Nosial/ncc
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases 11 Packages Wiki Activity Actions

- Corrected code-smell and code style issues in \ncc\Classes > HttpClient

Browse source 
- Fixed MITM attack vector in `\ncc\Classes > HttpClient > prepareCurl()`
This commit is contained in:
Netkas 2023-08-17 14:02:41 -04:00
parent 8019d8c378
commit 393078cd9e
No known key found for this signature in database
GPG key ID: 5DAF58535614062B
2 changed files with 48 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
CHANGELOG.md
View file

@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.0.4] - Unreleased
### Fixed
- Fixed MITM attack vector in `\ncc\Classes > HttpClient > prepareCurl()`
### Changed
- Corrected code-smell and code style issues in `\ncc\Classes > HttpClient`
## [1.0.3] - 2023-08-16 ## [1.0.3] - 2023-08-16
### Changed ### Changed

69
src/ncc/Classes/HttpClient.php
View file

@ -50,29 +50,25 @@ namespace ncc\Classes;
curl_setopt($curl, CURLOPT_MAXREDIRS, 5); curl_setopt($curl, CURLOPT_MAXREDIRS, 5);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($curl, CURLOPT_TIMEOUT, 10); curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_HTTPHEADER, $request->Headers); curl_setopt($curl, CURLOPT_HTTPHEADER, $request->Headers);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $request->Type); curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $request->Type);
curl_setopt($curl, CURLOPT_NOPROGRESS, false); curl_setopt($curl, CURLOPT_NOPROGRESS, false);
curl_setopt($curl, CURLOPT_PROGRESSFUNCTION, function($curl, $downloadSize, $downloaded, $uploadSize, $uploaded) use ($request)
{
if($downloadSize > 0 && ($downloaded !== $downloadSize))
{
if(Main::getLogLevel() !== null)
{
switch(Main::getLogLevel())
{
case LogLevel::Verbose:
case LogLevel::Debug:
case LogLevel::Silent:
Console::outVerbose(sprintf(' <= %s of %s bytes downloaded', $downloaded, $downloadSize));
break;
default: curl_setopt($curl, CURLOPT_PROGRESSFUNCTION, static function($curl, $downloadSize, $downloaded)
Console::inlineProgressBar($downloaded, $downloadSize + 1); {
break; if($downloadSize > 0 && ($downloaded !== $downloadSize) && Main::getLogLevel() !== null)
} {
switch(Main::getLogLevel())
{
case LogLevel::Verbose:
case LogLevel::Debug:
case LogLevel::Silent:
Console::outVerbose(sprintf(' <= %s of %s bytes downloaded', $downloaded, $downloadSize));
break;
default:
Console::inlineProgressBar($downloaded, $downloadSize + 1);
break;
} }
} }
}); });
@ -86,13 +82,17 @@ namespace ncc\Classes;
case HttpRequestType::POST: case HttpRequestType::POST:
curl_setopt($curl, CURLOPT_POST, true); curl_setopt($curl, CURLOPT_POST, true);
if($request->Body !== null) if($request->Body !== null)
{
curl_setopt($curl, CURLOPT_POSTFIELDS, $request->Body); curl_setopt($curl, CURLOPT_POSTFIELDS, $request->Body);
}
break; break;
case HttpRequestType::PUT: case HttpRequestType::PUT:
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'PUT'); curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'PUT');
if($request->Body !== null) if($request->Body !== null)
{
curl_setopt($curl, CURLOPT_POSTFIELDS, $request->Body); curl_setopt($curl, CURLOPT_POSTFIELDS, $request->Body);
}
break; break;
case HttpRequestType::DELETE: case HttpRequestType::DELETE:
@ -110,7 +110,9 @@ namespace ncc\Classes;
} }
foreach ($request->Options as $option => $value) foreach ($request->Options as $option => $value)
{
curl_setopt($curl, $option, $value); curl_setopt($curl, $option, $value);
}
return $curl; return $curl;
} }
@ -128,21 +130,27 @@ namespace ncc\Classes;
if($cache) if($cache)
{ {
/** @var HttpResponseCache $cache */ /** @var HttpResponseCache $cache */
$cache = RuntimeCache::get(sprintf('http_cache_%s', $httpRequest->requestHash())); $cache_value = RuntimeCache::get(sprintf('http_cache_%s', $httpRequest->requestHash()));
if($cache !== null && $cache->getTtl() > time()) if($cache_value !== null && $cache_value->getTtl() > time())
{ {
Console::outDebug(sprintf('using cached response for %s', $httpRequest->requestHash())); Console::outDebug(sprintf('using cached response for %s', $httpRequest->requestHash()));
return $cache->getHttpResponse(); return $cache_value->getHttpResponse();
} }
} }
$curl = self::prepareCurl($httpRequest); $curl = self::prepareCurl($httpRequest);
Console::outDebug(sprintf(' => %s request %s', $httpRequest->Type, $httpRequest->Url)); Console::outDebug(sprintf(' => %s request %s', $httpRequest->Type, $httpRequest->Url));
if($httpRequest->Headers !== null && count($httpRequest->Headers) > 0) if($httpRequest->Headers !== null && count($httpRequest->Headers) > 0)
{
Console::outDebug(sprintf(' => headers: %s', implode(', ', $httpRequest->Headers))); Console::outDebug(sprintf(' => headers: %s', implode(', ', $httpRequest->Headers)));
}
if($httpRequest->Body !== null) if($httpRequest->Body !== null)
{
Console::outDebug(sprintf(' => body: %s', $httpRequest->Body)); Console::outDebug(sprintf(' => body: %s', $httpRequest->Body));
}
$response = curl_exec($curl); $response = curl_exec($curl);
@ -162,12 +170,9 @@ namespace ncc\Classes;
$httpResponse->Headers = self::parseHeaders($headers); $httpResponse->Headers = self::parseHeaders($headers);
$httpResponse->Body = $body; $httpResponse->Body = $body;
Console::outDebug(sprintf(' <= %s response', $httpResponse->StatusCode));/** @noinspection PhpConditionAlreadyCheckedInspection */ Console::outDebug(sprintf(' <= %s response', $httpResponse->StatusCode));
if($httpResponse->Headers !== null && count($httpResponse->Headers) > 0) Console::outDebug(sprintf(' <= headers: %s', (implode(', ', $httpResponse->Headers))));
Console::outDebug(sprintf(' <= headers: %s', implode(', ', $httpResponse->Headers))); Console::outDebug(sprintf(' <= body: %s', $httpResponse->Body));
/** @noinspection PhpConditionAlreadyCheckedInspection */
if($httpResponse->Body !== null)
Console::outDebug(sprintf(' <= body: %s', $httpResponse->Body));
curl_close($curl); curl_close($curl);
@ -194,7 +199,7 @@ namespace ncc\Classes;
{ {
$curl = self::prepareCurl($httpRequest); $curl = self::prepareCurl($httpRequest);
$fp = fopen($path, 'w'); $fp = fopen($path, 'wb');
curl_setopt($curl, CURLOPT_FILE, $fp); curl_setopt($curl, CURLOPT_FILE, $fp);
curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_HEADER, 0);
$response = curl_exec($curl); $response = curl_exec($curl);
@ -222,9 +227,11 @@ namespace ncc\Classes;
$lines = explode("\n", $input); $lines = explode("\n", $input);
$headers['HTTP'] = array_shift($lines); $headers['HTTP'] = array_shift($lines);
foreach ($lines as $line) { foreach ($lines as $line)
{
$header = explode(':', $line, 2); $header = explode(':', $line, 2);
if (count($header) == 2) { if (count($header) === 2)
{
$headers[trim($header[0])] = trim($header[1]); $headers[trim($header[0])] = trim($header[1]);
} }
} }