<?php |
namespace Mvdstam\Oauth2ServerLaravel\Commands; |
use Exception; |
use Illuminate\Console\Command; |
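class GenerateKeyPairCommand extends Command
{
    /**
     * @var string
     */
    protected $signature = 'oauth2-server:generate-key-pair {passphrase?}';

    /**
     * @var string
     */
    protected $description = 'Generate a RSA keypair for use in your OAuth2 server';

    /**
     * Generate an RSA key pair and store it as public.pem / private.pem under
     * storage/app/oauth2-server.
     *
     * Existing key files are never overwritten, so a running server's keys
     * cannot be rotated from under it by accident. The private key is written
     * with owner-only (0600) permissions; the public key with 0644.
     *
     * @return void
     *
     * @throws Exception when the directory cannot be created, the key files
     *                   already exist, OpenSSL fails, or a file cannot be written
     */
    public function handle()
    {
        $passphrase = $this->argument('passphrase');

        // A passphrase passed as a CLI argument ends up in shell history and
        // process listings; the hidden interactive prompt is the safer route.
        // Compare explicitly so a passphrase of "0" is not treated as "absent".
        if ($passphrase === null || $passphrase === '') {
            $passphrase = $this->secret('Enter passphrase or leave empty (not recommended)');
        }

        $this->info('Creating storage directory...');
        $storagePath = storage_path('app/oauth2-server');
        // 0700 (not 0777): the directory holds the private key. If the web
        // server runs as a different user than this command, grant access via
        // group ownership rather than by loosening the mode. An already-existing
        // directory keeps whatever mode it has.
        if (!is_dir($storagePath) && !mkdir($storagePath, 0700, true)) {
            throw new Exception('Unable to create storage directory for oauth2 server');
        }

        $publicKeyFile = $storagePath . DIRECTORY_SEPARATOR . 'public.pem';
        $privateKeyFile = $storagePath . DIRECTORY_SEPARATOR . 'private.pem';

        // Check before generating: refuse early rather than after a 4096-bit keygen.
        if (is_file($publicKeyFile) || is_file($privateKeyFile)) {
            throw new Exception('Unable to store keys files because they already exist on disk.');
        }

        $this->info('Generating keypair...');
        list($publicKey, $privateKey) = $this->getKeyPair($passphrase);

        $this->info('Storing keys...');
        // Private key: 0600 (use 0660 if a shared group must read it).
        // league/oauth2-server's CryptKey warns on other modes — TODO confirm for the pinned version.
        if (!$this->writeNewFile($publicKeyFile, $publicKey, 0644)
            || !$this->writeNewFile($privateKeyFile, $privateKey, 0600)
        ) {
            throw new Exception('Unable to write keys to file. Is the directory writable?');
        }

        $this->info('Keys generated succesfully!');
    }

    /**
     * Generate a 4096-bit RSA key pair.
     *
     * @param string|null $passphrase when non-empty the private-key PEM is
     *                                encrypted with it (AES-256-CBC)
     * @return string[] [public key PEM, private key PEM]
     *
     * @throws Exception if OpenSSL fails at any step; the message carries the
     *                   last OpenSSL error so the cause is not silently lost
     */
    protected function getKeyPair($passphrase = null)
    {
        $config = [
            'digest_alg' => 'sha256',
            'private_key_bits' => 4096,
            'private_key_type' => OPENSSL_KEYTYPE_RSA,
        ];

        $keyPair = openssl_pkey_new($config);
        if ($keyPair === false) {
            throw new Exception('Unable to generate RSA key pair: ' . $this->lastOpensslError());
        }

        // PHP's ext/openssl encrypts a passphrase-protected PEM with des-ede3-cbc
        // unless a cipher is requested explicitly; ask for AES-256-CBC. The option
        // is irrelevant when no passphrase is given (the key is then unencrypted).
        $exportOptions = ['encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC];
        if (!openssl_pkey_export($keyPair, $privateKey, $passphrase, $exportOptions)) {
            throw new Exception('Unable to export private key: ' . $this->lastOpensslError());
        }

        $details = openssl_pkey_get_details($keyPair);
        if ($details === false || !isset($details['key'])) {
            throw new Exception('Unable to export public key: ' . $this->lastOpensslError());
        }

        return [
            $details['key'],
            $privateKey,
        ];
    }

    /**
     * Create $path exclusively, restrict its mode, then write $contents.
     *
     * fopen mode 'x' makes the create fail if the file already exists, which
     * closes the check-then-write race against a concurrent run. The mode is
     * applied while the file is still empty, so key material is never on disk
     * under the default umask-derived permissions (typically 0644).
     *
     * @param string $path
     * @param string $contents
     * @param int    $mode     octal permission bits, e.g. 0600
     * @return bool true when the whole of $contents was written
     */
    private function writeNewFile($path, $contents, $mode)
    {
        $handle = fopen($path, 'xb');
        if ($handle === false) {
            return false;
        }

        $written = chmod($path, $mode) && fwrite($handle, $contents) === strlen($contents);
        fclose($handle);

        if (!$written) {
            // Do not leave a truncated or half-written key behind.
            unlink($path);
        }

        return $written;
    }

    /**
     * Drain the OpenSSL error queue and return the most recent message.
     *
     * @return string the last queued OpenSSL error, or a placeholder if none
     */
    private function lastOpensslError()
    {
        $last = 'unknown OpenSSL error';
        while (($message = openssl_error_string()) !== false) {
            $last = $message;
        }

        return $last;
    }
}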
`$storagePath` can contain request data and is used in file manipulation context(s), leading to a potential security vulnerability. 1 path for user data to reach this point.
Reviewer note: `$storagePath` is built by `storage_path('app/oauth2-server')` from a string literal, and the trace below reaches it only through the console-request bootstrap (`$_SERVER` → `Request::create()` → the container), not through a request parameter. Treat this as a likely false positive, but confirm that the application base path `storage_path()` resolves against is not derived from request data before dismissing it.
$_SERVER
in vendor/src/Illuminate/Foundation/Bootstrap/SetRequestForConsole.php on line 20
in vendor/Request.php on line 324
in vendor/Request.php on line 1936
\Illuminate\Http\Request::create($url, 'GET', array(), array(), array(), $_SERVER)
is passed to Container::instance() in vendor/src/Illuminate/Foundation/Bootstrap/SetRequestForConsole.php on line 20
in vendor/src/Illuminate/Container/Container.php on line 346
in vendor/src/Illuminate/Container/Container.php on line 635
in vendor/src/Illuminate/Foundation/helpers.php on line 106
in vendor/src/Illuminate/Foundation/helpers.php on line 759
`$storagePath`
is assigned in src/Commands/GenerateKeyPairCommand.php on line 28
General strategies to prevent injection
In general, it is advisable to prevent any user data from reaching this point. This can be done by allow-listing (white-listing) the permitted values:
For numeric data, we recommend explicitly casting the data: