Skip to content
Permalink
Browse files

feature #30385 [SecurityBundle] Validate the IPs configured in access…

…_control (javiereguiluz)

This PR was squashed before being merged into the 4.3-dev branch (closes #30385).

Discussion
----------

[SecurityBundle] Validate the IPs configured in access_control

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #30299
| License       | MIT
| Doc PR        | -

Commits
-------

857ac95 [SecurityBundle] Validate the IPs configured in access_control
  • Loading branch information...
chalasr committed Mar 7, 2019
2 parents 7908549 + 857ac95 commit ddd676723ffe946ad0eec369fd25b722d6fe41c4
@@ -143,6 +143,15 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode)
->integerNode('port')->defaultNull()->end()
->arrayNode('ips')
->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
->beforeNormalization()->always()->then(function ($v) {
foreach ($v as $ip) {
if (false === $this->isValidIp($ip)) {
throw new \LogicException(sprintf('The given "%s" value in the "access_control" config option is not a valid IP address.', $ip));
}
}
return $v;
})->end()
->prototype('scalar')->end()
->end()
->arrayNode('methods')
@@ -419,4 +428,30 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
->end()
;
}
private function isValidIp(string $cidr): bool
{
$cidrParts = explode('/', $cidr);
if (1 === \count($cidrParts)) {
return false !== filter_var($cidrParts[0], FILTER_VALIDATE_IP);
}
$ip = $cidrParts[0];
$netmask = $cidrParts[1];
if (!ctype_digit($netmask)) {
return false;
}
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
return $netmask <= 32;
}
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
return $netmask <= 128;
}
return false;
}
}
@@ -31,6 +31,15 @@ secured-by-one-ip:
secured-by-two-ips:
path: /secured-by-two-ips

secured-by-one-real-ip:
path: /secured-by-one-real-ip

secured-by-one-real-ip-with-mask:
path: /secured-by-one-real-ip-with-mask

secured-by-one-real-ipv6:
path: /secured-by-one-real-ipv6

form_logout:
path: /logout_path

@@ -71,10 +71,16 @@ public function testSecurityConfigurationForMultipleIPAddresses($config)
{
$allowedClientA = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '1.1.1.1']);
$allowedClientB = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '2.2.2.2']);
$allowedClientC = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '203.0.113.0']);
$barredClient = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '192.168.1.1']);
$this->assertAllowed($allowedClientA, '/secured-by-two-ips');
$this->assertAllowed($allowedClientB, '/secured-by-two-ips');
$this->assertRestricted($allowedClientA, '/secured-by-one-real-ip');
$this->assertRestricted($allowedClientA, '/secured-by-one-real-ipv6');
$this->assertAllowed($allowedClientC, '/secured-by-one-real-ip-with-mask');
$this->assertRestricted($barredClient, '/secured-by-two-ips');
}
@@ -100,6 +106,15 @@ public function testSecurityConfigurationForExpression($config)
$this->assertAllowed($allowedClient, '/protected-via-expression');
}
public function testInvalidIpsInAccessControl()
{
$this->expectException(\LogicException::class);
$this->expectExceptionMessage('The given "256.357.458.559" value in the "access_control" config option is not a valid IP address.');
$client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml']);
$client->request('GET', '/unprotected_resource');
}
private function assertAllowed($client, $path)
{
$client->request('GET', $path);
@@ -39,6 +39,10 @@ security:
- { path: ^/secure-but-not-covered-by-access-control$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-one-ip$, ip: 10.10.10.10, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-two-ips$, ips: [1.1.1.1, 2.2.2.2], roles: IS_AUTHENTICATED_ANONYMOUSLY }
# these real IP addresses are reserved for docs/examples (https://tools.ietf.org/search/rfc5737)
- { path: ^/secured-by-one-real-ip$, ips: 198.51.100.0, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/highly_protected_resource$, roles: IS_ADMIN }
- { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
@@ -0,0 +1,22 @@
imports:
- { resource: ./../config/default.yml }

security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext

providers:
in_memory:
memory:
users:
johannes: { password: test, roles: [ROLE_USER] }

firewalls:
default:
form_login: ~
logout: ~
anonymous: ~

access_control:
# the '256.357.458.559' IP is wrong on purpose, to check invalid IP errors
- { path: ^/unprotected_resource$, ips: [1.1.1.1, 256.357.458.559], roles: IS_AUTHENTICATED_ANONYMOUSLY }

0 comments on commit ddd6767

Please sign in to comment.
You can’t perform that action at this time.