use HSTS when doing request with the HttpClient #34553
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright Copyright (c) 2022 Your name <[email protected]> | ||
| * | ||
| * @author Your name <[email protected]> | ||
| * | ||
| * @license GNU AGPL version 3 or any later version | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| * | ||
| */ | ||
|
|
||
| namespace OC\Core\Migrations; | ||
|
|
||
| use Closure; | ||
| use OCP\DB\ISchemaWrapper; | ||
| use OCP\DB\Types; | ||
| use OCP\Migration\IOutput; | ||
| use OCP\Migration\SimpleMigrationStep; | ||
|
|
||
| /** | ||
| * Auto-generated migration step: Please modify to your needs! | ||
| */ | ||
| class Version26000Date20221011203714 extends SimpleMigrationStep { | ||
|
|
||
| /** | ||
| * @param IOutput $output | ||
| * @param Closure(): ISchemaWrapper $schemaClosure | ||
| * @param array $options | ||
| * @return null|ISchemaWrapper | ||
| */ | ||
| public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper { | ||
| $schema = $schemaClosure(); | ||
|
|
||
| if (!$schema->hasTable('hsts')) { | ||
| $table = $schema->createTable('hsts'); | ||
| $table->addColumn('id', Types::BIGINT, [ | ||
| 'autoincrement' => true, | ||
| 'notnull' => true, | ||
| ]); | ||
| $table->addColumn('host', Types::STRING, [ | ||
| 'notnull' => true, | ||
| 'length' => 255, | ||
| ]); | ||
| $table->addColumn('expires', Types::BIGINT, [ | ||
| 'notnull' => true, | ||
| ]); | ||
| $table->addColumn('includeSubdomains', Types::BOOLEAN, [ | ||
| 'notnull' => false, | ||
| ]); | ||
| $table->setPrimaryKey(['id'], 'hsts_idx'); | ||
| $table->addUniqueConstraint(['host'], 'hsts_host'); | ||
| } | ||
|
|
||
| return $schema; | ||
| } | ||
|
|
||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright Copyright (c) 2022, Roeland Jago Douma <[email protected]> | ||
| * | ||
| * @author Roeland Jago Douma <[email protected]> | ||
| * | ||
| * @license GNU AGPL version 3 or any later version | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| * | ||
| */ | ||
| namespace OC\Http\Client; | ||
|
|
||
| use Psr\Http\Message\RequestInterface; | ||
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Log\LoggerInterface; | ||
|
|
||
| class HSTSMiddleware { | ||
|
|
||
| private HSTSStore $hstsStore; | ||
| private LoggerInterface $logger; | ||
|
|
||
| public function __construct( | ||
| HSTSStore $hstsStore, | ||
| LoggerInterface $logger | ||
| ) { | ||
| $this->hstsStore = $hstsStore; | ||
| $this->logger = $logger; | ||
| } | ||
|
|
||
| private function isIpaAddr(string $host): bool { | ||
| return filter_var($host, FILTER_VALIDATE_IP) !== false; | ||
| } | ||
|
|
||
| private function handleHSTSRewrite(RequestInterface $request): RequestInterface { | ||
|
|
||
| $uri = $request->getUri(); | ||
|
|
||
| if ($uri->getScheme() === 'http' | ||
| && !$this->isIpaAddr($uri->getHost()) | ||
| && $this->hstsStore->hasHSTS($uri->getHost())) { | ||
|
|
||
| $uri = $uri->withScheme('https'); | ||
| } | ||
|
|
||
| return $request->withUri($uri); | ||
| } | ||
|
|
||
| private function handleHSTSResponse(ResponseInterface $response, RequestInterface $request): ResponseInterface { | ||
| $uri = $request->getUri(); | ||
|
|
||
| $this->logger->error($uri->getScheme()); | ||
|
|
||
| if ($uri->getScheme() === 'https' | ||
| && !$this->isIpaAddr($uri->getHost()) | ||
| && $response->hasHeader('Strict-Transport-Security')) { | ||
|
|
||
|
|
||
| $this->logger->error("LETS GO"); | ||
|
|
||
| // Get the header and pass it to the store to parse and store this info | ||
| $header = $response->getHeader('Strict-Transport-Security')[0]; | ||
| $this->hstsStore->setHSTS($uri->getHost(), $header); | ||
| } | ||
|
|
||
| return $response; | ||
| } | ||
|
|
||
| public function addHSTS() { | ||
| return function (callable $handler) { | ||
| return function ( | ||
| RequestInterface $request, | ||
| array $options | ||
| ) use ($handler) { | ||
|
|
||
| $request = $this->handleHSTSRewrite($request); | ||
|
|
||
| $this->logger->warning("GONNA REQUEST"); | ||
|
|
||
| $this->logger->warning($request->getUri()->getScheme()); | ||
| $this->logger->warning($request->getUri()->getHost()); | ||
|
|
||
|
|
||
| return $handler($request, $options) | ||
| ->then(function (ResponseInterface $response) use ($request) { | ||
| $this->logger->error("GOT RESPONSE"); | ||
|
|
||
| $this->handleHSTSResponse($response, $request); | ||
| return $response; | ||
| }); | ||
| }; | ||
| }; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright Copyright (c) 2022, Roeland Jago Douma <[email protected]> | ||
| * | ||
| * @author Roeland Jago Douma <[email protected]> | ||
| * | ||
| * @license GNU AGPL version 3 or any later version | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| * | ||
| */ | ||
| namespace OC\Http\Client; | ||
|
|
||
| use OCP\AppFramework\Utility\ITimeFactory; | ||
| use OCP\IDBConnection; | ||
| use Psr\Log\LoggerInterface; | ||
|
|
||
| class HSTSStore { | ||
|
|
||
| private IDBConnection $db; | ||
| private ITimeFactory $timeFactory; | ||
| private LoggerInterface $logger; | ||
|
|
||
| public function __construct(IDBConnection $db, ITimeFactory $timeFactory, LoggerInterface $logger) { | ||
| $this->db = $db; | ||
| $this->timeFactory = $timeFactory; | ||
| $this->logger = $logger; | ||
| } | ||
|
|
||
| private function checkHost(string $host, bool $includeSubdomain) { | ||
| // Look for the domain as is if we can't find it remove a subdomain and go up | ||
|
|
||
| $this->logger->warning("Checking for host " . $host); | ||
|
|
||
| $qb = $this->db->getQueryBuilder(); | ||
| $qb->select('*') | ||
| ->from('hsts') | ||
| ->where($qb->expr()->eq('host', $qb->createNamedParameter($host))); | ||
|
|
||
| $cursor = $qb->executeQuery(); | ||
| $data = $cursor->fetch(); | ||
| $cursor->closeCursor(); | ||
|
|
||
| if ($data !== false) { | ||
| $this->logger->warning("GOT DATA"); | ||
| $this->logger->warning(json_encode($data)); | ||
| } | ||
|
|
||
| if ($data !== false | ||
| && $this->timeFactory->getTime() < $data['expires'] | ||
| && (!$includeSubdomain || ($includeSubdomain && $data['includeSubdomains'])) | ||
Check failureCode scanning / Psalm RedundantCondition |
||
| ) { | ||
| $this->logger->warning("REWRITE"); | ||
| return true; | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| private function checkSuperHost(string $host): bool { | ||
| $labels = explode('.', $host); | ||
|
|
||
| $labelCount = count($labels); | ||
|
|
||
| for ($i = 1; $i < $labelCount; $i++) { | ||
| $domainName = implode('.', array_slice($labels, $labelCount - $i)); | ||
|
|
||
| if ($this->checkHost($domainName, true)) { | ||
| return true; | ||
| } | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| public function hasHSTS(string $host): bool { | ||
| return $this->checkHost($host, false) || $this->checkSuperHost($host); | ||
| } | ||
|
|
||
| public function setHSTS(string $host, string $header): void { | ||
| $directives = explode(';', $header); | ||
|
|
||
| $maxAge = 0; | ||
| $includeSubdomains = false; | ||
|
|
||
| foreach ($directives as $directive) { | ||
| $directive = trim($directive); | ||
|
|
||
| if ($directive === 'includeSubDomains') { | ||
| $includeSubdomains = true; | ||
| } elseif ($directive === 'preload') { | ||
| // We just ignore this | ||
| } else { | ||
| $data = explode('=', $directive); | ||
| if (count($data) === 2 && trim($data[0]) === 'max-age' && is_numeric(trim($data[1]))) { | ||
| $maxAge = max(0, (int)$data[1]); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if ($maxAge <= 0) { | ||
| return; | ||
| } | ||
|
|
||
| $this->logger->warning("TIME TO SET HSTS"); | ||
|
|
||
| $expires = $this->timeFactory->getTime() + $maxAge; | ||
|
|
||
| $qb = $this->db->getQueryBuilder(); | ||
|
Member
There was a problem hiding this comment. could we maybe make hosts unique and if we get an unique exeption when trying to insert then we try updating. Save one DB query in some cases Also we probably should try to catch data races
Member
Author
There was a problem hiding this comment. |
||
| $qb->select('*') | ||
| ->from('hsts') | ||
| ->where($qb->expr()->eq('host', $qb->createNamedParameter($host))); | ||
|
|
||
| $cursor = $qb->executeQuery(); | ||
| $data = $cursor->fetchOne(); | ||
| $cursor->closeCursor(); | ||
|
|
||
|
|
||
| $this->logger->warning("Q1"); | ||
|
|
||
| if ($data === false) { | ||
| // No entry yet insert | ||
| $qb = $this->db->getQueryBuilder(); | ||
| $qb->insert('hsts') | ||
| ->values([ | ||
| 'host' => $qb->createNamedParameter($host), | ||
| 'expires' => $qb->createNamedParameter($expires), | ||
| 'includeSubdomains' => $qb->createNamedParameter($includeSubdomains) | ||
| ]); | ||
| $this->logger->warning($qb->getSQL()); | ||
| $qb->executeStatement(); | ||
| } else { | ||
| // Already set just update | ||
| // No entry yet insert | ||
| $qb = $this->db->getQueryBuilder(); | ||
| $qb->update('hsts') | ||
| ->set('expires', $qb->createNamedParameter($expires)) | ||
| ->set('includeSubdomains', $qb->createNamedParameter($includeSubdomains)) | ||
| ->where($qb->expr()->eq('host', $qb->createNamedParameter($host))); | ||
| $qb->executeStatement(); | ||
| } | ||
| } | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Check failure
Code scanning / Psalm
MoreSpecificImplementedParamType