From 88dcea1571ed4e7bba2fbc9c3801467ca448f487 Mon Sep 17 00:00:00 2001 From: Cristian Tabacitu Date: Wed, 30 Mar 2022 10:20:27 +0300 Subject: [PATCH 1/3] add fix command in 4.1 --- src/BackpackServiceProvider.php | 1 + src/app/Console/Commands/Fix.php | 91 ++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 src/app/Console/Commands/Fix.php diff --git a/src/BackpackServiceProvider.php b/src/BackpackServiceProvider.php index 8166233f0a..848053126f 100644 --- a/src/BackpackServiceProvider.php +++ b/src/BackpackServiceProvider.php @@ -23,6 +23,7 @@ class BackpackServiceProvider extends ServiceProvider \Backpack\CRUD\app\Console\Commands\PublishBackpackMiddleware::class, \Backpack\CRUD\app\Console\Commands\PublishView::class, \Backpack\CRUD\app\Console\Commands\RequireDevTools::class, + \Backpack\CRUD\app\Console\Commands\Fix::class, ]; // Indicates if loading of the provider is deferred. diff --git a/src/app/Console/Commands/Fix.php b/src/app/Console/Commands/Fix.php new file mode 100644 index 0000000000..a9b696064c --- /dev/null +++ b/src/app/Console/Commands/Fix.php 
@@ -0,0 +1,91 @@ +fixErrorViews(); + } + + private function fixErrorViews() + { + $errorsDirectory = base_path('resources/views/errors'); + + $this->line('Checking error views...'); + + // check if the `resources/views/errors` directory exists + if (!is_dir($errorsDirectory)) { + $this->info('Your error views are not vulnerable. Nothing to do here.'); + return; + } + + $views = scandir($errorsDirectory); + $views = array_filter($views, function ($file) { + // eliminate ".", ".." and any hidden files like .gitignore or .gitkeep + return substr($file, 0, 1) != '.'; + }); + + // check if there are actually views inside the directory + if (!count($views)) { + $this->info('Your error views are not vulnerable. Nothing to do here.'); + return; + } + + $autofixed = true; + foreach ($views as $key => $view) { + $contents = file_get_contents($errorsDirectory.'/'.$view); + + // does it even work with exception messages? + if (strpos($contents, '->getMessage()') == false) { + continue; + } + + // does it already escape the exception message? + if (strpos($contents, 'e($exception->getMessage())') !== false) { + $this->info($view.' was ok.'); + continue; + } + + // cover the most likely scenario, where the file has not been edited at all + $new_contents = str_replace('$exception->getMessage()?$exception->getMessage():$default_error_message', '$exception->getMessage()?e($exception->getMessage()):$default_error_message', $contents); + + if ($new_contents != $contents) { + file_put_contents($errorsDirectory.'/'.$view, $new_contents); + $this->warn($view.' has been fixed.'); + continue; + } + + $this->error($view.' could not be fixed automatically.'); + $autofixed = false; + } + + if ($autofixed == false) { + $this->error('Some error views could not be fixed automatically. Please look inside your "resources/views/errors" directory and make sure exception messages are escaped before outputting. It should be e($exception->getMessage()) instead of $exception->getMessage(). 
Alternatively, outputting should be done using {{ }} instead of {!! !!}'); + } + } +} From ab598e2e1d066062c6d3be0f23afaf1f348636ae Mon Sep 17 00:00:00 2001 From: StyleCI Bot Date: Wed, 30 Mar 2022 07:20:51 +0000 Subject: [PATCH 2/3] Apply fixes from StyleCI [ci skip] [skip ci] --- src/app/Console/Commands/Fix.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/app/Console/Commands/Fix.php b/src/app/Console/Commands/Fix.php index a9b696064c..de72c3943c 100644 --- a/src/app/Console/Commands/Fix.php +++ b/src/app/Console/Commands/Fix.php @@ -3,8 +3,6 @@ namespace Backpack\CRUD\app\Console\Commands; use Illuminate\Console\Command; -use Symfony\Component\Process\Exception\ProcessFailedException; -use Symfony\Component\Process\Process; class Fix extends Command { @@ -39,8 +37,9 @@ private function fixErrorViews() $this->line('Checking error views...'); // check if the `resources/views/errors` directory exists - if (!is_dir($errorsDirectory)) { + if (! is_dir($errorsDirectory)) { $this->info('Your error views are not vulnerable. Nothing to do here.'); + return; } @@ -51,8 +50,9 @@ private function fixErrorViews() }); // check if there are actually views inside the directory - if (!count($views)) { + if (! count($views)) { $this->info('Your error views are not vulnerable. Nothing to do here.'); + return; } From 3cd1fd45c165d8767960598b4ffe1b9a426ab3fe Mon Sep 17 00:00:00 2001 From: Cristian Tabacitu Date: Wed, 30 Mar 2022 12:03:25 +0300 Subject: [PATCH 3/3] fix command - add suggestion at the end to publish CSS and JS assets --- src/app/Console/Commands/Fix.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/app/Console/Commands/Fix.php b/src/app/Console/Commands/Fix.php index de72c3943c..04ce25889e 100644 --- a/src/app/Console/Commands/Fix.php +++ b/src/app/Console/Commands/Fix.php 
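Review bot: `file_put_contents($errorsDirectory.'/'.$view, $new_contents)` in fixErrorViews() is never checked, so on an unwritable view the command still prints "<view> has been fixed." and leaves `$autofixed` true while the unescaped `$exception->getMessage()` is still in place — for a command whose purpose is closing an XSS in error pages, a false "fixed" is worse than no report. Guard it with `if (file_put_contents($errorsDirectory.'/'.$view, $new_contents) === false) {` / `$this->error($view.' could not be written.'); $autofixed = false; continue;` / `}`. Two smaller issues in the same loop: `strpos($contents, '->getMessage()') == false` is a loose comparison and should be `=== false` (a match at offset 0 is currently treated as "no match"), and the `e($exception->getMessage())` test marks a view OK on its first escaped occurrence even if another occurrence in the same file is still unescaped, so counting unescaped occurrences (e.g. a pattern for `getMessage()` not preceded by `e(`) would be a safer check. scandir() also returns subdirectories, on which file_get_contents() will warn and return false; an `is_file()` filter alongside the dot-file filter avoids that. The head of the new file (the class header and handle()) is not visible in this hunk as rendered.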
@@ -2,6 +2,7 @@ namespace Backpack\CRUD\app\Console\Commands; +use Artisan; use Illuminate\Console\Command; class Fix extends Command @@ -18,7 +19,7 @@ class Fix extends Command * * @var string */ - protected $description = 'Fix known Backpack security issues.'; + protected $description = 'Fix known Backpack issues.'; /** * Execute the console command. @@ -28,6 +29,15 @@ class Fix extends Command public function handle() { $this->fixErrorViews(); + + if ($this->confirm('[SUGGESTION] Would you like to publish updated JS & CSS dependencies to public/packages?', false)) { + Artisan::call('vendor:publish', [ + '--provider' => 'Backpack\CRUD\BackpackServiceProvider', + '--tag' => 'assets', + '--force' => 'true', + ]); + $this->info('Published latest CSS and JS assets to your public/packages directory.'); + } } private function fixErrorViews()
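Review bot: `'--force' => 'true'` in the Artisan::call() inside handle() passes the string 'true' to a boolean flag; it presumably works only because the string is truthy, and the idiomatic form is `'--force' => true`. More important for the person answering the prompt: --force overwrites everything under public/packages, including files the project may have modified locally, and the confirm() text does not say so — suggest `'[SUGGESTION] Would you like to publish updated JS & CSS dependencies to public/packages? This overwrites existing files there.'`. `use Artisan;` binds to the application-level facade alias rather than the class; package code should import `Illuminate\Support\Facades\Artisan` so the command still resolves if the consuming app trims its `aliases` config. Because the prompt defaults to false, a `--no-interaction` run (CI, deploy scripts) silently skips the publish, which is worth a sentence in the command description or an explicit option. The body of fixErrorViews() continues outside the hunk.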