From a25cfb435cd126d3a5ff7fa57f22aa0c1e529b41 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 20:56:49 +0530
Subject: [PATCH 1/8] Update Base.php to include 'mysql_*' in the list of restricted functions
---
src/ArchPresets/Base.php | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/ArchPresets/Base.php b/src/ArchPresets/Base.php
index 68d72937..1c492c70 100644
--- a/src/ArchPresets/Base.php
+++ b/src/ArchPresets/Base.php
@@ -23,10 +23,24 @@ final class Base extends AbstractPreset
 'dump',
 'ray',
 'die',
- 'goto',
+ 'goto',
 'var_dump',
 'phpinfo',
 'echo',
+ 'mysql_connect',
+ 'mysql_pconnect',
+ 'mysql_query',
+ 'mysql_select_db',
+ 'mysql_fetch_array',
+ 'mysql_fetch_assoc',
+ 'mysql_fetch_object',
+ 'mysql_fetch_row',
+ 'mysql_num_rows',
+ 'mysql_affected_rows',
+ 'mysql_free_result',
+ 'mysql_insert_id',
+ 'mysql_error',
+ 'mysql_real_escape_string',
 'print',
 'print_r',
 'var_export',
@@ -71,7 +85,7 @@ final class Base extends AbstractPreset
 'xdebug_stop_trace',
 'xdebug_time_index',
 'xdebug_var_dump',
- 'trap',
+ 'trap',
 ])->not->toBeUsed();
 }
 }
From e4550c8d51885308ec4da65dd33b4b312327917c Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 20:58:52 +0530
Subject: [PATCH 2/8] Update Base.php to include 'global' in the list of restricted functions
---
src/ArchPresets/Base.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/ArchPresets/Base.php b/src/ArchPresets/Base.php
index 1c492c70..5137ae12 100644
--- a/src/ArchPresets/Base.php
+++ b/src/ArchPresets/Base.php
@@ -24,6 +24,7 @@ final class Base extends AbstractPreset
 'ray',
 'die',
 'goto',
+ 'global',
 'var_dump',
 'phpinfo',
 'echo',
From 4396ee2e033a76e9b67b981aaa3ec0040ec0d4b9 Mon Sep 17 00:00:00 2001
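Review bot: The fourteen `mysql_*` entries added to the Base preset are functions that no longer exist in PHP 7 and later (the mysql extension was removed in 7.0), so on the PHP 8 range this package presumably targets they can never be called and the rule is dead weight; the same holds for `ereg`/`eregi` in patch 5's Base.php hunk. If they are kept for scanning legacy code, they are a security concern (unparameterised SQL, `mysql_real_escape_string` standing in for prepared statements) rather than a debugging leftover like `dump` or `ray`, so the Security preset is the more natural home, with a comment such as `// removed in PHP 7; kept so legacy code paths are still flagged` above the group. The `- 'goto',` / `+ 'goto',` and `- 'trap',` / `+ 'trap',` pairs change only whitespace and are better left to the formatting-only commit at the end of the series. The expectation call that opens this array starts above the hunk.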
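Review bot: `global` is a statement keyword, not a function, so whether the new entry has any effect depends on whether the arch dependency scanner records `global $x;` statements at all; the surrounding list already holds constructs such as `goto` and `echo`, which suggests it does, but that is not visible here. A fixture that declares a global and asserts the Base preset rejects it would settle the question, and a comment such as `// language constructs below are matched by name like function calls` would tell the next reader why keywords sit among function names.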
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:02:19 +0530
Subject: [PATCH 3/8] feat(presets): update Security.php to restrict additional dangerous functions
---
src/ArchPresets/Security.php | 10 +++++++++-
tests/Arch.php | 5 +++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/ArchPresets/Security.php b/src/ArchPresets/Security.php
index 8f756e44..2beafa83 100644
--- a/src/ArchPresets/Security.php
+++ b/src/ArchPresets/Security.php
@@ -23,7 +23,15 @@ final class Security extends AbstractPreset
 'tempnam',
 'str_shuffle',
 'shuffle',
- 'array_rand'
+ 'array_rand',
+ 'eval',
+ 'exec',
+ 'shell_exec',
+ 'system',
+ 'passthru',
+ 'create_function',
+ 'unserialize',
+ 'extract',
 ])->not->toBeUsed();
 }
 }
diff --git a/tests/Arch.php b/tests/Arch.php
index d3af0dbd..37420691 100644
--- a/tests/Arch.php
+++ b/tests/Arch.php
@@ -4,14 +4,15 @@ use Pest\Expectation;
 arch()->preset()->base()->ignoring([
 Expectation::class,
- 'eval',
 'debug_backtrace',
 'usleep',
 ]);
 arch()->preset()->strict();
-arch()->preset()->security();
+arch()->preset()->security()->ignoring([
+ 'eval',
+]);
 arch('globals')
 ->expect(['dd', 'dump', 'ray', 'die', 'var_dump', 'sleep'])
From 7b4dd410f662d3ba794a1e84f30033e09a3253d4 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:08:02 +0530
Subject: [PATCH 4/8] chore: update Arch.php to ignore additional functions in presets
---
tests/Arch.php | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/tests/Arch.php b/tests/Arch.php
index 37420691..9b73f809 100644
--- a/tests/Arch.php
+++ b/tests/Arch.php
@@ -5,13 +5,20 @@ use Pest\Expectation;
 arch()->preset()->base()->ignoring([
 Expectation::class,
 'debug_backtrace',
+ 'var_export',
+ 'xdebug_info',
+]);
+
+arch()->preset()->strict()->ignoring([
 'usleep',
 ]);
-arch()->preset()->strict();
-
 arch()->preset()->security()->ignoring([
 'eval',
+ 'str_shuffle',
+ 'exec',
+ 'unserialize',
+ 'extract',
 ]);
 arch('globals')
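Review bot: `create_function` was removed in PHP 8.0, so on the PHP 8 range this package presumably targets it is a dead entry among live ones; either drop it or add a comment stating that the list deliberately covers removed functions so legacy code is still flagged. The shell-execution group (`exec`, `shell_exec`, `system`, `passthru`) leaves out `proc_open` and `popen`, which grant the same capability and are the gap a user of a "security" preset would assume is closed, so `'proc_open',` and `'popen',` belong next to them. Grouping the array by risk class with one-line headers (`// code execution`, `// process spawning`, `// variable injection`) would also make future omissions easier to spot. The method that opens this array starts above the hunk.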
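Review bot: The Security preset's ignore list for this repository now grows in step with the functions the preset restricts (`str_shuffle`, `exec`, `unserialize`, `extract` here, `assert` in patch 7), which means the new rules are silenced for the very code that defines them rather than justified; each entry is presumably a real call site under `src/`, and a reader cannot tell from this file whether that call is acceptable. A one-line reason per entry, e.g. `'unserialize', // <file>: <why the input is trusted>`, or narrowing the ignore to the file in question if `ignoring()` accepts paths, would keep the list honest. The same applies to the base-preset ignores for `var_export` and `xdebug_info` added in the first lines of the hunk.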
From 1bee283d15ac508aebf0c11e242c95a3de147914 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:09:15 +0530
Subject: [PATCH 5/8] Update Base.php to include 'ereg' and 'eregi' in the list of restricted functions
---
src/ArchPresets/Base.php | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ArchPresets/Base.php b/src/ArchPresets/Base.php
index 5137ae12..ad64459a 100644
--- a/src/ArchPresets/Base.php
+++ b/src/ArchPresets/Base.php
@@ -28,6 +28,8 @@ final class Base extends AbstractPreset
 'var_dump',
 'phpinfo',
 'echo',
+ 'ereg',
+ 'eregi',
 'mysql_connect',
 'mysql_pconnect',
 'mysql_query',
From b873b89b62e6d9660fa9d7324b5c5c80a9b4c105 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:20:32 +0530
Subject: [PATCH 6/8] Restrict additional dangerous functions in Security.php
---
src/ArchPresets/Security.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/ArchPresets/Security.php b/src/ArchPresets/Security.php
index 2beafa83..c7142748 100644
--- a/src/ArchPresets/Security.php
+++ b/src/ArchPresets/Security.php
@@ -32,6 +32,10 @@ final class Security extends AbstractPreset
 'create_function',
 'unserialize',
 'extract',
+ 'parse_str',
+ 'mb_parse_str',
+ 'dl',
+ 'assert',
 ])->not->toBeUsed();
 }
 }
From 894dca83f77731cef0e85a7101aeaf7cffe14795 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:24:57 +0530
Subject: [PATCH 7/8] chore: update Arch.php to ignore 'assert' function in presets
---
tests/Arch.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/Arch.php b/tests/Arch.php
index 9b73f809..7e1d0552 100644
--- a/tests/Arch.php
+++ b/tests/Arch.php
@@ -19,6 +19,7 @@ arch()->preset()->security()->ignoring([
 'exec',
 'unserialize',
 'extract',
+ 'assert',
 ]);
 arch('globals')
From ed3ec79aab6cfb7b6a7bc056862fc9a2f8ae5272 Mon Sep 17 00:00:00 2001
From: Punyapal Shah
Date: Tue, 11 Jun 2024 21:26:40 +0530
Subject: [PATCH 8/8] pint
---
src/Preset.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
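Review bot: `parse_str` and `mb_parse_str` are only hazardous in their one-argument form, which writes parsed keys straight into the local scope, and PHP 8.0 made the result argument mandatory; on an 8.x-only codebase these two entries therefore flag the ordinary query-string parser and will mostly produce false positives, so either drop them or add `// one-argument form injected variables before PHP 8; kept for legacy scans` to say the preset targets older code on purpose. `assert` is a different category again — a developer invariant check toggled by `zend.assertions`, not an input sink — and patch 7 having to ignore it immediately for this repository suggests it belongs in the Strict preset or needs a comment naming the risk being guarded against. The method enclosing this array starts above the hunk.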
diff --git a/src/Preset.php b/src/Preset.php
index 41ad5d64..cc7c8956 100644
--- a/src/Preset.php
+++ b/src/Preset.php
@@ -8,8 +8,8 @@ use Pest\Arch\Support\Composer;
 use Pest\ArchPresets\AbstractPreset;
 use Pest\ArchPresets\Base;
 use Pest\ArchPresets\Laravel;
-use Pest\ArchPresets\Strict;
 use Pest\ArchPresets\Security;
+use Pest\ArchPresets\Strict;
 use Pest\PendingCalls\TestCall;
 use stdClass;