Merge branch 'hotfix-0.20.1'

chesio · Apr 11, 2023 · ff50bb5 · ff50bb5
2 parents 0d87bec + 273c620
commit ff50bb5
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # BC Security Changelog
 
+## Version 0.20.1 (2023-04-11)
+
+* Validate IP addresses to avoid potential security issues [#138](https://github.com/chesio/bc-security/issues/138).
+* List of supported PHP versions for PHP version check has been updated to include PHP 8.2 and exclude PHP 7.4 [#137](https://github.com/chesio/bc-security/issues/137).
+
 ## Version 0.20.0 (2023-03-31)
 
 This release brings a new feature: __external blocklist__. This feature has its own module named _External Blocklist_. To keep the naming consistent, _IP Blacklist_ module has been renamed to _Internal Blocklist_.

diff --git a/bc-security.php b/bc-security.php
@@ -4,7 +4,7 @@
  * Plugin Name: BC Security
  * Plugin URI: https://github.com/chesio/bc-security
  * Description: Helps keeping WordPress websites secure.
- * Version: 0.20.0
+ * Version: 0.20.1
  * Author: Česlav Przywara <[email protected]>
  * Author URI: https://www.chesio.com
  * Requires PHP: 7.3

diff --git a/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php b/classes/BlueChip/Security/Modules/Checklist/Checks/PhpVersionSupported.php
@@ -8,11 +8,13 @@ class PhpVersionSupported extends Checklist\BasicCheck
 {
     /**
      * @var array<string,string> List of supported PHP versions and their end-of-life dates
+     *
+     * @link https://www.php.net/supported-versions.php
      */
     private const SUPPORTED_VERSIONS = [
-        '7.4' => '2022-11-28',
         '8.0' => '2023-11-26',
         '8.1' => '2024-11-25',
+        '8.2' => '2025-12-08',
     ];
 
 

diff --git a/classes/BlueChip/Security/Setup/IpAddress.php b/classes/BlueChip/Security/Setup/IpAddress.php
@@ -53,7 +53,7 @@ public static function get(string $type): string
         }
 
         if (isset($_SERVER[$type])) {
-            return self::getFirst($_SERVER[$type]);
+            return self::parseFrom($_SERVER[$type]);
         }
 
         // Not found: try to fall back to direct address if proxy has been requested.
@@ -64,7 +64,7 @@ public static function get(string $type): string
             //
             // Client can itself send HTTP_X_FORWARDED_FOR header fooling us
             // regarding which IP should be banned.
-            return self::getFirst($_SERVER[self::REMOTE_ADDR]);
+            return self::parseFrom($_SERVER[self::REMOTE_ADDR]);
         }
 
         return '';
@@ -91,7 +91,13 @@ public static function getRaw(string $type): string
      */
     public static function getServer(): string
     {
-        return isset($_SERVER['SERVER_ADDR']) ? self::getFirst($_SERVER['SERVER_ADDR']) : '';
+        return array_key_exists('SERVER_ADDR', $_SERVER) ? self::parseFrom($_SERVER['SERVER_ADDR']) : '';
+    }
+
+
+    private static function parseFrom(string $maybe_list_of_ip_addresses): string
+    {
+        return self::validate(self::getFirst($maybe_list_of_ip_addresses)) ?? '';
     }
 
 
@@ -108,4 +114,13 @@ private static function getFirst(string $ip_addresses): string
         $ips = \array_map('trim', \explode(',', $ip_addresses));
         return $ips[0];
     }
+
+
+    /**
+     * Validate given $ip_address, return null if invalid.
+     */
+    private static function validate(string $ip_address): ?string
+    {
+        return \filter_var($ip_address, FILTER_VALIDATE_IP, FILTER_NULL_ON_FAILURE);
+    }
 }
diff --git a/tests/unit/src/Cases/Setup/IpAddressValidationTest.php b/tests/unit/src/Cases/Setup/IpAddressValidationTest.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace BlueChip\Security\Tests\Unit\Cases\Setup;
+
+use BlueChip\Security\Setup\IpAddress;
+use BlueChip\Security\Tests\Unit\TestCase;
+
+class IpAddressValidationTest extends TestCase
+{
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        // Valid IP
+        $_SERVER[IpAddress::REMOTE_ADDR] = '23.23.23.23';
+        // Cross-Site Scripting attempt
+        $_SERVER[IpAddress::HTTP_X_FORWARDED_FOR] = '<span onmouseover=alert(1)>23.23.23.23</span>';
+        // Invalid IP with valid format
+        $_SERVER[IpAddress::HTTP_X_REAL_IP] = '256.256.256.256';
+    }
+
+
+    protected function tearDown(): void
+    {
+        unset($_SERVER[IpAddress::REMOTE_ADDR]);
+        unset($_SERVER[IpAddress::HTTP_X_FORWARDED_FOR]);
+        unset($_SERVER[IpAddress::HTTP_X_REAL_IP]);
+
+        parent::tearDown();
+    }
+
+
+    public function provideRemoteAddressGetterData(): array
+    {
+        return [
+            'valid IP' => [IpAddress::REMOTE_ADDR, '23.23.23.23'],
+            'Cross-Site Scripting attempt' => [IpAddress::HTTP_X_FORWARDED_FOR, ''],
+            'Invalid IP with valid format' => [IpAddress::HTTP_X_REAL_IP, ''],
+        ];
+    }
+
+
+    /**
+     * @dataProvider provideRemoteAddressGetterData
+     */
+    public function testRemoteAddressGetter(string $connection_type, ?string $ip_address): void
+    {
+        $this->assertSame($ip_address, IpAddress::get($connection_type));
+    }
+}