Skip to content

Commit

Permalink
headers migrados para rotas e padronização de sanitização de urls
Browse files Browse the repository at this point in the history
  • Loading branch information
@altendorfme
altendorfme committed Jan 24, 2025
1 parent 7013b56 commit ab2e596
Show file tree
Hide file tree
Showing 4 changed files with 103 additions and 111 deletions.
82 changes: 23 additions & 59 deletions app/inc/URLAnalyzer.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -234,33 +234,27 @@ public function analyze($url)
// Reset das regras ativadas para nova análise
$this->activatedRules = [];

// 1. Clean URL / Limpa a URL
$cleanUrl = $this->cleanUrl($url);
if (!$cleanUrl) {
$this->throwError(self::ERROR_INVALID_URL);
}

// 2. Check cache / Verifica cache
if ($this->cache->exists($cleanUrl)) {
return $this->cache->get($cleanUrl);
// 1. Check cache / Verifica cache
if ($this->cache->exists($url)) {
return $this->cache->get($url);
}

// 3. Check blocked domains / Verifica domínios bloqueados
$host = parse_url($cleanUrl, PHP_URL_HOST);
// 2. Check blocked domains / Verifica domínios bloqueados
$host = parse_url($url, PHP_URL_HOST);
if (!$host) {
$this->throwError(self::ERROR_INVALID_URL);
}
$host = preg_replace('/^www\./', '', $host);

if (in_array($host, BLOCKED_DOMAINS)) {
Logger::getInstance()->logUrl($cleanUrl, 'BLOCKED_DOMAIN');
Logger::getInstance()->logUrl($url, 'BLOCKED_DOMAIN');
$this->throwError(self::ERROR_BLOCKED_DOMAIN);
}

// Check URL status code before proceeding
$redirectInfo = $this->checkStatus($cleanUrl);
// 3. Check URL status code before proceeding
$redirectInfo = $this->checkStatus($url);
if ($redirectInfo['httpCode'] !== 200) {
Logger::getInstance()->logUrl($cleanUrl, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
Logger::getInstance()->logUrl($url, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
if ($redirectInfo['httpCode'] === 404) {
$this->throwError(self::ERROR_NOT_FOUND);
} else {
Expand All @@ -279,33 +273,33 @@ public function analyze($url)
$content = null;
switch ($fetchStrategy) {
case 'fetchContent':
$content = $this->fetchContent($cleanUrl);
$content = $this->fetchContent($url);
break;
case 'fetchFromWaybackMachine':
$content = $this->fetchFromWaybackMachine($cleanUrl);
$content = $this->fetchFromWaybackMachine($url);
break;
case 'fetchFromSelenium':
$content = $this->fetchFromSelenium($cleanUrl, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
$content = $this->fetchFromSelenium($url, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
break;
}

if (!empty($content)) {
$this->activatedRules[] = "fetchStrategy: $fetchStrategy";
$processedContent = $this->processContent($content, $host, $cleanUrl);
$this->cache->set($cleanUrl, $processedContent);
$processedContent = $this->processContent($content, $host, $url);
$this->cache->set($url, $processedContent);
return $processedContent;
}
} catch (Exception $e) {
Logger::getInstance()->logUrl($cleanUrl, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
Logger::getInstance()->logUrl($url, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
throw $e;
}
}

// 5. Try all strategies in sequence
$fetchStrategies = [
['method' => 'fetchContent', 'args' => [$cleanUrl]],
['method' => 'fetchFromWaybackMachine', 'args' => [$cleanUrl]],
['method' => 'fetchFromSelenium', 'args' => [$cleanUrl, 'firefox']]
['method' => 'fetchContent', 'args' => [$url]],
['method' => 'fetchFromWaybackMachine', 'args' => [$url]],
['method' => 'fetchFromSelenium', 'args' => [$url, 'firefox']]
];

$lastError = null;
Expand All @@ -314,8 +308,8 @@ public function analyze($url)
$content = call_user_func_array([$this, $strategy['method']], $strategy['args']);
if (!empty($content)) {
$this->activatedRules[] = "fetchStrategy: {$strategy['method']}";
$processedContent = $this->processContent($content, $host, $cleanUrl);
$this->cache->set($cleanUrl, $processedContent);
$processedContent = $this->processContent($content, $host, $url);
$this->cache->set($url, $processedContent);
return $processedContent;
}
} catch (Exception $e) {
Expand All @@ -326,7 +320,7 @@ public function analyze($url)
}

// If we get here, all strategies failed
Logger::getInstance()->logUrl($cleanUrl, 'GENERAL_FETCH_ERROR');
Logger::getInstance()->logUrl($url, 'GENERAL_FETCH_ERROR');
if ($lastError) {
$message = $lastError->getMessage();
if (strpos($message, 'DNS') !== false) {
Expand Down Expand Up @@ -432,8 +426,8 @@ private function fetchContent($url)
*/
private function fetchFromWaybackMachine($url)
{
$cleanUrl = preg_replace('#^https?://#', '', $url);
$availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($cleanUrl);
$url = preg_replace('#^https?://#', '', $url);
$availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($url);

$curl = new Curl();
$curl->setOpt(CURLOPT_FOLLOWLOCATION, true);
Expand Down Expand Up @@ -552,36 +546,6 @@ private function fetchFromSelenium($url, $browser = 'firefox')
}
}

/**
* Clean and normalize a URL
* Limpa e normaliza uma URL
*/
private function cleanUrl($url)
{
$url = trim($url);

if (!filter_var($url, FILTER_VALIDATE_URL)) {
return false;
}

if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
$url = 'https://' . $matches[2] . $matches[3];
}

$parts = parse_url($url);
if (!isset($parts['scheme']) || !isset($parts['host'])) {
return false;
}

$cleanedUrl = $parts['scheme'] . '://' . $parts['host'];

if (isset($parts['path'])) {
$cleanedUrl .= $parts['path'];
}

return $cleanedUrl;
}

/**
* Get specific rules for a domain
* Obtém regras específicas para um domínio
Expand Down
94 changes: 77 additions & 17 deletions app/src/Router.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,21 +50,19 @@ public function __construct()
$message_type = '';
$url = '';

// Processa mensagens da query string
// Process query string messages
// Sanitize and process query string messages
if (isset($_GET['message'])) {
$message_key = $_GET['message'];
$message_key = htmlspecialchars(trim($_GET['message']), ENT_QUOTES | ENT_HTML5, 'UTF-8');
$messageData = \Language::getMessage($message_key);
$message = $messageData['message'];
$message_type = $messageData['type'];
$message = htmlspecialchars($messageData['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
$message_type = htmlspecialchars($messageData['type'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Processa submissão do formulário
// Process form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['url'])) {
$url = filter_var($_POST['url'], FILTER_SANITIZE_URL);
$url = $this->sanitizeUrl($_POST['url']);
if (filter_var($url, FILTER_VALIDATE_URL)) {
header('Location: ' . SITE_URL . '/p/' . urlencode($url));
header('Location: ' . SITE_URL . '/p/' . $url);
exit;
} else {
$messageData = \Language::getMessage('INVALID_URL');
Expand All @@ -84,7 +82,7 @@ public function __construct()
// Rota da API - usa URLProcessor em modo API
// API route - uses URLProcessor in API mode
$r->addRoute('GET', '/api/{url:.+}', function($vars) {
$processor = new URLProcessor($vars['url'], true);
$processor = new URLProcessor($this->sanitizeUrl($vars['url']), true);
$processor->process();
});

Expand All @@ -98,23 +96,23 @@ public function __construct()
// Rota de processamento - usa URLProcessor em modo web
// Processing route - uses URLProcessor in web mode
$r->addRoute('GET', '/p/{url:.+}', function($vars) {
$processor = new URLProcessor($vars['url'], false);
$processor = new URLProcessor($this->sanitizeUrl($vars['url']), false);
$processor->process();
});

// Rota de processamento com query parameter ou sem parâmetros
// Processing route with query parameter or without parameters
$r->addRoute('GET', '/p[/]', function() {
if (isset($_GET['url']) || isset($_GET['text'])) {
$url = isset($_GET['url']) ? $_GET['url'] : '';
$text = isset($_GET['text']) ? $_GET['text'] : '';
// Sanitize input parameters
$url = isset($_GET['url']) ? $this->sanitizeUrl($_GET['url']) : '';
$text = isset($_GET['text']) ? $this->sanitizeUrl($_GET['text']) : '';

// Check which parameter is a valid URL
if (filter_var($url, FILTER_VALIDATE_URL)) {
header('Location: /p/' . urlencode($url));
header('Location: /p/' . $url);
exit;
} elseif (filter_var($text, FILTER_VALIDATE_URL)) {
header('Location: /p/' . urlencode($text));
header('Location: /p/' . $text);
exit;
} else {
header('Location: /?message=INVALID_URL');
Expand All @@ -134,11 +132,73 @@ public function __construct()
}

/**
* Despacha a requisição para a rota apropriada
* Dispatches the request to the appropriate route
* Sanitizes URLs to prevent XSS and injection attacks
* Sanitiza URLs para prevenir ataques XSS e injeções
*
* @param string $url The URL to sanitize
* @return string The sanitized URL
*/
/**
* Sanitizes and normalizes URLs
* Sanitiza e normaliza URLs
*
* @param string $url The URL to sanitize and normalize
* @return string|false The cleaned URL or false if invalid
*/
private function sanitizeUrl(string $url): string
{
$url = trim($url);

// Basic URL validation
if (!filter_var($url, FILTER_VALIDATE_URL)) {
return '';
}

// Handle AMP URLs
if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
$url = 'https://' . $matches[2] . $matches[3];
}

// Parse and reconstruct URL to ensure proper structure
$parts = parse_url($url);
if (!isset($parts['scheme']) || !isset($parts['host'])) {
return '';
}

$cleanedUrl = $parts['scheme'] . '://' . $parts['host'];

if (isset($parts['path'])) {
$cleanedUrl .= $parts['path'];
}

// Remove control characters and sanitize
$cleanedUrl = preg_replace('/[\x00-\x1F\x7F]/', '', $cleanedUrl);
$cleanedUrl = filter_var($cleanedUrl, FILTER_SANITIZE_URL);

// Convert special characters to HTML entities
return htmlspecialchars($cleanedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
* Sets security headers for all responses
* Define cabeçalhos de segurança para todas as respostas
*/
private function setSecurityHeaders()
{
// Set security headers
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
}

public function dispatch()
{
$this->setSecurityHeaders();

$httpMethod = $_SERVER['REQUEST_METHOD'];
$uri = $_SERVER['REQUEST_URI'];

Expand Down
16 changes: 1 addition & 15 deletions app/src/URLProcessor.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ public function __construct(string $url = '', bool $isApi = false)
require_once __DIR__ . '/../inc/URLAnalyzer.php';
require_once __DIR__ . '/../inc/Language.php';

$this->url = urldecode($url);
$this->url = $url;
$this->isApi = $isApi;
$this->analyzer = new \URLAnalyzer();

Expand Down Expand Up @@ -82,20 +82,6 @@ private function redirect(string $path, string $message = ''): void
*/
public function process(): void
{
// Validate URL format
if (!filter_var($this->url, FILTER_VALIDATE_URL)) {
if ($this->isApi) {
$this->sendApiResponse([
'error' => [
'type' => \URLAnalyzer::ERROR_INVALID_URL,
'message' => \Language::getMessage('INVALID_URL')['message']
]
], 400);
} else {
$this->redirect(SITE_URL, \URLAnalyzer::ERROR_INVALID_URL);
}
}

try {
// Check for redirects in web mode
if (!$this->isApi) {
Expand Down
22 changes: 2 additions & 20 deletions default.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,26 +11,8 @@ server {
# Oculta a versão do NGINX para reduzir informações expostas
server_tokens off;

# Security Headers / Cabeçalhos de Segurança
# Enable HSTS (HTTP Strict Transport Security) to force HTTPS connections
# Habilita HSTS (HTTP Strict Transport Security) para forçar conexões HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Prevent clickjacking attacks by allowing the site to be displayed only in its own domain
# Previne ataques de clickjacking, permitindo que o site seja exibido apenas em seu próprio domínio
add_header X-Frame-Options "SAMEORIGIN" always;

# Enable protection against Cross-Site Scripting (XSS) attacks
# Ativa proteção contra ataques de Cross-Site Scripting (XSS)
add_header X-XSS-Protection "1; mode=block" always;

# Prevent browsers from MIME-type sniffing
# Impede que navegadores tentem adivinhar (sniff) o tipo MIME dos arquivos
add_header X-Content-Type-Options "nosniff" always;

# Control how referrer headers are sent
# Controla como os cabeçalhos de referência são enviados
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# NGINX-specific security configurations
# Configurações de segurança específicas do NGINX

# Limit upload size to prevent denial of service attacks
# Limita o tamanho de uploads para prevenir ataques de negação de serviço
Expand Down

0 comments on commit ab2e596

Please sign in to comment.