this package. i have installed, but i don't know where to use security facade, website link not working https://gjcampbell.co.uk/

Please guide me how to use this package.

Thanks,

[Proposal] Support For Other Encodings Besides UF8

It won't save a copy pasted doc it just saves blank I have to convert to utf8 for it to save, thus stripping most of the formatting. Let me know if I could help any further.

error when install

laravel 8
php 7.4

XSS Decoding Issue

The following payload successfully bypasses your filtering mechanisms:
http://jsfiddle.net/gVMLD/

As, Alex pointed out on twitter before that the filter is decoding certain entities. So, i tried to figure out more about the behaviour, and it seems like if we double encode a payload, it manages to bypass the filter, due to the fact that the filter is decoding the entities once, it is advised that the filter should not be encoding any html entities.

Bug reported by @rafaybaloch.

add removeEvilHtmlTags

Can you add method removeEvilHtmlTags ?

It's to authorize Iframe like Youtube.

$antiXss->removeEvilHtmlTags(array('iframe'));

XSS

This payload is bypassing your xss filters.
http://jsfiddle.net/y4mP4/1/

I get the error.

Symfony\Component\Debug\Exception\FatalErrorException
…/vendor/graham-campbell/security/src/GrahamCampbell/Security/Classes/Security.php106

syntax error, unexpected ')'

php version: 5.4.17.

Please fix it .

Question/Enhancement: Allow NULL value in Security::process()

Argument 1 passed to GrahamCampbellSecuritySecurity::process() must be of the type string, null given, called in /var/www/umb2b/vendor/graham-campbell/security/src/Security.php on line 82
The middleware Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull (Laravel 5.5) converts empty strings to NULL values. This forces you to define (sometimes messy) exceptions using Request::except() in order to use Security::*.
Is there a need for the type-hint string in process()?

XSS Issue

The following can get through the filter:

<a$href="data:text/html,%style=""3cscript>alert((1)</sstyle=""cript>" onerror=>hello

As you can see, there's multiple bugs in there which together leaves:

<a href="data:text/html,%3cscript>alert (1)</script>" />hello

Bug reported by @avlidienbrunn.

Support for Laravel 10

Hi Graham, can we get support for Laravel 10? Thanks

using percentages in text breaks the clean method

Hi Graham,

I've noticed that something seems to be broken with the parsing of % signs in text. I think this bug was introduced the last time you synced your package with codeIgniter.

Input: 100% received
Expected: 100% received
Actual: 100%received

Input: 100% better
Expected: 100% better
Actual: 100¾tter

It seems that because on line 103 spaces are removed from the input when a % sign is present in the string, 100% better => the urlDecodeSpaces method receives % be, and this gets converted to %be, and then converted by rawurldecode to ¾

I'm not sure what this part of the code is actually supposed to be doing so sadly I can't think of any way to fix it short of commenting it out.

[Suggestion] use middleware

i was thinking of making a middleware like one of the global input modifier that comes pre-installed with laravel , so here it is in case someone is after the same usability

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\TransformsRequest;

class CleanEvilInput extends TransformsRequest
{
    /**
     * The attributes that should not be edited.
     *
     * @var array
     */
    protected $except = [];

    /**
     * Transform the given value.
     *
     * @param string $key
     * @param mixed  $value
     *
     * @return mixed
     */
    protected function transform($key, $value)
    {
        if (in_array($key, $this->except, true)) {
            return $value;
        }

        return is_string($value) && $value !== '' 
            ? app('security')->clean($value) 
            : $value;
    }
}

protected $middleware = [
    // ...
    \App\Http\Middleware\CleanEvilInput::class,
];

@GrahamCampbell i can make a PR if u want.

Vulnerabilities And Demo

Hi,

Recently, I worked with CodeIgniter's guys and we have added some changes in the CodeIgniter's xss_clean function. I found some bypasses and support has been added plus addition of some new naughty elements.

The details can be found here: bcit-ci/CodeIgniter#2667

Would you also please upgrade this Laravel-Security port? Thanks!

please add security clickjack

hey
i found https://github.com/getspooky/Laravel-Mitnick it have multi middleware and contain multi security like clickjack

Hello Graham

Any chance that I we might expect a 4.2 compatible version any time soon?

HTML filtering problem

Incorrect behaviour, if no config provided

PHP version: 8.0.9

Description
If the project doesn't have a security config, false positives are happening in some cases.
For example the string 'attribute1 <= 1 and attribute2 = 2' becomes 'attribute1 <= 1 and attribute2 '

How to reproduce
If the project doesn't have a security config, then a value from vendor/graham-campbell/security/config/security.php:26 is used. A small example, which emulates this situation.

        $query = 'attribute1 <= 1 and attribute2 = 2';
        $security = Security::create([
            'attributes' => null,
            'tags'       => null,
        ]);
        $cleanQuery= $security->clean($query);

        var_dump(html_entity_decode($cleanQuery));  // string(31) "attribute1 <= 1 and attribute2 "
        var_dump($query === html_entity_decode($cleanQuery));  // bool(false)

HHVM Compatability

12 tests currently fail on hhvm-nightly on travis.

THIS IS NOT AN ISSUE WITH THIS PACKAGE, BUT IS AN ISSUE WITH HHVM.

Expected output:

PHPUnit 4.2.2 by Sebastian Bergmann.

Configuration read from /home/travis/build/GrahamCampbell/Laravel-Security/phpunit.xml

....................................................

Time: 4.64 seconds, Memory: 15.75Mb

OK (52 tests, 53 assertions)

Actual output:

PHPUnit 4.2.2 by Sebastian Bergmann.

Configuration read from /home/travis/build/GrahamCampbell/Laravel-Security/phpunit.xml

.............F........F..F....FFFF....F.F.F...FF....

Time: 4.1 seconds, Memory: 19.87Mb

There were 12 failures:

1) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #9 ('<iframe/src="javascript:a=[alert&lpar;1&rpar;,confirm&#40;2&#41;,prompt%283%29];eval(a[0]);">', '&lt;iframe/src="[removed]a=[alert&#40;1&#41;,confirm&#40;2&#41;,prompt&#40;3&#41;];eval&#40;a[0]&#41;;"&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;iframe/src="[removed]a=[alert&#40;1&#41;,confirm&#40;2&#41;,prompt&#40;3&#41;];eval&#40;a[0]&#41;;"&gt;'

+'&lt;iframe/src="[removed]a=[alert&lpar;1&rpar;,confirm&#40;2&#41;,prompt&#40;3&#41;];eval&#40;a[0]&#41;;"&gt;'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

2) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #18 ('<form/action=javascript&#x0003A;eval(setTimeout(confirm(1)))><input/type=submit>', '&lt;form/action=javascript&#x0003;A;eval&#40;setTimeout(confirm(1&#41;))&gt;&lt;input/type=submit>')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;form/action=javascript&#x0003;A;eval&#40;setTimeout(confirm(1&#41;))&gt;&lt;input/type=submit>'

+'&lt;form/action=javascriptA;eval&#40;setTimeout(confirm(1&#41;))&gt;&lt;input/type=submit>'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

3) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #21 ('<object/type="text/x-scriptlet"/data="data:X,&#60script&#62setInterval&lpar;\'prompt(1)\',10&rpar;&#60/script&#62"></object>', '&lt;object/type="text/x-scriptlet"/data="data:X,[removed]setInterval(\'prompt&#40;1&#41;\',10;)[removed]"&gt;&lt;/object>')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;object/type="text/x-scriptlet"/data="data:X,[removed]setInterval('prompt&#40;1&#41;',10;)[removed]"&gt;&lt;/object>'

+'&lt;object/type="text/x-scriptlet"/data="data:X,[removed]setInterval&lpar;'prompt&#40;1&#41;',10;&rpar;[removed]"&gt;&lt;/object>'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

4) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #26 ('<object/data="data&colon;X&comma;&lt;script&gt;alert&#40;1&#41;%3c&sol;script%3e">', '&lt;object/data="data:X,[removed]alert&#40;1&#41;[removed]"&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;object/data="data:X,[removed]alert&#40;1&#41;[removed]"&gt;'

+'&lt;object/data="data&colon;X&comma;[removed]alert&#40;1&#41;&lt;&sol;script>">'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

5) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #27 ('<form/action=javascript&#x3A;void(1)&quest;void(1)&colon;alert(1)><input/type=\'submit\'>', '&lt;form/action=[removed]void(1)?void(1):alert&#40;1&#41;&gt;&lt;input/type=\'submit\'>')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;form/action=[removed]void(1)?void(1):alert&#40;1&#41;&gt;&lt;input/type='submit'>'

+'&lt;form/action=[removed]void(1)&quest;void(1)&colon;alert&#40;1&#41;&gt;&lt;input/type='submit'>'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

6) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #28 ('<iframe/srcdoc=\'&lt;iframe&sol;onload&equals;confirm(&sol;&iexcl;&hearts;&xcup;&sol;)&gt;\'>', '&lt;iframe srcdoc=\'&lt;iframe/>\'>')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;iframe srcdoc='&lt;iframe/>'>'

+'&lt;iframe/srcdoc='&lt;iframe&sol;onload&equals;confirm&#40;&sol;¡♥&xcup;&sol;&#41;>'>'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

7) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #29 ('<meta/http-equiv="refresh"/content="0;url=javascript&Tab;:&Tab;void(alert(0))?0:0,0,prompt(0)">', '&lt;meta/http-equiv="refresh"/content="0;url=[removed] void(alert&#40;0&#41;)?0:0,0,prompt&#40;0&#41;"&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;meta/http-equiv="refresh"/content="0;url=[removed] void(alert&#40;0&#41;)?0:0,0,prompt&#40;0&#41;"&gt;'

+'&lt;meta/http-equiv="refresh"/content="0;url=javascript&Tab;:&Tab;void(alert&#40;0&#41;)?0:0,0,prompt&#40;0&#41;"&gt;'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

8) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #34 ('<iframe/src="j&Tab;AVASCRIP&NewLine;t:\\u0061ler\\u0074&#x28;1&#x29;">', '&lt;iframe/src="[removed]\\\\u0061;ler\\\\u0074;(1)"&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;iframe/src="[removed]\\u0061;ler\\u0074;(1)"&gt;'

+'&lt;iframe/src="j&Tab;AVASCRIP&NewLine;t:\\u0061;ler\\u0074;(1)"&gt;'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

9) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #36 ('<embed/src=javascript&colon;\\u0061&#x6C;&#101%72t&#x28;1&#x29;>', '&lt;embed/src=[removed]\\u0061;lert(1)&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;embed/src=[removed]\u0061;lert(1)&gt;'

+'&lt;embed/src=javascript&colon;\u0061;lert(1)&gt;'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

10) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #38 ('<style/&Tab;/onload=;&Tab;this&Tab;.&Tab;onload=confirm(1)>', '&lt;style / this . &gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;style / this . &gt;'

+'&lt;style &Tab;/&gt;'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

11) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #42 ('<img/id="confirm&lpar;1&#x29;"/alt="/"src="/"onerror=eval(id&#x29;>', '<img/id="confirm&#40;1&#41;"alt="/"src="/">')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'<img/id="confirm&#40;1&#41;"alt="/"src="/">'

+'<img/id="confirm&lpar;1)"alt="/"src="/">'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

12) GrahamCampbell\Tests\Security\SecurityTest::testCleanString with data set #43 ('<iframe/src="data&colon;text&sol;html,<s&Tab;cr&Tab;ip&Tab;t>confirm(1)</script>">', '&lt;iframe/src="data:text/html,[removed]confirm&#40;1&#41;[removed]"&gt;')

Failed asserting that two strings are equal.

--- Expected

+++ Actual

@@ @@

-'&lt;iframe/src="data:text/html,[removed]confirm&#40;1&#41;[removed]"&gt;'

+'&lt;iframe/src="data&colon;text&sol;html,&lt;s&Tab;cr&Tab;ip&Tab;t>confirm&#40;1&#41;[removed]">'

/home/travis/build/GrahamCampbell/Laravel-Security/tests/SecurityTest.php:222

FAILURES!

Tests: 52, Assertions: 53, Failures: 12.

The failing tests can be found here: https://github.com/GrahamCampbell/Laravel-Security/blob/master/tests/SecurityTest.php.

Related to facebook/hhvm#3181.

The char variable is never used, and the character variable is undefined.

                $replace = array();
                $matches = array_unique(array_map('strtolower', $matches[0]));
                for ($i = 0; $i < $c; $i++) {
                    if (($char = array_search($matches[$i].';', $entities, true)) !== false) {
                        $replace[$matches[$i]] = $character;
                    }
                }

                $str = str_ireplace(array_keys($replace), array_values($replace), $str);

grahamcampbell / laravel-security Goto Github PK

laravel-security's Introduction

Laravel Security

Installation

Configuration

Evil configuration

Replacement string

Usage

Security

Facades\Security

SecurityServiceProvider

Further Information

Security

License

For Enterprise

laravel-security's People

Contributors

Stargazers

Watchers

Forkers

laravel-security's Issues

Recommend Projects

Recommend Topics

Recommend Org