terrylinooo /
shieldon
| Total Complexity | 40 |
| Total Lines | 407 |
| Duplicated Lines | 0 % |
| Changes | 0 | ||
Complex classes like FilterTrait often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use FilterTrait, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 23 | trait FilterTrait |
||
| 24 | { |
||
| 25 | /** |
||
| 26 | * Enable or disable the filters. |
||
| 27 | * |
||
| 28 | * @var array |
||
| 29 | */ |
||
| 30 | protected $filterStatus = [ |
||
| 31 | /** |
||
| 32 | * Check how many pageviews an user made in a short period time. |
||
| 33 | * For example, limit an user can only view 30 pages in 60 minutes. |
||
| 34 | */ |
||
| 35 | 'frequency' => true, |
||
| 36 | |||
| 37 | /** |
||
| 38 | * If an user checks any internal link on your website, the user's |
||
| 39 | * browser will generate HTTP_REFERER information. |
||
| 40 | * When a user view many pages without HTTP_REFERER information meaning |
||
| 41 | * that the user MUST be a web crawler. |
||
| 42 | */ |
||
| 43 | 'referer' => false, |
||
| 44 | |||
| 45 | /** |
||
| 46 | * Most of web crawlers do not render JavaScript, they only get the |
||
| 47 | * content they want, so we can check whether the cookie can be created |
||
| 48 | * by JavaScript or not. |
||
| 49 | */ |
||
| 50 | 'cookie' => false, |
||
| 51 | |||
| 52 | /** |
||
| 53 | * Every unique user should only has a unique session, but if a user |
||
| 54 | * creates different sessions every connection... meaning that the |
||
| 55 | * user's browser doesn't support cookie. |
||
| 56 | * It is almost impossible that modern browsers not support cookie, |
||
| 57 | * therefore the user MUST be a web crawler. |
||
| 58 | */ |
||
| 59 | 'session' => false, |
||
| 60 | ]; |
||
| 61 | |||
| 62 | /** |
||
| 63 | * The status for Filters to reset. |
||
| 64 | * |
||
| 65 | * @var array |
||
| 66 | */ |
||
| 67 | protected $filterResetStatus = [ |
||
| 68 | 's' => false, // second. |
||
| 69 | 'm' => false, // minute. |
||
| 70 | 'h' => false, // hour. |
||
| 71 | 'd' => false, // day. |
||
| 72 | ]; |
||
| 73 | |||
| 74 | /** |
||
| 75 | * Detect and analyze an user's behavior. |
||
| 76 | * |
||
| 77 | * @return int The response code. |
||
| 78 | */ |
||
| 79 | protected function filter(): int |
||
| 80 | { |
||
| 81 | $now = time(); |
||
| 82 | $isFlagged = false; |
||
| 83 | |||
| 84 | // Fetch an IP data from Shieldon log table. |
||
| 85 | $ipDetail = $this->driver->get($this->ip, 'filter'); |
||
| 86 | |||
| 87 | $ipDetail = $this->driver->parseData($ipDetail, 'filter'); |
||
| 88 | $logData = $ipDetail; |
||
| 89 | |||
| 90 | // Counting user pageviews. |
||
| 91 | foreach (array_keys($this->filterResetStatus) as $unit) { |
||
| 92 | |||
| 93 | // Each time unit will increase by 1. |
||
| 94 | $logData['pageviews_' . $unit] = $ipDetail['pageviews_' . $unit] + 1; |
||
| 95 | $logData['first_time_' . $unit] = $ipDetail['first_time_' . $unit]; |
||
| 96 | } |
||
| 97 | |||
| 98 | $logData['first_time_flag'] = $ipDetail['first_time_flag']; |
||
| 99 | |||
| 100 | if (!empty($ipDetail['ip'])) { |
||
| 101 | $logData['ip'] = $this->ip; |
||
| 102 | $logData['session'] = get_session()->get('id'); |
||
| 103 | $logData['hostname'] = $this->rdns; |
||
| 104 | $logData['last_time'] = $now; |
||
| 105 | |||
| 106 | // Filter: HTTP referrer information. |
||
| 107 | $filterReferer = $this->filterReferer($logData, $ipDetail, $isFlagged); |
||
| 108 | $isFlagged = $filterReferer['is_flagged']; |
||
| 109 | $logData = $filterReferer['log_data']; |
||
| 110 | |||
| 111 | if ($filterReferer['is_reject']) { |
||
| 112 | return kernel::RESPONSE_TEMPORARILY_DENY; |
||
| 113 | } |
||
| 114 | |||
| 115 | // Filter: Session. |
||
| 116 | $filterSession = $this->filterSession($logData, $ipDetail, $isFlagged); |
||
| 117 | $isFlagged = $filterSession['is_flagged']; |
||
| 118 | $logData = $filterSession['log_data']; |
||
| 119 | |||
| 120 | if ($filterSession['is_reject']) { |
||
| 121 | return kernel::RESPONSE_TEMPORARILY_DENY; |
||
| 122 | } |
||
| 123 | |||
| 124 | // Filter: JavaScript produced cookie. |
||
| 125 | $filterCookie = $this->filterCookie($logData, $ipDetail, $isFlagged); |
||
| 126 | $isFlagged = $filterCookie['is_flagged']; |
||
| 127 | $logData = $filterCookie['log_data']; |
||
| 128 | |||
| 129 | if ($filterCookie['is_reject']) { |
||
| 130 | return kernel::RESPONSE_TEMPORARILY_DENY; |
||
| 131 | } |
||
| 132 | |||
| 133 | // Filter: frequency. |
||
| 134 | $filterFrequency = $this->filterFrequency($logData, $ipDetail, $isFlagged); |
||
| 135 | $isFlagged = $filterFrequency['is_flagged']; |
||
| 136 | $logData = $filterFrequency['log_data']; |
||
| 137 | |||
| 138 | if ($filterFrequency['is_reject']) { |
||
| 139 | return kernel::RESPONSE_TEMPORARILY_DENY; |
||
| 140 | } |
||
| 141 | |||
| 142 | // Is fagged as unusual beavior? Count the first time. |
||
| 143 | if ($isFlagged) { |
||
| 144 | $logData['first_time_flag'] = (!empty($logData['first_time_flag'])) ? $logData['first_time_flag'] : $now; |
||
| 145 | } |
||
| 146 | |||
| 147 | // Reset the flagged factor check. |
||
| 148 | if (!empty($ipDetail['first_time_flag'])) { |
||
| 149 | if ($now - $ipDetail['first_time_flag'] >= $this->properties['time_reset_limit']) { |
||
| 150 | $logData['flag_multi_session'] = 0; |
||
| 151 | $logData['flag_empty_referer'] = 0; |
||
| 152 | $logData['flag_js_cookie'] = 0; |
||
| 153 | } |
||
| 154 | } |
||
| 155 | |||
| 156 | $this->driver->save($this->ip, $logData, 'filter'); |
||
| 157 | |||
| 158 | } else { |
||
| 159 | |||
| 160 | // If $ipDetail[ip] is empty. |
||
| 161 | // It means that the user is first time visiting our webiste. |
||
| 162 | $this->InitializeFirstTimeFilter($logData); |
||
| 163 | } |
||
| 164 | |||
| 165 | return kernel::RESPONSE_ALLOW; |
||
| 166 | } |
||
| 167 | |||
| 168 | /** |
||
| 169 | * When the user is first time visiting our webiste. |
||
| 170 | * Initialize the log data. |
||
| 171 | * |
||
| 172 | * @param array $logData The user's log data. |
||
| 173 | * |
||
| 174 | * @return void |
||
| 175 | */ |
||
| 176 | protected function InitializeFirstTimeFilter($logData) |
||
| 177 | { |
||
| 178 | $now = time(); |
||
| 179 | |||
| 180 | $logData['ip'] = $this->ip; |
||
| 181 | $logData['session'] = get_session()->get('id'); |
||
| 182 | $logData['hostname'] = $this->rdns; |
||
| 183 | $logData['last_time'] = $now; |
||
| 184 | |||
| 185 | foreach (array_keys($this->filterResetStatus) as $unit) { |
||
| 186 | $logData['first_time_' . $unit] = $now; |
||
| 187 | } |
||
| 188 | |||
| 189 | $this->driver->save($this->ip, $logData, 'filter'); |
||
| 190 | } |
||
| 191 | |||
| 192 | /** |
||
| 193 | * Filter - Referer. |
||
| 194 | * |
||
| 195 | * @param array $logData IP data from Shieldon log table. |
||
| 196 | * @param array $ipData The IP log data. |
||
| 197 | * @param bool $isFlagged Is flagged as unusual behavior or not. |
||
| 198 | * |
||
| 199 | * @return array |
||
| 200 | */ |
||
| 201 | protected function filterReferer(array $logData, array $ipDetail, bool $isFlagged): array |
||
| 202 | { |
||
| 203 | $isReject = false; |
||
| 204 | |||
| 205 | if ($this->filterStatus['referer']) { |
||
| 206 | |||
| 207 | if ($logData['last_time'] - $ipDetail['last_time'] > $this->properties['interval_check_referer']) { |
||
| 208 | |||
| 209 | // Get values from data table. We will count it and save it back to data table. |
||
| 210 | // If an user is already in your website, it is impossible no referer when he views other pages. |
||
| 211 | $logData['flag_empty_referer'] = $ipDetail['flag_empty_referer'] ?? 0; |
||
| 212 | |||
| 213 | if (empty(get_request()->getHeaderLine('referer'))) { |
||
| 214 | $logData['flag_empty_referer']++; |
||
| 215 | $isFlagged = true; |
||
| 216 | } |
||
| 217 | |||
| 218 | // Ban this IP if they reached the limit. |
||
| 219 | if ($logData['flag_empty_referer'] > $this->properties['limit_unusual_behavior']['referer']) { |
||
| 220 | $this->action( |
||
|
Bug
introduced
by
|
|||
| 221 | kernel::ACTION_TEMPORARILY_DENY, |
||
| 222 | kernel::REASON_EMPTY_REFERER |
||
| 223 | ); |
||
| 224 | $isReject = true; |
||
| 225 | } |
||
| 226 | } |
||
| 227 | } |
||
| 228 | |||
| 229 | return [ |
||
| 230 | 'is_flagged' => $isFlagged, |
||
| 231 | 'is_reject' => $isReject, |
||
| 232 | 'log_data' => $logData, |
||
| 233 | ]; |
||
| 234 | } |
||
| 235 | |||
| 236 | /** |
||
| 237 | * Filter - Session |
||
| 238 | * |
||
| 239 | * @param array $logData IP data from Shieldon log table. |
||
| 240 | * @param array $ipData The IP log data. |
||
| 241 | * @param bool $isFlagged Is flagged as unusual behavior or not. |
||
| 242 | * |
||
| 243 | * @return array |
||
| 244 | */ |
||
| 245 | protected function filterSession(array $logData, array $ipDetail, bool $isFlagged): array |
||
| 246 | { |
||
| 247 | $isReject = false; |
||
| 248 | |||
| 249 | if ($this->filterStatus['session']) { |
||
| 250 | |||
| 251 | if ($logData['last_time'] - $ipDetail['last_time'] > $this->properties['interval_check_session']) { |
||
| 252 | |||
| 253 | // Get values from data table. We will count it and save it back to data table. |
||
| 254 | $logData['flag_multi_session'] = $ipDetail['flag_multi_session'] ?? 0; |
||
| 255 | |||
| 256 | if (get_session()->get('id') !== $ipDetail['session']) { |
||
| 257 | |||
| 258 | // Is is possible because of direct access by the same user many times. |
||
| 259 | // Or they don't have session cookie set. |
||
| 260 | $logData['flag_multi_session']++; |
||
| 261 | $isFlagged = true; |
||
| 262 | } |
||
| 263 | |||
| 264 | // Ban this IP if they reached the limit. |
||
| 265 | if ($logData['flag_multi_session'] > $this->properties['limit_unusual_behavior']['session']) { |
||
| 266 | $this->action( |
||
| 267 | kernel::ACTION_TEMPORARILY_DENY, |
||
| 268 | kernel::REASON_TOO_MANY_SESSIONS |
||
| 269 | ); |
||
| 270 | $isReject = true; |
||
| 271 | } |
||
| 272 | } |
||
| 273 | } |
||
| 274 | |||
| 275 | |||
| 276 | return [ |
||
| 277 | 'is_flagged' => $isFlagged, |
||
| 278 | 'is_reject' => $isReject, |
||
| 279 | 'log_data' => $logData, |
||
| 280 | ]; |
||
| 281 | } |
||
| 282 | |||
| 283 | /** |
||
| 284 | * Filter - Cookie |
||
| 285 | * |
||
| 286 | * @param array $logData IP data from Shieldon log table. |
||
| 287 | * @param array $ipData The IP log data. |
||
| 288 | * @param bool $isFlagged Is flagged as unusual behavior or not. |
||
| 289 | * |
||
| 290 | * @return array |
||
| 291 | */ |
||
| 292 | protected function filterCookie(array $logData, array $ipDetail, bool $isFlagged): array |
||
| 346 | ]; |
||
| 347 | } |
||
| 348 | |||
| 349 | /** |
||
| 350 | * Filter - Frequency |
||
| 351 | * |
||
| 352 | * @param array $logData IP data from Shieldon log table. |
||
| 353 | * @param array $ipData The IP log data. |
||
| 354 | * @param bool $isFlagged Is flagged as unusual behavior or not. |
||
| 355 | * |
||
| 356 | * @return array |
||
| 357 | */ |
||
| 358 | protected function filterFrequency(array $logData, array $ipDetail, bool $isFlagged): array |
||
| 433 |
Loading history...