Added: more tests.

Fixed: issue with the in_array match type.
Changed: key parameter matching to its own property.

Author: dave83649

src/Processor.php

@@ -140,6 +140,11 @@ public function launch($mustExit = true)
         // Merge the rules together. First iterate through the whitelist rules.
         $rules = array_merge($this->whitelistRules, $this->firewallRules);
         foreach ($rules as $rule) {
+            // Should never happen.
+            if (!isset($rule->rules) || empty($rule->rules)) {
+                continue;
+            }
+
             // Execute the firewall rule.
             $rule_hit = $this->executeFirewall(json_decode(json_encode($rule->rules), true));
 
@@ -194,10 +199,15 @@ public function executeFirewall($rules)
         $inclusiveHits = 0;
 
         // Loop through all of the conditions for this rule.
-        foreach ($rules as $key => $rule) {
+        foreach ($rules as $rule) {
+            // Parameter must always be present.
+            if (!isset($rule['parameter'])) {
+                continue;
+            }
+
             // Extract the value of the paramater that we want.
-            $value = $this->getParameterValue($key);
-            if (is_null($value) && !is_numeric($key)) {
+            $value = $this->getParameterValue($rule['parameter']);
+            if (is_null($value)) {
                 continue;
             }
 
@@ -315,11 +325,11 @@ public function matchParameterValue($match, $value)
             return @!current_user_can($matchValue);
         }
 
-        if ($matchType == 'in_array' && is_array($value)) {
+        if ($matchType == 'in_array' && !is_array($value)) {
             return @in_array($value, $matchValue);
         }
 
-        if ($matchType == 'not_in_array' && is_array($value)) {
+        if ($matchType == 'not_in_array' && !is_array($value)) {
             return @!in_array($value, $matchValue);
         }
 
@@ -345,7 +355,7 @@ public function matchParameterValue($match, $value)
     public function getParameterValue($parameter, $data = [])
     {
         // For when a rule contains sub-rules.
-        if (ctype_digit($parameter)) {
+        if (ctype_digit($parameter) || empty($parameter)) {
             return null;
         }
 

tests/FirewallTest.php

@@ -57,6 +57,7 @@ private function alterPayload(array $payload = [])
 
         $_POST = isset($payload['POST']) ? $payload['POST'] : [];
         $_GET = isset($payload['GET']) ? $payload['GET'] : [];
+        $_SERVER['REQUEST_URI'] = isset($payload['SERVER'], $payload['SERVER']['REQUEST_URI']) ? $payload['SERVER']['REQUEST_URI'] : '';
     }
 
     /**
@@ -96,5 +97,134 @@ public function testRules()
         );
         $this->assertFalse($this->processor->launch(false));
         $this->alterPayload();
+
+        // Block WordPress WP-AJAX action restaurant_system_customize_button or restaurant_system_insert_dialog, when not executed by an administrator.
+        // Should return false because current_user_can does not exist.
+        $this->setUpFirewallProcessor([$this->rules[3]]);
+        $this->alterPayload(
+            ['POST' => [
+            'action' => 'restaurant_system_customize_button'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block WordPress WP-AJAX action restaurant_system_customize_button or restaurant_system_insert_dialog.
+        $this->setUpFirewallProcessor([$this->rules[4]]);
+        $this->alterPayload(
+            ['POST' => [
+            'action' => 'restaurant_system_customize_button'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block access to specific WP-JSON endpoint.
+        $this->setUpFirewallProcessor([$this->rules[5]]);
+        $this->alterPayload(
+            ['SERVER' => [
+            'REQUEST_URI' => '/wp-json/yikes/cpt/v1/settings'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block access to specific WP-JSON endpoint.
+        $this->setUpFirewallProcessor([$this->rules[5]]);
+        $this->alterPayload(
+            ['GET' => [
+            'rest_route' => '/wp-json/yikes/cpt/v1/settings'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block access to endpoint that should only accept an integer of less than 101.
+        $this->setUpFirewallProcessor([$this->rules[6]]);
+        $this->alterPayload(
+            ['GET' => [
+            'pid' => 10000
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Block access to endpoint that should only accept an integer of more than 99.
+        $this->setUpFirewallProcessor([$this->rules[7]]);
+        $this->alterPayload(
+            ['GET' => [
+            'pid' => 99
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Determine if a POST parameter is not a ctype_alnum.
+        $this->setUpFirewallProcessor([$this->rules[8]]);
+        $this->alterPayload(
+            ['POST' => [
+            'value' => 'something)'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Determine if a POST parameter is not numeric.
+        $this->setUpFirewallProcessor([$this->rules[9]]);
+        $this->alterPayload(
+            ['POST' => [
+            'number' => '8*8'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Determine if the URL matches a regex.
+        $this->setUpFirewallProcessor([$this->rules[10]]);
+        $this->alterPayload(
+            ['SERVER' => [
+            'REQUEST_URI' => '/something/backdoor/something-else/'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Determine if value is not part of an array of values.
+        $this->setUpFirewallProcessor([$this->rules[11]]);
+        $this->alterPayload(
+            ['GET' => [
+            'user' => 'simon'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[11]]);
+        $this->alterPayload(
+            ['GET' => [
+            'user' => 'admin'
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        // Determine if an array of values is part of a given array.
+        $this->setUpFirewallProcessor([$this->rules[12]]);
+        $this->alterPayload(
+            ['POST' => [
+            'usernames' => ['simon', 'peter']
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[12]]);
+        $this->alterPayload(
+            ['POST' => [
+            'usernames' => ['admin']
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
     }
 }

tests/data/Rules.json

@@ -2,23 +2,103 @@
     {
         "id":1,
         "title":"Block test parameter being present in the URL",
-        "rules":{"get.test":{"match":{"type":"isset"}}},
+        "rules":[{"parameter":"get.test","match":{"type":"isset"}}],
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
     },
     {
         "id":2,
         "title":"Block backdoor parameter in payload set to mybackdoor and user agent containing some_backdoor_agent.",
-        "rules":{"post.backdoor":{"match":{"type":"equals","value":"mybackdoor"},"inclusive":true},"server.HTTP_USER_AGENT":{"match":{"type":"contains","value":"some_backdoor_agent"},"inclusive":true}},
+        "rules":[{"parameter":"post.backdoor","match":{"type":"equals","value":"mybackdoor"},"inclusive":true},{"parameter":"server.HTTP_USER_AGENT","match":{"type":"contains","value":"some_backdoor_agent"},"inclusive":true}],
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
     },
     {
         "id":3,
         "title":"Block a base64 json encoded request with the user_role parameter set to administrator",
-        "rules":{"post.payload":{"mutations":["base64_decode","json_decode"],"match":{"type":"array_key_value","key":"user_role","match":{"type":"equals","value":"administrator"}}}},
+        "rules":[{"parameter":"post.payload","mutations":["base64_decode","json_decode"],"match":{"type":"array_key_value","key":"user_role","match":{"type":"equals","value":"administrator"}}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":4,
+        "title":"Block WordPress WP-AJAX action restaurant_system_customize_button or restaurant_system_insert_dialog, when not executed by an administrator.",
+        "rules":[{"parameter":"rules","rules":[{"parameter":"get.action","match":{"type":"in_array","value":["restaurant_system_customize_button","restaurant_system_insert_dialog"]}},{"parameter":"post.action","match":{"type":"in_array","value":["restaurant_system_customize_button","restaurant_system_insert_dialog"]}}],"inclusive":true},{"parameter":false,"match":{"type":"current_user_cannot","value":"administrator"},"inclusive":true}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":5,
+        "title":"Block WordPress WP-AJAX action restaurant_system_customize_button or restaurant_system_insert_dialog.",
+        "rules":[{"parameter":"get.action","match":{"type":"in_array","value":["restaurant_system_customize_button","restaurant_system_insert_dialog"]}},{"parameter":"post.action","match":{"type":"in_array","value":["restaurant_system_customize_button","restaurant_system_insert_dialog"]}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":6,
+        "title":"Block access to specific WP-JSON endpoint.",
+        "rules":[{"parameter":"server.REQUEST_URI","match":{"type":"contains","value":"yikes\/cpt\/v1\/settings"}},{"parameter":"post.rest_route","match":{"type":"contains","value":"yikes\/cpt\/v1\/settings"}},{"parameter":"get.rest_route","match":{"type":"contains","value":"yikes\/cpt\/v1\/settings"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":7,
+        "title":"Block access to endpoint that should only accept an integer of less than 101.",
+        "rules":[{"parameter":"get.pid","match":{"type":"ctype_digit","value":false}},{"parameter":"get.pid","match":{"type":"bigger_than","value":100}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":8,
+        "title":"Block access to endpoint that should only accept an integer of more than 99.",
+        "rules":[{"parameter":"get.pid","match":{"type":"ctype_digit","value":false}},{"parameter":"get.pid","match":{"type":"less_than","value":100}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":9,
+        "title":"Determine if a POST parameter is a ctype_alnum.",
+        "rules":[{"parameter":"post.value","match":{"type":"ctype_alnum","value":false}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":10,
+        "title":"Determine if a POST parameter is a numeric.",
+        "rules":[{"parameter":"post.number","match":{"type":"is_numeric","value":false}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":11,
+        "title":"Determine if a POST parameter is a numeric.",
+        "rules":[{"parameter":"server.REQUEST_URI","match":{"type":"regex","value":"\/(\\\/something\\\/)\/msi"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":12,
+        "title":"Determine if a value is not in an array",
+        "rules":[{"parameter":"get.user","match":{"type":"not_in_array","value":["admin"]}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":13,
+        "title":"Determine if an array contains any values from given array.",
+        "rules":[{"parameter":"post.usernames","match":{"type":"array_in_array","value":["test","admin"]}}],
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null

tests/data/Whitelist.json

@@ -2,13 +2,13 @@
     {
         "id":1,
         "title":"Whitelist IP 127.0.0.1",
-        "rules":{"server.ip":{"match":{"type":"array_in_array","value":["127.0.0.1"]}}},
+        "rules":[{"parameter":"server.ip","match":{"type":"array_in_array","value":["127.0.0.1"]}}],
         "type":"WHITELIST"
     },
     {
         "id":2,
         "title":"Whitelist if POST request action parameter is set to wp_heartbeat",
-        "rules":{"post.action":{"match":{"type":"equals","value":"wp_heartbeat"}}},
+        "rules":[{"parameter":"post.action","match":{"type":"equals","value":"wp_heartbeat"}}],
         "type":"WHITELIST"
     }
 ]