TrustedProxyMiddleware - Code Metrics - Inspection of "Merge pull request #7052 from sminnee/director-mid..." - silverstripe/silverstripe-framework - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( daed8c...cf758d )

by Damian

created 2017-06-27 02:21 UTC

TrustedProxyMiddleware A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	227
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	2

Importance

Changes

Metric	Value
dl	0
loc	227
rs	10
c	0
b	0
f	0
wmc	29
lcom	1
cbo	2

11 Methods

Rating	Name	Size	Complexity
A	getTrustedProxyIPs()	4	1
A	setTrustedProxyIPs()	5	1
A	getProxyHostHeaders()	4	1
A	setProxyHostHeaders()	5	2
A	getProxyIPHeaders()	4	1
A	setProxyIPHeaders()	5	2
A	getProxySchemeHeaders()	4	1
A	setProxySchemeHeaders()	5	2
D	process()	37	9
B	isTrustedProxy()	22	5
B	getIPFromHeaderValue()	22	4

<?php

namespace SilverStripe\Control\Middleware;

use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\Util\IPUtils;

/**
 * This middleware will rewrite headers that provide IP and host details from an upstream proxy.
 */
class TrustedProxyMiddleware implements HTTPMiddleware
{
    /**
     * Comma-separated list of IP ranges that are trusted to provide proxy headers.
     * Can also be 'none' or '*' (all)
     *
     * @var string
     */
    private $trustedProxyIPs = null;

    /**
     * Array of headers from which to lookup the hostname
     *
     * @var array
     */
    private $proxyHostHeaders = [
        'X-Forwarded-Host'
    ];

    /**
     * Array of headers from which to lookup the client IP
     *
     * @var array
     */
    private $proxyIPHeaders = [
        'Client-IP',
        'X-Forwarded-For'
    ];

    /**
     * Array of headers from which to lookup the client scheme (http/https)
     *
     * @var array
     */
    private $proxySchemeHeaders = [
        'X-Forwarded-Protocol',
        'X-Forwarded-Proto',
    ];

    /**
     * Return the comma-separated list of IP ranges that are trusted to provide proxy headers
     * Can also be 'none' or '*' (all)
     *
     * @return string
     */
    public function getTrustedProxyIPs()
    {
        return $this->trustedProxyIPs;
    }

    /**
     * Set the comma-separated list of IP ranges that are trusted to provide proxy headers
     * Can also be 'none' or '*' (all)
     *
     * @param string $trustedProxyIPs
     * @return $this
     */
    public function setTrustedProxyIPs($trustedProxyIPs)
    {
        $this->trustedProxyIPs = $trustedProxyIPs;
        return $this;
    }

    /**
     * Return the array of headers from which to lookup the hostname
     *
     * @return array
     */
    public function getProxyHostHeaders()
    {
        return $this->proxyHostHeaders;
    }

    /**
     * Set the array of headers from which to lookup the hostname.
     *
     * @param array $proxyHostHeaders
     * @return $this
     */
    public function setProxyHostHeaders($proxyHostHeaders)
    {
        $this->proxyHostHeaders = $proxyHostHeaders ?: [];
        return $this;
    }

    /**
     * Return the array of headers from which to lookup the client IP
     *
     * @return array
     */
    public function getProxyIPHeaders()
    {
        return $this->proxyIPHeaders;
    }

    /**
     * Set the array of headers from which to lookup the client IP.
     *
     * @param array $proxyIPHeaders
     * @return $this
     */
    public function setProxyIPHeaders($proxyIPHeaders)
    {
        $this->proxyIPHeaders = $proxyIPHeaders ?: [];
        return $this;
    }

    /**
     * Return the array of headers from which to lookup the client scheme (http/https)
     *
     * @return array
     */
    public function getProxySchemeHeaders()
    {
        return $this->proxySchemeHeaders;
    }

    /**
     * Set array of headers from which to lookup the client scheme (http/https)
     * Can also specify comma-separated list as a single string.
     *
     * @param array $proxySchemeHeaders
     * @return $this
     */
    public function setProxySchemeHeaders($proxySchemeHeaders)
    {
        $this->proxySchemeHeaders = $proxySchemeHeaders ?: [];
        return $this;
    }

    public function process(HTTPRequest $request, callable $delegate)
    {
        // If this is a trust proxy
        if ($this->isTrustedProxy($request)) {
            // Replace host
            foreach ($this->getProxyHostHeaders() as $header) {
                $hostList = $request->getHeader($header);
                if ($hostList) {
                    $request->addHeader('Host', strtok($hostList, ','));
                    break;
                }
            }

            // Replace scheme
            foreach ($this->getProxySchemeHeaders() as $header) {
                $headerValue = $request->getHeader($header);
                if ($headerValue) {
                    $request->setScheme(strtolower($headerValue));
                    break;
                }
            }

            // Replace IP
            foreach ($this->proxyIPHeaders as $header) {
                $headerValue = $request->getHeader($header);
                if ($headerValue) {
                    $ipHeader = $this->getIPFromHeaderValue($headerValue);
                    if ($ipHeader) {
                        $request->setIP($ipHeader);
                        break;
                    }
                }
            }
        }

        return $delegate($request);
    }

    /**
     * Determine if the current request is coming from a trusted proxy
     *
     * @param HTTPRequest $request
     * @return bool True if the request's source IP is a trusted proxy
     */
    protected function isTrustedProxy(HTTPRequest $request)
    {
        $trustedIPs = $this->getTrustedProxyIPs();

        // Disabled
        if (empty($trustedIPs) || $trustedIPs === 'none') {
            return false;
        }

        // Allow all
        if ($trustedIPs === '*') {
            return true;
        }

        // Validate IP address
        $ip = $request->getIP();
        if ($ip) {
            return IPUtils::checkIP($ip, preg_split('/\s*,\s*/', $trustedIPs));
        }

        return false;
    }

    /**
     * Extract an IP address from a header value that has been obtained.
     * Accepts single IP or comma separated string of IPs
     *
     * @param string $headerValue The value from a trusted header
     * @return string The IP address
     */
    protected function getIPFromHeaderValue($headerValue)
    {
        // Sometimes the IP from a load balancer could be "x.x.x.x, y.y.y.y, z.z.z.z"
        // so we need to find the most likely candidate
        $ips = preg_split('/\s*,\s*/', $headerValue);

        // Prioritise filters
        $filters = [
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
            FILTER_FLAG_NO_PRIV_RANGE,
            null
        ];
        foreach ($filters as $filter) {
            // Find best IP
            foreach ($ips as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, $filter)) {
                    return $ip;
                }
            }
        }
        return null;
    }
}


1			<?php
2
3			namespace SilverStripe\Control\Middleware;
4
5			use SilverStripe\Control\HTTPRequest;
6			use SilverStripe\Control\Util\IPUtils;
7
8			/**
9			* This middleware will rewrite headers that provide IP and host details from an upstream proxy.
10			*/
11			class TrustedProxyMiddleware implements HTTPMiddleware
12			{
13			/**
14			* Comma-separated list of IP ranges that are trusted to provide proxy headers.
15			* Can also be 'none' or '*' (all)
16			*
17			* @var string
18			*/
19			private $trustedProxyIPs = null;
20
21			/**
22			* Array of headers from which to lookup the hostname
23			*
24			* @var array
25			*/
26			private $proxyHostHeaders = [
27			'X-Forwarded-Host'
28			];
29
30			/**
31			* Array of headers from which to lookup the client IP
32			*
33			* @var array
34			*/
35			private $proxyIPHeaders = [
36			'Client-IP',
37			'X-Forwarded-For'
38			];
39
40			/**
41			* Array of headers from which to lookup the client scheme (http/https)
42			*
43			* @var array
44			*/
45			private $proxySchemeHeaders = [
46			'X-Forwarded-Protocol',
47			'X-Forwarded-Proto',
48			];
49
50			/**
51			* Return the comma-separated list of IP ranges that are trusted to provide proxy headers
52			* Can also be 'none' or '*' (all)
53			*
54			* @return string
55			*/
56			public function getTrustedProxyIPs()
57			{
58			return $this->trustedProxyIPs;
59			}
60
61			/**
62			* Set the comma-separated list of IP ranges that are trusted to provide proxy headers
63			* Can also be 'none' or '*' (all)
64			*
65			* @param string $trustedProxyIPs
66			* @return $this
67			*/
68			public function setTrustedProxyIPs($trustedProxyIPs)
69			{
70			$this->trustedProxyIPs = $trustedProxyIPs;
71			return $this;
72			}
73
74			/**
75			* Return the array of headers from which to lookup the hostname
76			*
77			* @return array
78			*/
79			public function getProxyHostHeaders()
80			{
81			return $this->proxyHostHeaders;
82			}
83
84			/**
85			* Set the array of headers from which to lookup the hostname.
86			*
87			* @param array $proxyHostHeaders
88			* @return $this
89			*/
90			public function setProxyHostHeaders($proxyHostHeaders)
91			{
92			$this->proxyHostHeaders = $proxyHostHeaders ?: [];
93			return $this;
94			}
95
96			/**
97			* Return the array of headers from which to lookup the client IP
98			*
99			* @return array
100			*/
101			public function getProxyIPHeaders()
102			{
103			return $this->proxyIPHeaders;
104			}
105
106			/**
107			* Set the array of headers from which to lookup the client IP.
108			*
109			* @param array $proxyIPHeaders
110			* @return $this
111			*/
112			public function setProxyIPHeaders($proxyIPHeaders)
113			{
114			$this->proxyIPHeaders = $proxyIPHeaders ?: [];
115			return $this;
116			}
117
118			/**
119			* Return the array of headers from which to lookup the client scheme (http/https)
120			*
121			* @return array
122			*/
123			public function getProxySchemeHeaders()
124			{
125			return $this->proxySchemeHeaders;
126			}
127
128			/**
129			* Set array of headers from which to lookup the client scheme (http/https)
130			* Can also specify comma-separated list as a single string.
131			*
132			* @param array $proxySchemeHeaders
133			* @return $this
134			*/
135			public function setProxySchemeHeaders($proxySchemeHeaders)
136			{
137			$this->proxySchemeHeaders = $proxySchemeHeaders ?: [];
138			return $this;
139			}
140
141			public function process(HTTPRequest $request, callable $delegate)
142			{
143			// If this is a trust proxy
144			if ($this->isTrustedProxy($request)) {
145			// Replace host
146			foreach ($this->getProxyHostHeaders() as $header) {
147			$hostList = $request->getHeader($header);
148			if ($hostList) {
149			$request->addHeader('Host', strtok($hostList, ','));
150			break;
151			}
152			}
153
154			// Replace scheme
155			foreach ($this->getProxySchemeHeaders() as $header) {
156			$headerValue = $request->getHeader($header);
157			if ($headerValue) {
158			$request->setScheme(strtolower($headerValue));
159			break;
160			}
161			}
162
163			// Replace IP
164			foreach ($this->proxyIPHeaders as $header) {
165			$headerValue = $request->getHeader($header);
166			if ($headerValue) {
167			$ipHeader = $this->getIPFromHeaderValue($headerValue);
168			if ($ipHeader) {
169			$request->setIP($ipHeader);
170			break;
171			}
172			}
173			}
174			}
175
176			return $delegate($request);
177			}
178
179			/**
180			* Determine if the current request is coming from a trusted proxy
181			*
182			* @param HTTPRequest $request
183			* @return bool True if the request's source IP is a trusted proxy
184			*/
185			protected function isTrustedProxy(HTTPRequest $request)
186			{
187			$trustedIPs = $this->getTrustedProxyIPs();
188
189			// Disabled
190			if (empty($trustedIPs) \|\| $trustedIPs === 'none') {
191			return false;
192			}
193
194			// Allow all
195			if ($trustedIPs === '*') {
196			return true;
197			}
198
199			// Validate IP address
200			$ip = $request->getIP();
201			if ($ip) {
202			return IPUtils::checkIP($ip, preg_split('/\s,\s/', $trustedIPs));
203			}
204
205			return false;
206			}
207
208			/**
209			* Extract an IP address from a header value that has been obtained.
210			* Accepts single IP or comma separated string of IPs
211			*
212			* @param string $headerValue The value from a trusted header
213			* @return string The IP address
214			*/
215			protected function getIPFromHeaderValue($headerValue)
216			{
217			// Sometimes the IP from a load balancer could be "x.x.x.x, y.y.y.y, z.z.z.z"
218			// so we need to find the most likely candidate
219			$ips = preg_split('/\s,\s/', $headerValue);
220
221			// Prioritise filters
222			$filters = [
223			FILTER_FLAG_NO_PRIV_RANGE \| FILTER_FLAG_NO_RES_RANGE,
224			FILTER_FLAG_NO_PRIV_RANGE,
225			null
226			];
227			foreach ($filters as $filter) {
228			// Find best IP
229			foreach ($ips as $ip) {
230			if (filter_var($ip, FILTER_VALIDATE_IP, $filter)) {
231			return $ip;
232			}
233			}
234			}
235			return null;
236			}
237			}
238

silverstripe / silverstripe-framework

Push — master ( daed8c...cf758d )

TrustedProxyMiddleware A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

11 Methods

Duplication Side-by-Side

Filter issues like