/
OpenRedirectProtection.php
128 lines (101 loc) · 3.35 KB
/
OpenRedirectProtection.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
<?php
declare(strict_types=1);
namespace Snicco\Middleware\OpenRedirectProtection;
use InvalidArgumentException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;
use Snicco\Component\HttpRouting\Http\Psr7\Request;
use Snicco\Component\HttpRouting\Http\Response\RedirectResponse;
use Snicco\Component\HttpRouting\Middleware\Middleware;
use Snicco\Component\HttpRouting\Middleware\NextMiddleware;
use Snicco\Component\StrArr\Str;
use function is_string;
use function parse_url;
use const PHP_URL_HOST;
final class OpenRedirectProtection extends Middleware
{
/**
* @var string[]
*/
private array $whitelist = [];
private string $host;
private string $exit_path;
/**
* @param string[] $whitelist
*/
public function __construct(string $host, string $exit_path, array $whitelist = [])
{
$parsed = parse_url($host, PHP_URL_HOST);
if (! is_string($parsed) || '' === $parsed) {
throw new InvalidArgumentException(sprintf('Invalid host [%s].', $host));
}
$this->host = $parsed;
$this->exit_path = $exit_path;
$this->whitelist = $this->formatWhiteList($whitelist);
$this->whitelist[] = $this->allSubdomainsOfApplication();
}
protected function handle(Request $request, NextMiddleware $next): ResponseInterface
{
$response = $next($request);
if (! $response->isRedirect()) {
return $response;
}
if ($response instanceof RedirectResponse && $response->isExternalRedirectAllowed()) {
return $response;
}
$target = $response->getHeaderLine('location');
$parts = (array) parse_url($target);
$parts['host'] ??= '';
// Always allow relative redirects
if ($this->isSameSiteRedirect($request->getUri(), $parts['host'])) {
return $response;
}
if (! $this->isWhitelisted($parts['host'])) {
return $this->forbiddenRedirect($target);
}
return $response;
}
/**
* @return string[]
*/
private function formatWhiteList(array $whitelist): array
{
return array_map(function (string $pattern): string {
if (Str::startsWith($pattern, '*.')) {
return $this->allSubdomains(Str::afterFirst($pattern, '*.'));
}
return '/' . preg_quote($pattern, '/') . '/';
}, $whitelist);
}
private function allSubdomains(string $host): string
{
return '/^(.+\.)?' . preg_quote($host, '/') . '$/';
}
private function allSubdomainsOfApplication(): string
{
return $this->allSubdomains($this->host);
}
private function isSameSiteRedirect(UriInterface $uri, string $redirect_host): bool
{
if ('' === $redirect_host) {
return true;
}
return $uri->getHost() === $redirect_host;
}
private function isWhitelisted(string $host): bool
{
foreach ($this->whitelist as $pattern) {
if (preg_match($pattern, $host)) {
return true;
}
}
return false;
}
private function forbiddenRedirect(string $location): RedirectResponse
{
return $this->respondWith()
->redirectTo($this->exit_path, 302, [
'intended_redirect' => $location,
]);
}
}