class TrustedHosts in Security Review 8
Checks for base_url and trusted_host_patterns settings in settings.php.
Hierarchy
- class \Drupal\security_review\Check uses DependencySerializationTrait, StringTranslationTrait
- class \Drupal\security_review\Checks\TrustedHosts
1 file declares its use of TrustedHosts
- security_review.module in ./
security_review.module - Site security review and reporting Drupal module.
File
- src/
Checks/ TrustedHosts.php, line 14
Namespace
Drupal\security_review\Checks
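class TrustedHosts extends Check {

  /**
   * {@inheritdoc}
   *
   * Attaches the check-specific settings handler on top of the base Check
   * configuration; the handler supplies the 'method' option read in run().
   */
  public function __construct() {
    parent::__construct();
    $this->settings = new TrustedHostSettings($this, $this->config);
  }

  /**
   * {@inheritdoc}
   */
  public function getNamespace() {
    return 'Security Review';
  }

  /**
   * {@inheritdoc}
   */
  public function getTitle() {
    return 'Trusted hosts';
  }

  /**
   * {@inheritdoc}
   *
   * Looks for $base_url or $settings['trusted_host_patterns'] in the site's
   * settings.php, using either tokenization (default, the file is parsed but
   * not executed) or inclusion (the file is executed in an isolated scope).
   *
   * Result semantics:
   * - INFO (not stored): settings.php is missing or unreadable.
   * - SUCCESS: at least one of the two settings is present.
   * - FAIL: neither is present; findings describe what was inspected.
   *
   * Only presence is tested by both methods: an empty
   * $settings['trusted_host_patterns'] = [] still counts as "set".
   * NOTE(review): confirm the targeted core release honours a $base_url
   * assignment in settings.php; if it does not, matching it here over-reports
   * SUCCESS.
   */
  public function run() {
    $findings = [];
    $settings_php = $this->security()->sitePath() . '/settings.php';

    if (!file_exists($settings_php)) {
      return $this->createResult(CheckResult::INFO, [], FALSE);
    }

    if ($this->settings()->get('method', 'token') === 'token') {
      // Default: tokenize the file without executing it.
      $content = file_get_contents($settings_php);
      if ($content === FALSE) {
        // Unreadable means "cannot tell", not "not set"; treat it like a
        // missing file rather than reporting a failure.
        return $this->createResult(CheckResult::INFO, [], FALSE);
      }
      list($base_url_set, $trusted_host_patterns_set) = $this->scanSettingsTokens($content);
    }
    else {
      // Inclusion executes settings.php; the helper keeps the variables it
      // defines out of this method's scope.
      list($base_url_set, $trusted_host_patterns_set) = $this->includeSettings($settings_php);
    }

    // Either setting satisfies the check, regardless of which method found it.
    $result = ($base_url_set || $trusted_host_patterns_set)
      ? CheckResult::SUCCESS
      : CheckResult::FAIL;

    if ($result === CheckResult::FAIL) {
      // Record what was inspected so evaluate() can explain the failure.
      global $base_url;
      $findings['base_url'] = $base_url;
      $findings['settings'] = $settings_php;
      $findings['base_url_set'] = $base_url_set;
      $findings['trusted_host_patterns_set'] = $trusted_host_patterns_set;
    }

    return $this->createResult($result, $findings);
  }

  /**
   * Scans PHP source for $base_url and $settings['trusted_host_patterns'].
   *
   * The source is tokenized, never executed. A T_VARIABLE token named
   * $base_url counts as "set". A string token whose quoted value is
   * 'trusted_host_patterns' counts only when a $settings variable token
   * appeared earlier on the same source line, which is how
   * $settings['trusted_host_patterns'] = ... tokenizes. Comments are separate
   * token types, so commented-out assignments do not match.
   *
   * @param string $content
   *   PHP source text of settings.php.
   *
   * @return bool[]
   *   Two flags: [$base_url_set, $trusted_host_patterns_set].
   */
  protected function scanSettingsTokens($content) {
    $base_url_set = FALSE;
    $trusted_host_patterns_set = FALSE;
    // Line number of the most recently seen $settings variable token.
    $prev_settings_line = -1;

    foreach (token_get_all($content) as $token) {
      if (!is_array($token)) {
        // Single-character tokens ('=', '[', ';') carry no line number.
        continue;
      }
      list($id, $text, $line) = $token;
      $is_variable = $id === T_VARIABLE;
      $is_string = $id === T_CONSTANT_ENCAPSED_STRING;

      if ($is_variable && $text === '$base_url') {
        $base_url_set = TRUE;
      }
      if ($is_string && $line === $prev_settings_line && trim($text, "\"'") === 'trusted_host_patterns') {
        $trusted_host_patterns_set = TRUE;
      }
      if ($base_url_set && $trusted_host_patterns_set) {
        // Nothing more to learn from the rest of the file.
        break;
      }
      if ($is_variable && $text === '$settings') {
        $prev_settings_line = $line;
      }
    }

    return [$base_url_set, $trusted_host_patterns_set];
  }

  /**
   * Includes settings.php and inspects the variables it defines.
   *
   * The file is executed in this method's local scope, so whatever it assigns
   * ($databases, $settings, or a variable that happens to share a name with
   * one of run()'s locals) cannot clobber the caller's state.
   * NOTE(review): a settings.php that references $app_root or $site_path
   * (for example to pull in settings.local.php) sees them undefined here;
   * confirm whether that matters for sites using the inclusion method.
   *
   * @param string $settings_php
   *   Path to settings.php.
   *
   * @return bool[]
   *   Two flags: [$base_url_set, $trusted_host_patterns_set].
   */
  protected function includeSettings($settings_php) {
    include $settings_php;
    return [isset($base_url), isset($settings['trusted_host_patterns'])];
  }

  /**
   * {@inheritdoc}
   *
   * Explains why Drupal needs to know its own URL(s) and what an HTTP host
   * header attack is.
   */
  public function help() {
    $paragraphs = [];
    $paragraphs[] = $this->t('Often Drupal needs to know the URL(s) it is responding from in order to build full links back to itself (e.g. password reset links sent via email). Until you explicitly tell Drupal what full or partial URL(s) it should respond for it must dynamically detect it based on the incoming request, something that can be malicously spoofed in order to trick someone into unknowningly visiting an attacker\'s site (known as a HTTP host header attack).');

    return [
      '#theme' => 'check_help',
      '#title' => $this->t('Drupal trusted hosts'),
      '#paragraphs' => $paragraphs,
    ];
  }

  /**
   * {@inheritdoc}
   *
   * Builds the evaluation page for a FAIL result: the URL the site is
   * currently responding from, the settings.php location, and remediation
   * guidance. Returns an empty array for any other result.
   */
  public function evaluate(CheckResult $result) {
    if ($result->result() !== CheckResult::FAIL) {
      return [];
    }

    // The request-derived base URL is what an attacker could influence when
    // neither setting is configured.
    global $base_url;
    $settings_php = $this->security()->sitePath() . '/settings.php';

    $paragraphs = [];
    $paragraphs[] = $this->t('This site is responding from the URL: :url.', [
      ':url' => $base_url,
    ]);
    $paragraphs[] = $this->t('If the site should be available only at that URL it is recommended that you set it as the $base_url variable in the settings.php file at @file.', [
      '@file' => $settings_php,
    ]);
    $paragraphs[] = $this->t('If the site has multiple URLs it can respond from you should whitelist host patterns with trusted_host_patterns in settings.php.');
    $paragraphs[] = new Link(
      $this->t('Read more about HTTP Host Header attacks and setting trusted_host_patterns.'),
      Url::fromUri('https://www.drupal.org/node/1992030')
    );

    return [
      '#theme' => 'check_evaluation',
      '#paragraphs' => $paragraphs,
      '#items' => [],
    ];
  }

  /**
   * {@inheritdoc}
   *
   * Maps a CheckResult constant to a one-line, translatable summary.
   */
  public function getMessage($result_const) {
    switch ($result_const) {
      case CheckResult::SUCCESS:
        return $this->t('Either $base_url or trusted_host_patterns is set.');

      case CheckResult::FAIL:
        return $this->t('Neither $base_url nor trusted_host_patterns is set.');

      default:
        return $this->t('Unexpected result.');
    }
  }

}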
Members
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
Check:: |
protected | property | The configuration storage for this check. | |
Check:: |
protected | property | The service container. | |
Check:: |
protected | property | Settings handler for this check. | |
Check:: |
protected | property | The State system. | |
Check:: |
protected | property | The check's prefix in the State system. | |
Check:: |
protected | function | Returns the Security Review Checklist service. | |
Check:: |
protected | function | Returns the Config factory. | |
Check:: |
protected | function | Returns the service container. | |
Check:: |
public | function | Creates a new CheckResult for this Check. | |
Check:: |
protected | function | Returns the current Drupal user. | |
Check:: |
protected | function | Returns the database connection. | |
Check:: |
public | function | Enables the check. Has no effect if the check was not skipped. | |
Check:: |
protected | function | Returns the entity type manager. | |
Check:: |
public | function | Evaluates a CheckResult and returns a plaintext output. | 12 |
Check:: |
public | function | Returns the namespace of the check. | |
Check:: |
public | function | Returns the machine name of the check. | 5 |
Check:: |
final public | function | Returns the identifier constructed using the namespace and title values. | |
Check:: |
public | function | Returns whether the check is skipped. Checks are not skipped by default. | |
Check:: |
protected | function | Returns the Drupal Kernel. | |
Check:: |
public | function | Returns the last stored result of the check. | |
Check:: |
public | function | Returns the timestamp the check was last run. | |
Check:: |
protected | function | Returns the module handler. | |
Check:: |
public | function | Same as run(), but used in CLI context such as Drush. | 2 |
Check:: |
protected | function | Returns the Security Review Security service. | |
Check:: |
protected | function | Returns the Security Review service. | |
Check:: |
public | function | Returns the check-specific settings' handler. | |
Check:: |
public | function | Marks the check as skipped. | |
Check:: |
public | function | Returns the user the check was skipped by. | |
Check:: |
public | function | Returns the timestamp the check was last skipped on. | |
Check:: |
public | function | Stores a result in the state system. | |
Check:: |
public | function | Returns whether the findings should be stored or reproduced when needed. | 2 |
DependencySerializationTrait:: |
protected | property | An array of entity type IDs keyed by the property name of their storages. | |
DependencySerializationTrait:: |
protected | property | An array of service IDs keyed by property name used for serialization. | |
DependencySerializationTrait:: |
public | function | 1 | |
DependencySerializationTrait:: |
public | function | 2 | |
StringTranslationTrait:: |
protected | property | The string translation service. | 1 |
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. | |
TrustedHosts:: |
public | function |
Returns the evaluation page of a result. Overrides Check:: |
|
TrustedHosts:: |
public | function |
Converts a result integer to a human-readable result message. Overrides Check:: |
|
TrustedHosts:: |
public | function |
Returns the namespace of the check. Overrides Check:: |
|
TrustedHosts:: |
public | function |
Returns the human-readable title of the check. Overrides Check:: |
|
TrustedHosts:: |
public | function |
Returns the check-specific help page. Overrides Check:: |
|
TrustedHosts:: |
public | function |
The actual procedure of carrying out the check. Overrides Check:: |
|
TrustedHosts:: |
public | function |
Initializes the configuration storage and the settings handler. Overrides Check:: |