From b001bd60db52707c52c1c0c8e257c3f63b41929c Mon Sep 17 00:00:00 2001 From: Graham Campbell Date: Fri, 2 Jan 2015 12:05:50 +0000 Subject: [PATCH 1/3] Use Binput for xss protection --- app/config/app.php | 2 + composer.json | 9 +- composer.lock | 107 +++++++++++++++++- .../Controllers/Api/ComponentController.php | 4 +- .../Controllers/Api/IncidentController.php | 6 +- src/Http/Controllers/Api/MetricController.php | 6 +- .../Controllers/Api/MetricPointController.php | 4 +- src/Http/Controllers/AuthController.php | 6 +- src/Http/Controllers/DashAPIController.php | 6 +- .../Controllers/DashComponentController.php | 6 +- .../Controllers/DashIncidentController.php | 6 +- .../Controllers/DashSettingsController.php | 10 +- src/Http/Controllers/DashUserController.php | 4 +- src/Http/Controllers/SetupController.php | 4 +- 14 files changed, 144 insertions(+), 36 deletions(-) diff --git a/app/config/app.php b/app/config/app.php index 08a47e6f..c2ceb166 100644 --- a/app/config/app.php +++ b/app/config/app.php @@ -121,6 +121,8 @@ return [ 'Illuminate\View\ViewServiceProvider', 'Dingo\Api\Provider\ApiServiceProvider', + 'GrahamCampbell\Security\SecurityServiceProvider', + 'GrahamCampbell\Binput\BinputServiceProvider', 'GrahamCampbell\Throttle\ThrottleServiceProvider', 'GrahamCampbell\Markdown\MarkdownServiceProvider', 'Thujohn\Rss\RssServiceProvider', diff --git a/composer.json b/composer.json index cc0c4316..36d17a7a 100644 --- a/composer.json +++ b/composer.json @@ -13,13 +13,14 @@ "ext-mcrypt": "*", "ext-openssl": "*", "laravel/framework": "4.2.*", - "guzzlehttp/guzzle": "~5.0", "dingo/api": "0.8.*", - "graham-campbell/throttle": "~2.0", + "doctrine/dbal": "2.5.*", + "graham-campbell/binput": "~2.1", "graham-campbell/markdown": "~2.0", - "watson/validating": "0.10.*", + "graham-campbell/throttle": "~2.0", + "guzzlehttp/guzzle": "~5.0", "thujohn/rss": "~1.0", - "doctrine/dbal": "2.5.*" + "watson/validating": "0.10.*" }, "require-dev": { "phpunit/phpunit": "~4.3", 
diff --git a/composer.lock b/composer.lock index 11dc9fd5..9337ba0f 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "bb692ec0057ca30fa36edd005963b3cb", + "hash": "10cd158111365c98b217fc244a6c3a6e", "packages": [ { "name": "classpreloader/classpreloader", @@ -768,6 +768,61 @@ ], "time": "2014-10-26 09:05:09" }, + { + "name": "graham-campbell/binput", + "version": "v2.1.2", + "source": { + "type": "git", + "url": "https://github.com/GrahamCampbell/Laravel-Binput.git", + "reference": "43dcec3dcabace1018e2fa009fc11165199f3889" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/GrahamCampbell/Laravel-Binput/zipball/43dcec3dcabace1018e2fa009fc11165199f3889", + "reference": "43dcec3dcabace1018e2fa009fc11165199f3889", + "shasum": "" + }, + "require": { + "graham-campbell/security": "~2.0", + "illuminate/http": "~4.1", + "illuminate/support": "~4.1", + "php": ">=5.4.7" + }, + "require-dev": { + "graham-campbell/testbench": "~1.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "GrahamCampbell\\Binput\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "Apache-2.0" + ], + "authors": [ + { + "name": "Graham Campbell", + "email": "graham@mineuk.com" + } + ], + "description": "Binput Is An Input Protector For Laravel 4.1/4.2", + "keywords": [ + "Binput", + "Graham Campbell", + "GrahamCampbell", + "Laravel Binput", + "Laravel-Binput", + "better", + "better input", + "framework", + "input", + "laravel", + "security" + ], + "time": "2014-10-05 15:29:30" + }, { "name": "graham-campbell/markdown", "version": "v2.0.5", 
@@ -825,6 +880,56 @@ ], "time": "2014-10-05 14:49:46" }, + { + "name": "graham-campbell/security", + "version": "v2.1.2", + "source": { + "type": "git", + "url": "https://github.com/GrahamCampbell/Laravel-Security.git", + "reference": "51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/GrahamCampbell/Laravel-Security/zipball/51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907", + "reference": "51b822b6cfcba80a3d8ec1ac6a5e7af9b8d17907", + "shasum": "" + }, + "require": { + "illuminate/support": "~4.1", + "php": ">=5.4.7" + }, + "require-dev": { + "graham-campbell/testbench": "~1.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "GrahamCampbell\\Security\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "Apache-2.0" + ], + "authors": [ + { + "name": "Graham Campbell", + "email": "graham@mineuk.com" + } + ], + "description": "Security Is A Port Of The Security Class From Codeigniter 2.2 For Laravel 4.1/4.2", + "keywords": [ + "Graham Campbell", + "GrahamCampbell", + "Laravel Security", + "Laravel-Security", + "codeigniter", + "framework", + "laravel", + "security" + ], + "time": "2014-11-27 23:04:50" + }, { "name": "graham-campbell/throttle", "version": "v2.0.1", diff --git a/src/Http/Controllers/Api/ComponentController.php b/src/Http/Controllers/Api/ComponentController.php index ee30b707..d6afb7ab 100644 --- a/src/Http/Controllers/Api/ComponentController.php +++ b/src/Http/Controllers/Api/ComponentController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api; use CachetHQ\Cachet\Repositories\Component\ComponentRepository; use Dingo\Api\Routing\ControllerTrait; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; class ComponentController extends Controller { 
@@ -71,6 +71,6 @@ class ComponentController extends Controller */ public function postComponents() { - return $this->component->create($this->auth->user()->id, Input::all()); + return $this->component->create($this->auth->user()->id, Binput::all()); } } diff --git a/src/Http/Controllers/Api/IncidentController.php b/src/Http/Controllers/Api/IncidentController.php index 85484e71..8b98a729 100644 --- a/src/Http/Controllers/Api/IncidentController.php +++ b/src/Http/Controllers/Api/IncidentController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api; use CachetHQ\Cachet\Repositories\Incident\IncidentRepository; use Dingo\Api\Routing\ControllerTrait; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; class IncidentController extends Controller { @@ -59,7 +59,7 @@ class IncidentController extends Controller */ public function postIncidents() { - return $this->incident->create($this->auth->user()->id, Input::all()); + return $this->incident->create($this->auth->user()->id, Binput::all()); } /** @@ -71,6 +71,6 @@ class IncidentController extends Controller */ public function putIncident($id) { - return $this->incident->update($id, Input::all()); + return $this->incident->update($id, Binput::all()); } } diff --git a/src/Http/Controllers/Api/MetricController.php b/src/Http/Controllers/Api/MetricController.php index de07e9e7..3273c9f9 100644 --- a/src/Http/Controllers/Api/MetricController.php +++ b/src/Http/Controllers/Api/MetricController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api; use CachetHQ\Cachet\Repositories\Metric\MetricRepository; use Dingo\Api\Routing\ControllerTrait; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; class MetricController extends Controller { 
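Review bot: `Binput::all()` on the new line (and the matching `Binput::all()`/`except()` calls in IncidentController, MetricController, MetricPointController, DashAPIController and DashUserController) replaces raw input with a trimmed, XSS-filtered copy, and the commit presents that filtering as the XSS protection; an input-side filter rewrites stored data and is a defence-in-depth layer, not a substitute for escaping at render time, so the Blade views that print these fields still need `{{{ }}}` escaping and nothing in this series says so. The filtering also changes what reaches the repository: component and incident text is persisted already altered, which matters for anything later rendered through the Markdown provider registered in app.php. A comment at the first call site would keep the next maintainer from assuming the views are covered, e.g. `// Binput trims and XSS-cleans every field; output escaping in the views is still required.` postComponents's body fits entirely in the hunk.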
@@ -58,7 +58,7 @@ class MetricController extends Controller */ public function postMetrics() { - return $this->metric->create(Input::all()); + return $this->metric->create(Binput::all()); } /** @@ -70,6 +70,6 @@ class MetricController extends Controller */ public function putMetric($id) { - return $this->metric->update($id, Input::all()); + return $this->metric->update($id, Binput::all()); } } diff --git a/src/Http/Controllers/Api/MetricPointController.php b/src/Http/Controllers/Api/MetricPointController.php index ffa9299b..aa3f0a0b 100644 --- a/src/Http/Controllers/Api/MetricPointController.php +++ b/src/Http/Controllers/Api/MetricPointController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers\Api; use CachetHQ\Cachet\Repositories\MetricPoint\MetricPointRepository; use Dingo\Api\Routing\ControllerTrait; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; class MetricPointController extends Controller { @@ -58,6 +58,6 @@ class MetricPointController extends Controller */ public function postMetricPoints() { - return $this->metricPoint->create(Input::all()); + return $this->metricPoint->create(Binput::all()); } } diff --git a/src/Http/Controllers/AuthController.php b/src/Http/Controllers/AuthController.php index 5dee003d..ff90d7f5 100644 --- a/src/Http/Controllers/AuthController.php +++ b/src/Http/Controllers/AuthController.php @@ -3,9 +3,9 @@ namespace CachetHQ\Cachet\Http\Controllers; use GrahamCampbell\Throttle\Facades\Throttle; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; use Illuminate\Support\Facades\Auth; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\Request; use Illuminate\Support\Facades\View; 
@@ -32,14 +32,14 @@ class AuthController extends Controller */ public function postLogin() { - if (Auth::attempt(Input::only(['email', 'password']))) { + if (Auth::attempt(Binput::only(['email', 'password']))) { return Redirect::intended('dashboard'); } Throttle::hit(Request::instance(), 10, 10); return Redirect::back() - ->withInput(Input::except('password')) + ->withInput(Binput::except('password')) ->with('error', 'Invalid email or password'); } diff --git a/src/Http/Controllers/DashAPIController.php b/src/Http/Controllers/DashAPIController.php index 1c83afd4..fb01a052 100644 --- a/src/Http/Controllers/DashAPIController.php +++ b/src/Http/Controllers/DashAPIController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers; use CachetHQ\Cachet\Models\Component; use Exception; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; class DashAPIController extends Controller { @@ -20,7 +20,7 @@ class DashAPIController extends Controller */ public function postUpdateComponent(Component $component) { - if (!$component->update(Input::except(['_token']))) { + if (!$component->update(Binput::except(['_token']))) { throw new Exception('Failed to update the component.'); } @@ -34,7 +34,7 @@ class DashAPIController extends Controller */ public function postUpdateComponentOrder() { - $componentData = Input::all(); + $componentData = Binput::all(); unset($componentData['component'][0]); // Remove random 0 index. foreach ($componentData['component'] as $componentId => $order) { diff --git a/src/Http/Controllers/DashComponentController.php b/src/Http/Controllers/DashComponentController.php index eaf856fe..68ab7c19 100644 --- a/src/Http/Controllers/DashComponentController.php +++ b/src/Http/Controllers/DashComponentController.php 
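Review bot: `Auth::attempt(Binput::only(['email', 'password']))` now runs the password through Binput's trim and XSS-clean step before it is checked against the stored hash, so a password with leading or trailing whitespace, or containing a sequence the cleaner rewrites, stops verifying even though it was accepted when set. Credentials should be compared raw; the file already imports the Request facade, so `Auth::attempt(['email' => Binput::get('email'), 'password' => Request::input('password')])` keeps the cleaning for the email and leaves the secret untouched. The `withInput(Binput::except('password'))` line below is fine as written. postLogin's body is entirely within the hunk.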
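Review bot: In postUpdateComponentOrder, `$componentData['component']` is dereferenced by the `unset` and the `foreach` with no check that the request carried a `component` array, so a body without it (or with a scalar there) produces PHP warnings rather than a clean error response; the function continues past the hunk. Guard it once before use: `$components = isset($componentData['component']) ? (array) $componentData['component'] : [];` then `unset($components[0]);` and iterate `$components`. The comment `// Remove random 0 index.` would also be more useful if it named which form element produces that index, since the reason is not visible from the code.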
@@ -3,8 +3,8 @@ namespace CachetHQ\Cachet\Http\Controllers; use CachetHQ\Cachet\Models\Component; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\View; @@ -49,7 +49,7 @@ class DashComponentController extends Controller */ public function updateComponentAction(Component $component) { - $_component = Input::get('component'); + $_component = Binput::get('component'); $component->update($_component); return Redirect::back()->with('savedComponent', $component); @@ -74,7 +74,7 @@ class DashComponentController extends Controller */ public function createComponentAction() { - $_component = Input::get('component'); + $_component = Binput::get('component'); $component = Component::create($_component); return Redirect::back()->with('component', $component); diff --git a/src/Http/Controllers/DashIncidentController.php b/src/Http/Controllers/DashIncidentController.php index 1b75522a..88579907 100644 --- a/src/Http/Controllers/DashIncidentController.php +++ b/src/Http/Controllers/DashIncidentController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers; use CachetHQ\Cachet\Models\Incident; use CachetHQ\Cachet\Models\IncidentTemplate; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\View; @@ -57,7 +57,7 @@ class DashIncidentController extends Controller */ public function createIncidentTemplateAction() { - $_template = Input::get('template'); + $_template = Binput::get('template'); $template = IncidentTemplate::create($_template); return Redirect::back()->with('template', $template); 
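Review bot: In updateComponentAction, `Binput::get('component')` is handed straight to `$component->update()` with nothing checking that the request contained a `component` array; when it is absent the value is null and Eloquent's `update(array $attributes = array())` fails on the type rather than reporting a validation error. The same pattern appears in createComponentAction below and in DashIncidentController's createIncidentTemplateAction and createIncidentAction. A one-line guard such as `$_component = (array) Binput::get('component', []);` makes the failure mode explicit and leaves validation to the model. It is also worth confirming that the cleaner applied by `Binput::get` recurses into array values like these `component[...]` fields; if it only processes strings, the nested fields pass through unfiltered while the commit message implies otherwise.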
@@ -70,7 +70,7 @@ class DashIncidentController extends Controller */ public function createIncidentAction() { - $_incident = Input::get('incident'); + $_incident = Binput::get('incident'); $incident = Incident::create($_incident); return Redirect::back()->with('incident', $incident); diff --git a/src/Http/Controllers/DashSettingsController.php b/src/Http/Controllers/DashSettingsController.php index ab1c7b27..9d2bd2f6 100644 --- a/src/Http/Controllers/DashSettingsController.php +++ b/src/Http/Controllers/DashSettingsController.php @@ -4,8 +4,8 @@ namespace CachetHQ\Cachet\Http\Controllers; use CachetHQ\Cachet\Models\Setting; use Exception; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\View; @@ -114,13 +114,13 @@ class DashSettingsController extends Controller */ public function postSettings() { - if (Input::get('remove_banner') == "1") { + if (Binput::get('remove_banner') == "1") { $setting = Setting::where('name', 'app_banner'); $setting->delete(); } - if (Input::hasFile('app_banner')) { - $file = Input::file('app_banner'); + if (Binput::hasFile('app_banner')) { + $file = Binput::file('app_banner'); // Image Validation. // Image size in bytes. @@ -154,7 +154,7 @@ class DashSettingsController extends Controller } try { - foreach (Input::except(['app_banner', 'remove_banner']) as $settingName => $settingValue) { + foreach (Binput::except(['app_banner', 'remove_banner']) as $settingName => $settingValue) { Setting::firstOrCreate([ 'name' => $settingName, ])->update([ diff --git a/src/Http/Controllers/DashUserController.php b/src/Http/Controllers/DashUserController.php index 47cadc3f..fcdca258 100644 --- a/src/Http/Controllers/DashUserController.php +++ b/src/Http/Controllers/DashUserController.php 
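Review bot: `Binput::get('remove_banner') == "1"` in postSettings is a loose comparison; the form can only meaningfully send the string "1", so `Binput::get('remove_banner') === '1'` states that exactly and avoids PHP's numeric-string coercion (with `==`, "1.0" and "01" also match). postSettings continues past this hunk.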
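Review bot: The `foreach` over `Binput::except(['app_banner', 'remove_banner'])` turns every remaining posted key into a Setting row via `firstOrCreate`, and `_token` is not in the exclusion list, so the CSRF token is persisted as a setting named `_token` on every save unless the loop body skips it further down, which is outside the hunk; any extra field a client adds to the POST body likewise becomes a new settings row. Adding `'_token'` to the except list fixes the first; iterating an explicit allow-list of setting names, `Binput::only([/* known setting names */])`, instead of except would close the second. The enclosing try block and function continue outside the hunk.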
@@ -2,9 +2,9 @@ namespace CachetHQ\Cachet\Http\Controllers; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; use Illuminate\Support\Facades\Auth; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\View; @@ -29,7 +29,7 @@ class DashUserController extends Controller */ public function postUser() { - $items = Input::all(); + $items = Binput::all(); $updated = Auth::user()->update($items); diff --git a/src/Http/Controllers/SetupController.php b/src/Http/Controllers/SetupController.php index 627d9721..31c967b0 100644 --- a/src/Http/Controllers/SetupController.php +++ b/src/Http/Controllers/SetupController.php @@ -4,9 +4,9 @@ namespace CachetHQ\Cachet\Http\Controllers; use CachetHQ\Cachet\Models\Setting; use CachetHQ\Cachet\Models\User; +use GrahamCampbell\Binput\Facades\Binput; use Illuminate\Routing\Controller; use Illuminate\Support\Facades\Auth; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Redirect; use Illuminate\Support\Facades\Validator; use Illuminate\Support\Facades\View; @@ -42,7 +42,7 @@ class SetupController extends Controller */ public function postIndex() { - $postData = Input::get(); + $postData = Binput::get(); $v = Validator::make($postData, [ 'settings.app_name' => 'required', From d8bffb58a421d63dff971f9fce300542e2cecb27 Mon Sep 17 00:00:00 2001 From: Graham Campbell Date: Fri, 2 Jan 2015 12:06:04 +0000 Subject: [PATCH 2/3] Cleanup the csrf filter --- src/Http/Before/CsrfFilter.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/Http/Before/CsrfFilter.php b/src/Http/Before/CsrfFilter.php index 48cc06ef..c46db9e7 100644 --- a/src/Http/Before/CsrfFilter.php +++ b/src/Http/Before/CsrfFilter.php 
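Review bot: `Auth::user()->update(Binput::all())` in postUser passes the entire request body, `_token` included, into the user model; whether that is safe depends on the model's `$fillable`/`$guarded` configuration, which is not visible here, and the other controllers in this series exclude the token explicitly (DashAPIController uses `Binput::except(['_token'])`). Using `Binput::only([/* editable profile fields */])` would make the writable set explicit instead of depending on the model guard; at minimum `$items = Binput::except(['_token']);` matches the rest of the patch. postUser continues past the hunk.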
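Review bot: `Binput::get()` with no key in postIndex relies on the wrapper treating a missing key as "return all input"; every other call in this series uses `Binput::all()` for that, so `$postData = Binput::all();` states the intent and does not depend on that default. postIndex continues past the hunk, where the Validator rules follow.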
@@ -2,8 +2,9 @@ namespace CachetHQ\Cachet\Http\Before; +use Illuminate\Http\Request; +use Illuminate\Routing\Route; use Illuminate\Session\TokenMismatchException; -use Illuminate\Support\Facades\Input; use Illuminate\Support\Facades\Session; class CsrfFilter @@ -15,13 +16,16 @@ class CsrfFilter * our csrf token in the session does not match the one given sent to us in * this request, then we'll bail. * + * @param \Illuminate\Routing\Route $route + * @param \Illuminate\Http\Request $request + * * @throws \Illuminate\Session\TokenMismatchException * * @return void */ - public function filter() + public function filter(Route $route, Request $request) { - if (Session::token() !== Input::get('_token')) { + if (Session::token() !== $request->input('_token')) { throw new TokenMismatchException(); } } From 69d59f925432fd1ddf18efcfb0206b51cfc4819f Mon Sep 17 00:00:00 2001 From: Graham Campbell Date: Fri, 2 Jan 2015 12:09:29 +0000 Subject: [PATCH 3/3] CS fix --- src/Http/Controllers/AuthController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Http/Controllers/AuthController.php b/src/Http/Controllers/AuthController.php index ff90d7f5..fe5ace84 100644 --- a/src/Http/Controllers/AuthController.php +++ b/src/Http/Controllers/AuthController.php @@ -2,8 +2,8 @@ namespace CachetHQ\Cachet\Http\Controllers; -use GrahamCampbell\Throttle\Facades\Throttle; use GrahamCampbell\Binput\Facades\Binput; +use GrahamCampbell\Throttle\Facades\Throttle; use Illuminate\Routing\Controller; use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Redirect;
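Review bot: `Session::token() !== $request->input('_token')` in filter() compares the CSRF token with an ordinary string comparison, which stops at the first differing byte; a constant-time check is the usual choice for tokens, e.g. `if (!hash_equals(Session::token(), (string) $request->input('_token')))`, where `hash_equals` needs PHP 5.6 and the dependencies on this page only require >=5.4.7, so a polyfill may be needed. The string cast also makes an array-valued `_token` fail the check cleanly instead of relying on `!==` type behaviour. In the docblock the commit adds parameters to, "the one given sent to us" would read better as "the one sent to us".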