Add phar

nicoSWD · Apr 14, 2019 · 70e5d55 · 70e5d55
1 parent b441bbe
commit 70e5d55
Show file tree

Hide file tree

Showing 13 changed files with 117 additions and 14 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
-.DS_Store
 /.idea/
 /vendor/
 /composer.lock
+/build/*.phar
diff --git a/LICENSE.md b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018 Nicolas Oelgart
+Copyright (c) 2019 Nicolas Oelgart
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/Makefile b/Makefile
@@ -0,0 +1,17 @@
+.DEFAULT_GOAL := build-phar
+.PHONY: clean
+
+build-phar:
+		composer install --no-dev
+		php ./bin/create-phar.php ./build/httpsec.phar
+
+install:
+		cp ./build/httpsec.phar /usr/local/bin/httpsec
+		chmod u+x /usr/local/bin/httpsec
+
+test:
+		composer install --dev
+		./vendor/bin/phpunit
+
+clean:
+		rm ./build/httpsec.phar
diff --git a/README.md b/README.md
@@ -1,3 +1,35 @@
-# Security Headers Check
+# httpsec (beta)
 
-WIP
+Test a site's HTTP headers for possible security issues
+
+**Basic usage**
+```shell
+$ httpsec https://www.target.com
+```
+
+**Advances usage**
+
+If you're trying to test a site that requires authentication, a POST request, or anything
+of the like, you can use `curl` and pipe the result to `httpsec`
+```shell
+$ curl https://yahoo.com/ --head | httpsec
+```
+
+**Screenshot**
+
+![screenshot](resources/screenshots/screenshot.png)
+
+**Build**
+```shell
+$ make
+```
+
+**Test**
+```shell
+$ make test
+```
+
+**Install**
+```shell
+$ make install
+```
diff --git a/bin/create-phar.php b/bin/create-phar.php
@@ -0,0 +1,33 @@
+<?php declare(strict_types=1);
+
+require __DIR__ . '/../vendor/autoload.php';
+
+use Symfony\Component\Finder\Finder;
+
+if (!isset($argv[1])) {
+    echo 'No output filename supplied', PHP_EOL;
+    exit(1);
+}
+
+$pharFile = $argv[1];
+
+if (is_file($pharFile)) {
+    unlink($pharFile);
+}
+
+$baseDir = dirname(__DIR__);
+
+$finder = new Finder();
+$finder->files()->in([
+    $baseDir . '/bin',
+    $baseDir . '/config',
+    $baseDir . '/src',
+    $baseDir . '/vendor'
+]);
+
+$phar = new Phar($pharFile);
+$phar->setStub("#!/usr/bin/env php\n<?php Phar::mapPhar('phpsec.phar'); require 'phar://phpsec.phar/bin/run.php'; __HALT_COMPILER();");
+$phar->compress(Phar::GZ);
+$phar->buildFromIterator($finder->getIterator(), $baseDir);
+
+echo "$pharFile successfully created", PHP_EOL;
diff --git a/bin/header-audit → bin/run.php b/bin/header-audit → bin/run.php
@@ -1,5 +1,4 @@
-#!/usr/bin/env php
-<?php
+<?php declare(strict_types=1);
 
 require __DIR__ . '/../vendor/autoload.php';
 

diff --git a/build/.gitkeep b/build/.gitkeep
diff --git a/composer.json b/composer.json
@@ -1,13 +1,14 @@
 {
-    "name": "nicoswd/sec-header-check",
+    "name": "nicoswd/httpsec",
     "type": "library",
     "description": "Check security headers",
     "require": {
         "symfony/console": "^4.1",
         "symfony/config": "^4.1",
         "symfony/dependency-injection": "^4.1",
         "symfony/yaml": "^4.1",
-        "ext-json": "*"
+        "ext-json": "*",
+        "symfony/finder": "^4.2"
     },
     "require-dev": {
         "phpunit/phpunit": "^7.4",

diff --git a/resources/screenshots/screenshot.png b/resources/screenshots/screenshot.png
diff --git a/src/Domain/Header/AbstractHeaderProvider.php b/src/Domain/Header/AbstractHeaderProvider.php
@@ -77,7 +77,7 @@ private function getRawHeadersFromRedirectingUrl(URL $url, HttpHeaderBag $header
             }
 
             $headers = $this->getHeadersFromString(
-                $this->getRawHeaders($url->redirectTo($headers->get('location')[0]))
+                $this->getRawHeaders($url->redirectTo($headers->getFirst('location')))
             );
         }
 

diff --git a/src/Domain/Header/HttpHeaderBag.php b/src/Domain/Header/HttpHeaderBag.php
@@ -43,6 +43,11 @@ public function get(string $headerName): array
         return $headers;
     }
 
+    public function getFirst(string $headerName): HttpHeader
+    {
+        return $this->get($headerName)[0];
+    }
+
     /** @return HttpHeader|bool */
     public function current()
     {

diff --git a/src/Domain/Result/Warning/XFrameOptionsNotNecessaryDueToValidContentSecurityPolicyKudos.php b/src/Domain/Result/Warning/XFrameOptionsNotNecessaryDueToValidContentSecurityPolicyKudos.php
@@ -0,0 +1,15 @@
+<?php declare(strict_types=1);
+
+/**
+ * @license  http://opensource.org/licenses/mit-license.php MIT
+ * @link     https://github.com/nicoSWD
+ * @author   Nicolas Oelgart <nico@oelgart.com>
+ */
+namespace nicoSWD\SecHeaderCheck\Domain\Result\Warning;
+
+use nicoSWD\SecHeaderCheck\Domain\Result\Kudos;
+
+final class XFrameOptionsNotNecessaryDueToValidContentSecurityPolicyKudos extends Kudos
+{
+    protected $message = 'Not necessary due to valid Content-Security-Policy frame-ancestors';
+}
diff --git a/src/Infrastructure/ResultPrinter/ConsoleResultPrinter.php b/src/Infrastructure/ResultPrinter/ConsoleResultPrinter.php
@@ -60,7 +60,7 @@ public function getOutput(AuditionResult $scanResults, OutputOptions $outputOpti
             $output .= '  <bg=green;fg=black>                            </>' . PHP_EOL ;
         }
 
-        $output .= PHP_EOL .'Total Score: <comment>' . $scanResults->getScore() . '</comment> out of <comment>10</comment> (<fg=red>Fail</>)';
+//        $output .= PHP_EOL .'Total Score: <comment>' . $scanResults->getScore() . '</comment> out of <comment>10</comment> (<fg=red>Fail</>)';
 
         return $output;
     }
@@ -73,9 +73,10 @@ private function prettyName($headerName): string
     private function getWarnings(ObservationCollection $observations): string
     {
         $out = '';
+        $c = 1;
 
         foreach ($observations as $observation) {
-            $out .= PHP_EOL . '   =>';
+            $out .= PHP_EOL . '  ' . $c++ . ')';
 
             if ($observation->isInfo()) {
                 $out .= '<fg=yellow> ' . (string) $observation . '</> ';
@@ -98,18 +99,18 @@ private function shortenHeaderValue(string $headerName, string $headerValue): st
         if ($headerName === SecurityHeader::SET_COOKIE) {
             $callback = function (array $match): string {
                 if (strlen($match['value']) < 20) {
-                    return $match['all'];
+                    return $match['full_match'];
                 }
 
                 return sprintf(
-                    '%s=s%s<bg=cyan>(...)</>%s',
+                    '%s=%s<bg=cyan>(...)</>%s',
                     $match['name'],
                     substr($match['value'], 0, 8),
                     substr($match['value'], -8)
                 );
             };
 
-            return preg_replace_callback('~^(?<all>(?<name>.*?)=(?<value>.*?;))~', $callback, $headerValue);
+            return preg_replace_callback('~(?<full_match>(?<name>.*?)=(?<value>.*?;))~', $callback, $headerValue);
         }
 
         return $headerValue;