headers migrados para rotas e padronização de sanitização de urls

This commit is contained in:
Renan Bernordi 2025-01-24 15:03:45 -03:00
parent 7013b56b2f
commit ab2e596621
4 changed files with 103 additions and 111 deletions


@ -234,33 +234,27 @@ class URLAnalyzer
// Reset das regras ativadas para nova análise
$this->activatedRules = [];
// 1. Clean URL / Limpa a URL
$cleanUrl = $this->cleanUrl($url);
if (!$cleanUrl) {
$this->throwError(self::ERROR_INVALID_URL);
// 1. Check cache / Verifica cache
if ($this->cache->exists($url)) {
return $this->cache->get($url);
}
// 2. Check cache / Verifica cache
if ($this->cache->exists($cleanUrl)) {
return $this->cache->get($cleanUrl);
}
// 3. Check blocked domains / Verifica domínios bloqueados
$host = parse_url($cleanUrl, PHP_URL_HOST);
// 2. Check blocked domains / Verifica domínios bloqueados
$host = parse_url($url, PHP_URL_HOST);
if (!$host) {
$this->throwError(self::ERROR_INVALID_URL);
}
$host = preg_replace('/^www\./', '', $host);
if (in_array($host, BLOCKED_DOMAINS)) {
Logger::getInstance()->logUrl($cleanUrl, 'BLOCKED_DOMAIN');
Logger::getInstance()->logUrl($url, 'BLOCKED_DOMAIN');
$this->throwError(self::ERROR_BLOCKED_DOMAIN);
}
// Check URL status code before proceeding
$redirectInfo = $this->checkStatus($cleanUrl);
// 3. Check URL status code before proceeding
$redirectInfo = $this->checkStatus($url);
if ($redirectInfo['httpCode'] !== 200) {
Logger::getInstance()->logUrl($cleanUrl, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
Logger::getInstance()->logUrl($url, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
if ($redirectInfo['httpCode'] === 404) {
$this->throwError(self::ERROR_NOT_FOUND);
} else {
@ -279,33 +273,33 @@ class URLAnalyzer
$content = null;
switch ($fetchStrategy) {
case 'fetchContent':
$content = $this->fetchContent($cleanUrl);
$content = $this->fetchContent($url);
break;
case 'fetchFromWaybackMachine':
$content = $this->fetchFromWaybackMachine($cleanUrl);
$content = $this->fetchFromWaybackMachine($url);
break;
case 'fetchFromSelenium':
$content = $this->fetchFromSelenium($cleanUrl, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
$content = $this->fetchFromSelenium($url, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
break;
}
if (!empty($content)) {
$this->activatedRules[] = "fetchStrategy: $fetchStrategy";
$processedContent = $this->processContent($content, $host, $cleanUrl);
$this->cache->set($cleanUrl, $processedContent);
$processedContent = $this->processContent($content, $host, $url);
$this->cache->set($url, $processedContent);
return $processedContent;
}
} catch (Exception $e) {
Logger::getInstance()->logUrl($cleanUrl, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
Logger::getInstance()->logUrl($url, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
throw $e;
}
}
// 5. Try all strategies in sequence
$fetchStrategies = [
['method' => 'fetchContent', 'args' => [$cleanUrl]],
['method' => 'fetchFromWaybackMachine', 'args' => [$cleanUrl]],
['method' => 'fetchFromSelenium', 'args' => [$cleanUrl, 'firefox']]
['method' => 'fetchContent', 'args' => [$url]],
['method' => 'fetchFromWaybackMachine', 'args' => [$url]],
['method' => 'fetchFromSelenium', 'args' => [$url, 'firefox']]
];
$lastError = null;
@ -314,8 +308,8 @@ class URLAnalyzer
$content = call_user_func_array([$this, $strategy['method']], $strategy['args']);
if (!empty($content)) {
$this->activatedRules[] = "fetchStrategy: {$strategy['method']}";
$processedContent = $this->processContent($content, $host, $cleanUrl);
$this->cache->set($cleanUrl, $processedContent);
$processedContent = $this->processContent($content, $host, $url);
$this->cache->set($url, $processedContent);
return $processedContent;
}
} catch (Exception $e) {
@ -326,7 +320,7 @@ class URLAnalyzer
}
// If we get here, all strategies failed
Logger::getInstance()->logUrl($cleanUrl, 'GENERAL_FETCH_ERROR');
Logger::getInstance()->logUrl($url, 'GENERAL_FETCH_ERROR');
if ($lastError) {
$message = $lastError->getMessage();
if (strpos($message, 'DNS') !== false) {
@ -432,8 +426,8 @@ class URLAnalyzer
*/
private function fetchFromWaybackMachine($url)
{
$cleanUrl = preg_replace('#^https?://#', '', $url);
$availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($cleanUrl);
$url = preg_replace('#^https?://#', '', $url);
$availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($url);
$curl = new Curl();
$curl->setOpt(CURLOPT_FOLLOWLOCATION, true);
@ -552,36 +546,6 @@ class URLAnalyzer
}
}
/**
* Clean and normalize a URL
* Limpa e normaliza uma URL
*/
private function cleanUrl($url)
{
$url = trim($url);
if (!filter_var($url, FILTER_VALIDATE_URL)) {
return false;
}
if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
$url = 'https://' . $matches[2] . $matches[3];
}
$parts = parse_url($url);
if (!isset($parts['scheme']) || !isset($parts['host'])) {
return false;
}
$cleanedUrl = $parts['scheme'] . '://' . $parts['host'];
if (isset($parts['path'])) {
$cleanedUrl .= $parts['path'];
}
return $cleanedUrl;
}
/**
* Get specific rules for a domain
* Obtém regras específicas para um domínio
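Review bot: With `cleanUrl()` deleted and `$url` used verbatim from the cache lookup onward, this method no longer validates its own input and now trusts every caller to have run `Router::sanitizeUrl` first; the method begins outside this hunk, but nothing visible here rejects a non-URL before `$this->cache->exists($url)` and the blocked-domain check. Because `$url` is also the cache key (`$this->cache->set($url, …)`) and the log key, any normalisation the removed `cleanUrl()` provided (query stripped, AMP rewrite) now happens only if the caller did it, so two spellings of one page can be fetched and cached separately. A one-line defensive guard at the top keeps the class safe to call directly: `if (!filter_var($url, FILTER_VALIDATE_URL)) { $this->throwError(self::ERROR_INVALID_URL); }`. Note also that the blocked-domain test is an exact match after stripping a leading `www.`, so `sub.blocked.example` passes when `blocked.example` is listed — pre-existing, but worth a `// TODO: also match parent domains of $host` comment now that this check is the only gate left in the class.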


@ -50,21 +50,19 @@ class Router
$message_type = '';
$url = '';
// Processa mensagens da query string
// Process query string messages
// Sanitize and process query string messages
if (isset($_GET['message'])) {
$message_key = $_GET['message'];
$message_key = htmlspecialchars(trim($_GET['message']), ENT_QUOTES | ENT_HTML5, 'UTF-8');
$messageData = \Language::getMessage($message_key);
$message = $messageData['message'];
$message_type = $messageData['type'];
$message = htmlspecialchars($messageData['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
$message_type = htmlspecialchars($messageData['type'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Processa submissão do formulário
// Process form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['url'])) {
$url = filter_var($_POST['url'], FILTER_SANITIZE_URL);
$url = $this->sanitizeUrl($_POST['url']);
if (filter_var($url, FILTER_VALIDATE_URL)) {
header('Location: ' . SITE_URL . '/p/' . urlencode($url));
header('Location: ' . SITE_URL . '/p/' . $url);
exit;
} else {
$messageData = \Language::getMessage('INVALID_URL');
@ -84,7 +82,7 @@ class Router
// Rota da API - usa URLProcessor em modo API
// API route - uses URLProcessor in API mode
$r->addRoute('GET', '/api/{url:.+}', function($vars) {
$processor = new URLProcessor($vars['url'], true);
$processor = new URLProcessor($this->sanitizeUrl($vars['url']), true);
$processor->process();
});
@ -98,23 +96,23 @@ class Router
// Rota de processamento - usa URLProcessor em modo web
// Processing route - uses URLProcessor in web mode
$r->addRoute('GET', '/p/{url:.+}', function($vars) {
$processor = new URLProcessor($vars['url'], false);
$processor = new URLProcessor($this->sanitizeUrl($vars['url']), false);
$processor->process();
});
// Rota de processamento com query parameter ou sem parâmetros
// Processing route with query parameter or without parameters
$r->addRoute('GET', '/p[/]', function() {
if (isset($_GET['url']) || isset($_GET['text'])) {
$url = isset($_GET['url']) ? $_GET['url'] : '';
$text = isset($_GET['text']) ? $_GET['text'] : '';
// Sanitize input parameters
$url = isset($_GET['url']) ? $this->sanitizeUrl($_GET['url']) : '';
$text = isset($_GET['text']) ? $this->sanitizeUrl($_GET['text']) : '';
// Check which parameter is a valid URL
if (filter_var($url, FILTER_VALIDATE_URL)) {
header('Location: /p/' . urlencode($url));
header('Location: /p/' . $url);
exit;
} elseif (filter_var($text, FILTER_VALIDATE_URL)) {
header('Location: /p/' . urlencode($text));
header('Location: /p/' . $text);
exit;
} else {
header('Location: /?message=INVALID_URL');
@ -134,11 +132,73 @@ class Router
}
/**
* Despacha a requisição para a rota apropriada
* Dispatches the request to the appropriate route
* Sanitizes URLs to prevent XSS and injection attacks
* Sanitiza URLs para prevenir ataques XSS e injeções
*
* @param string $url The URL to sanitize
* @return string The sanitized URL
*/
/**
* Sanitizes and normalizes URLs
* Sanitiza e normaliza URLs
*
* @param string $url The URL to sanitize and normalize
* @return string|false The cleaned URL or false if invalid
*/
private function sanitizeUrl(string $url): string
{
$url = trim($url);
// Basic URL validation
if (!filter_var($url, FILTER_VALIDATE_URL)) {
return '';
}
// Handle AMP URLs
if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
$url = 'https://' . $matches[2] . $matches[3];
}
// Parse and reconstruct URL to ensure proper structure
$parts = parse_url($url);
if (!isset($parts['scheme']) || !isset($parts['host'])) {
return '';
}
$cleanedUrl = $parts['scheme'] . '://' . $parts['host'];
if (isset($parts['path'])) {
$cleanedUrl .= $parts['path'];
}
// Remove control characters and sanitize
$cleanedUrl = preg_replace('/[\x00-\x1F\x7F]/', '', $cleanedUrl);
$cleanedUrl = filter_var($cleanedUrl, FILTER_SANITIZE_URL);
// Convert special characters to HTML entities
return htmlspecialchars($cleanedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
/**
* Sets security headers for all responses
* Define cabeçalhos de segurança para todas as respostas
*/
private function setSecurityHeaders()
{
// Set security headers
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
}
public function dispatch()
{
$this->setSecurityHeaders();
$httpMethod = $_SERVER['REQUEST_METHOD'];
$uri = $_SERVER['REQUEST_URI'];
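Review bot: `sanitizeUrl` ends by HTML-entity-encoding its result (`htmlspecialchars` on the final `return`), but every consumer treats that value as a URL, not as HTML: it is concatenated into the `Location` header (where this commit also dropped `urlencode()`), handed to `URLProcessor`, and from there presumably fetched and used as a cache key, so a path containing `'` or `&` would travel as `&#039;`/`&amp;`, and the redirect now embeds a raw `http://…` in the request path, which a front-end server that merges slashes may mangle (inferred — the nginx location rules are not shown). Escaping belongs at the HTML output point (as already done for `$message` and `$message_type`), so the function should return the plain cleaned URL and the three redirect lines should read `header('Location: ' . SITE_URL . '/p/' . urlencode($url));`. While touching it, restrict the scheme: `FILTER_VALIDATE_URL` and `parse_url` both accept `ftp://`, `gopher://`, `dict://` and similar, which the downstream cURL fetch may follow (not new to this commit, but the new function is the right choke point). The two stacked docblocks above `sanitizeUrl` (the first is the leftover `dispatch` header text) should be merged into one, and `@return string|false` should become `@return string` since the signature returns `''` for invalid input. Separately, `$_GET['message']` is entity-encoded before the `\Language::getMessage` lookup, which is the wrong side of the boundary — look up the trimmed raw key and escape only the looked-up output, as the following two lines already do.
```php
private function sanitizeUrl(string $url): string
{
    // … unchanged: trim, FILTER_VALIDATE_URL, AMP rewrite, parse_url and scheme/host presence check …
    // Only http(s) may be fetched; FILTER_VALIDATE_URL alone also accepts ftp://, gopher://, dict:// etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    $cleanedUrl = $parts['scheme'] . '://' . $parts['host'];
    if (isset($parts['path'])) {
        $cleanedUrl .= $parts['path'];
    }
    $cleanedUrl = preg_replace('/[\x00-\x1F\x7F]/', '', $cleanedUrl);
    // Return a URL, not HTML: callers urlencode() it when embedding it in a Location path
    // and htmlspecialchars() it only where it is printed into a page.
    return filter_var($cleanedUrl, FILTER_SANITIZE_URL) ?: '';
}
```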


@ -31,7 +31,7 @@ class URLProcessor
require_once __DIR__ . '/../inc/URLAnalyzer.php';
require_once __DIR__ . '/../inc/Language.php';
$this->url = urldecode($url);
$this->url = $url;
$this->isApi = $isApi;
$this->analyzer = new \URLAnalyzer();
@ -82,20 +82,6 @@ class URLProcessor
*/
public function process(): void
{
// Validate URL format
if (!filter_var($this->url, FILTER_VALIDATE_URL)) {
if ($this->isApi) {
$this->sendApiResponse([
'error' => [
'type' => \URLAnalyzer::ERROR_INVALID_URL,
'message' => \Language::getMessage('INVALID_URL')['message']
]
], 400);
} else {
$this->redirect(SITE_URL, \URLAnalyzer::ERROR_INVALID_URL);
}
}
try {
// Check for redirects in web mode
if (!$this->isApi) {
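Review bot: `process()` has lost its only up-front guard, and since `Router::sanitizeUrl` returns `''` for invalid input while the constructor now stores the value as-is, an empty or non-URL string flows straight into the analyzer; the 400 JSON response API callers used to receive for a malformed URL is gone, and what they get instead depends on how the `try` block (which continues outside this hunk) maps the analyzer's invalid-URL error. A cheap guard at the top of `process()` keeps the contract explicit: `if ($this->url === '' || !filter_var($this->url, FILTER_VALIDATE_URL)) {` followed by the removed API/web branches — and, unlike the removed block, with a `return;` after `sendApiResponse()` so execution cannot fall through into the fetch on the API path (unless `sendApiResponse` itself exits, which is not visible here). Dropping `urldecode()` is only correct while the `/p/` and `/api/` redirects no longer percent-encode the URL; the Router change in this commit does remove `urlencode()`, so the two halves are coupled and must be changed together if the redirect encoding is restored.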


@ -11,26 +11,8 @@ server {
# Oculta a versão do NGINX para reduzir informações expostas
server_tokens off;
# Security Headers / Cabeçalhos de Segurança
# Enable HSTS (HTTP Strict Transport Security) to force HTTPS connections
# Habilita HSTS (HTTP Strict Transport Security) para forçar conexões HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Prevent clickjacking attacks by allowing the site to be displayed only in its own domain
# Previne ataques de clickjacking, permitindo que o site seja exibido apenas em seu próprio domínio
add_header X-Frame-Options "SAMEORIGIN" always;
# Enable protection against Cross-Site Scripting (XSS) attacks
# Ativa proteção contra ataques de Cross-Site Scripting (XSS)
add_header X-XSS-Protection "1; mode=block" always;
# Prevent browsers from MIME-type sniffing
# Impede que navegadores tentem adivinhar (sniff) o tipo MIME dos arquivos
add_header X-Content-Type-Options "nosniff" always;
# Control how referrer headers are sent
# Controla como os cabeçalhos de referência são enviados
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# NGINX-specific security configurations
# Configurações de segurança específicas do NGINX
# Limit upload size to prevent denial of service attacks
# Limita o tamanho de uploads para prevenir ataques de negação de serviço