mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-06-29 17:55:35 -04:00
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.
Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php
https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78
* Add allowlist setting in Web UI
* make readme
* Update app/i18n/fr/admin.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme again
* make readme
* Further work
Still WIP and needs testing etc.
* Readd previous if check for domain combination allowlist
* Turn POST to GET after redirect
* Improve
* Update config.default.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme
* Skip SSRF check if `CURLOPT_PROXY` is set
* make readme
* Fix `!empty()` mistake
* Respect max redirects feed option when fetching with `httpGet()`
* Respect max redirects during SimplePie fetching + fix bypass
bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.
* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980
* Corrected hook code
* phpdoc wrong return type
* Add CIDR support in allowlist
* Implement simple DNS caching
* Suppress `dns_get_record()` warnings
* A bit of proof-reading
* Minor typo
* Fix proxy logic
* Fix HTTP POST redirect logic
* Proofread checkCIDR
Add fixes for several situations
* Remove credentials from URL in logs
* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end
* Fix codesniffer long line
* Fix potential bypass due to wrong return value
If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.
* Put the URL at the end in logs
* Add documentation and environment variable support
* make readme
* Fix wrong behavior in case of IP
* Fix duplicate selector in CSS
* Minor type check change
* i18n fr, en
* Minor type check change
* Fix whitespace i18n fr
* make fix-all
* Fix `$ips_ok` not being returned after domain records were cached
* make readme
* PHPStan fix
* make readme
* Minor syntax in SimplePie
* Only return `null` if no allowed IPs were found
* Add wildcard *, help message
* Consistent docs with help message
* i18n: pl
* SimplePie compatibility PHP 7.2
* make fix-all
* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76
* 💥 Breaking change in the Changelog
* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs
* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect
* Minor whitespace
And same comment convention than below
* Remove authentication headers and change POST to GET on redirect in SimplePie
* Remove .local in Docker example
* Fill in default ports when comparing URL origins
* Remove .local from other places than the Docker example
* Rewrite WebSub subscribe to use `httpGet()`
* make fix-all
* Also unset `CURLOPT_USERPWD` during redirects
* phpcs fix
* Always unset `CURLOPT_FOLLOWLOCATION`
* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78
* Update logic for CURLOPT_FOLLOWLOCATION
* Fix PHPStan
* Changelog fix security section
* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge
* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
118 lines
6.2 KiB
XML
118 lines
6.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<ruleset name="FreshRSS">
|
|
<arg name="extensions" value="php,phtml"/>
|
|
<arg name="tab-width" value="4"/>
|
|
<exclude-pattern>/\.git/*</exclude-pattern>
|
|
<exclude-pattern>/data/config.php</exclude-pattern>
|
|
<exclude-pattern>/data/update.php</exclude-pattern>
|
|
<exclude-pattern>/data/users/*/config.php</exclude-pattern>
|
|
<exclude-pattern>/(?-i:extensions)/*</exclude-pattern><!-- Case sensitive to allow our Extensions repo -->
|
|
<exclude-pattern>/lib/http-conditional.php</exclude-pattern>
|
|
<exclude-pattern>/lib/marienfressinaud/</exclude-pattern>
|
|
<exclude-pattern>/lib/phpgt/*</exclude-pattern>
|
|
<exclude-pattern>/lib/phpmailer/*</exclude-pattern>
|
|
<exclude-pattern>/lib/simplepie/*</exclude-pattern>
|
|
<exclude-pattern>/node_modules/*</exclude-pattern>
|
|
<exclude-pattern>/p/scripts/vendor/*</exclude-pattern>
|
|
<exclude-pattern>/vendor/*</exclude-pattern>
|
|
<!-- Additional exclusions for Extensions: -->
|
|
<exclude-pattern>/symbolic/*</exclude-pattern>
|
|
<exclude-pattern>/third-party/*</exclude-pattern>
|
|
<exclude-pattern>/tmp/*</exclude-pattern>
|
|
<rule ref="PSR12">
|
|
<exclude name="Generic.ControlStructures.InlineControlStructure.NotAllowed"/>
|
|
<exclude name="Generic.Formatting.DisallowMultipleStatements.SameLine"/>
|
|
<exclude name="Generic.WhiteSpace.DisallowTabIndent.NonIndentTabsUsed"/>
|
|
<exclude name="Generic.WhiteSpace.DisallowTabIndent.TabsUsed"/>
|
|
<exclude name="Generic.WhiteSpace.DisallowTabIndent.TabsUsedHeredocCloser"/>
|
|
<exclude name="PSR1.Classes.ClassDeclaration.MissingNamespace"/>
|
|
<exclude name="PSR1.Classes.ClassDeclaration.MultipleClasses"/>
|
|
<exclude name="PSR1.Files.SideEffects.FoundWithSymbols"/>
|
|
<exclude name="PSR1.Methods.CamelCapsMethodName.NotCamelCaps"/>
|
|
<exclude name="PSR12.Classes.OpeningBraceSpace.Found"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR12.ControlStructures.ControlStructureSpacing.CloseParenthesisLine"/>
|
|
<exclude name="PSR12.ControlStructures.ControlStructureSpacing.FirstExpressionLine"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR12.Files.FileHeader.IncorrectOrder"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR12.Files.FileHeader.SpacingAfterBlock"/><!-- Legacy PHPCS 3 -->
|
|
<exclude name="PSR12.Files.FileHeader.SpacingAfterDeclareBlock"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR12.Files.FileHeader.SpacingAfterTagBlock"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR12.Traits.UseDeclaration.MultipleImport"/>
|
|
<exclude name="PSR2.Classes.ClassDeclaration.CloseBraceAfterBody"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR2.Classes.ClassDeclaration.OpenBraceNewLine"/><!-- Consider using PSR12 defaults instead -->
|
|
<exclude name="PSR2.ControlStructures.SwitchDeclaration.BodyOnNextLineCASE"/>
|
|
<exclude name="PSR2.ControlStructures.SwitchDeclaration.BreakNotNewLine"/>
|
|
<exclude name="PSR2.Functions.FunctionCallSignature.ContentAfterOpenBracket"/>
|
|
<exclude name="PSR2.Methods.FunctionCallSignature.CloseBracketLine"/>
|
|
<exclude name="PSR2.Methods.FunctionCallSignature.ContentAfterOpenBracket"/>
|
|
<exclude name="PSR2.Methods.FunctionCallSignature.Indent"/>
|
|
<exclude name="PSR2.Methods.FunctionCallSignature.MultipleArguments"/>
|
|
<exclude name="PSR2.Methods.MethodDeclaration.Underscore"/>
|
|
<exclude name="Squiz.Classes.ValidClassName.NotCamelCaps"/><!-- Legacy PHPCS 3 -->
|
|
<exclude name="Squiz.Classes.ValidClassName.NotPascalCase"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.BraceOnSameLine"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.CloseBracketLine"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.ContentAfterBrace"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.FirstParamSpacing"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.Indent"/>
|
|
<exclude name="Squiz.Functions.MultiLineFunctionDeclaration.OneParamPerLine"/>
|
|
<exclude name="Squiz.WhiteSpace.ScopeClosingBrace.ContentBefore"/>
|
|
<exclude name="Generic.CodeAnalysis.EmptyStatement.DetectedIf"/>
|
|
</rule>
|
|
<rule ref="Generic.Classes.DuplicateClassName"/>
|
|
<rule ref="Generic.CodeAnalysis.EmptyStatement"/>
|
|
<rule ref="Generic.CodeAnalysis.UnconditionalIfStatement"/>
|
|
<rule ref="Generic.CodeAnalysis.UnnecessaryFinalModifier"/>
|
|
<rule ref="Generic.CodeAnalysis.UselessOverridingMethod"/>
|
|
<rule ref="Generic.Files.LineLength">
|
|
<properties>
|
|
<property name="lineLimit" value="165"/>
|
|
<property name="absoluteLineLimit" value="190"/>
|
|
</properties>
|
|
<exclude-pattern>/i18n/*\.php$</exclude-pattern>
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
</rule>
|
|
<rule ref="Generic.Functions.OpeningFunctionBraceKernighanRitchie"/><!-- Consider using PSR12 defaults instead -->
|
|
<rule ref="Generic.PHP.DeprecatedFunctions"/>
|
|
<rule ref="Generic.Strings.UnnecessaryStringConcat">
|
|
<properties>
|
|
<property name="allowMultiline" value="true"/>
|
|
</properties>
|
|
</rule>
|
|
<rule ref="Generic.WhiteSpace.DisallowSpaceIndent"/>
|
|
<rule ref="Generic.WhiteSpace.ScopeIndent.Incorrect">
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
<exclude-pattern>/app/install.php</exclude-pattern>
|
|
</rule>
|
|
<rule ref="Generic.WhiteSpace.ScopeIndent.IncorrectExact">
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
<exclude-pattern>/app/install.php</exclude-pattern>
|
|
</rule>
|
|
<rule ref="Internal.NoCodeFound">
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
</rule>
|
|
<!-- <rule ref="Squiz.Commenting.ClassComment.Missing"/> --><!-- Consider adding -->
|
|
|
|
<rule ref="Squiz.ControlStructures.ControlSignature">
|
|
<include-pattern>*\.phtml$</include-pattern>
|
|
<properties>
|
|
<property name="requiredSpacesBeforeColon" value="0" />
|
|
</properties>
|
|
</rule>
|
|
<rule ref="Squiz.ControlStructures.ControlSignature">
|
|
<include-pattern>*\.php$</include-pattern>
|
|
</rule>
|
|
|
|
<rule ref="Squiz.ControlStructures.ControlSignature.NewlineAfterOpenBrace">
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
</rule>
|
|
<rule ref="Squiz.WhiteSpace.OperatorSpacing">
|
|
<properties>
|
|
<property name="ignoreNewlines" value="true"/>
|
|
</properties>
|
|
</rule>
|
|
<rule ref="Squiz.WhiteSpace.ScopeClosingBrace.Indent">
|
|
<exclude-pattern>*\.phtml$</exclude-pattern>
|
|
</rule>
|
|
<rule ref="Squiz.WhiteSpace.SemicolonSpacing"/>
|
|
</ruleset>
|