Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Check the presence of public paths via curl.
 *
 * @package    core
 * @category   check
 * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

namespace core\check\environment;

defined('MOODLE_INTERNAL') || die();

use core\check\check;
use core\check\result;

/**
 * Check the public access of various paths.
 *
 * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
class publicpaths extends check {

    /**
     * Get the short check name
     *
     * @return string
     */
    public function get_name(): string {
        return get_string('check_publicpaths_name', 'report_security');
    }

    /**
     * Returns a list of test urls and metadata.
     */
    public function get_pathsets() {
        global $CFG;

        // The intention here is that each pattern is a simple regex such that
        // in future perhaps the various webserver config could be generated as more
        // pattens are added to these checks.
        return [
            [
                'pattern'   => '/vendor/',
                '404'       => [
                    'vendor/',
                    'vendor/bin/behat',
                ],
                'details'   => get_string('check_vendordir_details', 'report_security', ['path' => $CFG->dirroot.'/vendor']),
                'summary'   => get_string('check_vendordir_info', 'report_security'),
            ],
            [
                'pattern'   => '/node_modules/',
                '404'       => [
                    'node_modules/',
                    'node_modules/cli/cli.js',
                ],
                'summary'   => get_string('check_nodemodules_info', 'report_security'),
                'details'   => get_string('check_nodemodules_details', 'report_security',
                        ['path' => $CFG->dirroot . '/node_modules']),
            ],
            [
                'pattern'   => '^\..*',
                '404'       => [
                    '.git/',
                    '.git/HEAD',
                    '.github/FUNDING.yml',
                    '.stylelintrc',
                ],
            ],
            [
                'pattern'   => 'composer.json',
                '404'       => [
                    'composer.json',
                ],
            ],
            [
                'pattern'   => '.lock',
                '404'       => [
                    'composer.lock',
                ],
            ],
            [
                'pattern'   => 'environment.xml',
                '404'       => [
                    'admin/environment.xml',
                ],
            ],
            [
                'pattern'   => '',
                '404'       => [
                    'doesnotexist', // Just to make sure that real 404s are still 404s.
                ],
                'summary'   => '',
            ],
            [
                'pattern'   => '',
                '404'       => [
                    'lib/classes/',
                ],
                'summary'   => get_string('check_dirindex_info', 'report_security'),
            ],
            [
                'pattern'   => 'db/install.xml',
                '404'       => [
                    'lib/db/install.xml',
                    'mod/assign/db/install.xml',
                ],
            ],
            [
                'pattern'   => 'readme.txt',
                '404'       => [
< 'lib/scssphp/moodle_readme.txt',
> 'lib/scssphp/readme_moodle.txt',
'mod/resource/readme.txt', ], ], [ 'pattern' => 'README', '404' => [ 'mod/README.txt', 'mod/book/README.md', 'mod/chat/README.txt', ], ], [ 'pattern' => '/upgrade.txt', '404' => [ 'auth/manual/upgrade.txt', 'lib/upgrade.txt', ], ], [ 'pattern' => 'phpunit.xml', '404' => ['phpunit.xml.dist'], ], [ 'pattern' => '/fixtures/', '404' => [ 'privacy/tests/fixtures/logo.png', 'enrol/lti/tests/fixtures/input.xml', ], ], [ 'pattern' => '/behat/', '404' => ['blog/tests/behat/delete.feature'], ], ]; } /** * Return result * @return result */ public function get_result(): result { global $CFG, $OUTPUT; $status = result::OK; $details = '';
< $summary = '';
> $summary = get_string('check_publicpaths_ok', 'report_security');
$errors = []; $c = new \curl(); $paths = $this->get_pathsets(); $table = new \html_table(); $table->align = ['center', 'right', 'left']; $table->size = ['1%', '1%', '1%', '1%', '1%', '99%']; $table->head = [ get_string('status'), get_string('checkexpected'), get_string('checkactual'), get_string('url'), get_string('category'), get_string('details'), ]; $table->attributes['class'] = 'flexible generaltable generalbox table-sm'; $table->data = []; // Used to track duplicated errors. $lastdetail = '-'; $curl = new \curl(); $requests = []; // Build up a list of all url so we can load them in parallel. foreach ($paths as $path) { foreach (['200', '404'] as $expected) { if (!isset($path[$expected])) { continue; } foreach ($path[$expected] as $test) { $requests[] = [ 'nobody' => true, 'header' => 1, 'url' => $CFG->wwwroot . '/' . $test, 'returntransfer' => true, ]; } } } $headers = $curl->download($requests); foreach ($paths as $path) { foreach (['200', '404'] as $expected) { if (!isset($path[$expected])) { continue; } foreach ($path[$expected] as $test) { $rowsummary = ''; $rowdetail = ''; $url = $CFG->wwwroot . '/' . $test; // Parse the HTTP header to get the 200 / 404 code. $header = array_shift($headers); $actual = strtok($header, "\n"); $actual = strtok($actual, " "); $actual = strtok(" "); if ($actual != $expected) { if (isset($path['summary'])) { $rowsummary = $path['summary']; } else { $rowsummary = get_string('check_publicpaths_generic', 'report_security', $path['pattern']); } // Special case where a 404 is ideal but a 403 is ok too. if ($actual == 403) { $result = new result(result::INFO, '', ''); $rowsummary .= get_string('check_publicpaths_403', 'report_security'); } else { $result = new result(result::ERROR, '', ''); $status = result::ERROR;
> $summary = get_string('check_publicpaths_warning', 'report_security');
} $rowdetail = isset($path['details']) ? $path['details'] : $rowsummary; if (empty($errors[$path['pattern']])) { $summary .= '<li>' . $rowsummary . '</li>'; $errors[$path['pattern']] = 1; } } else { $result = new result(result::OK, '', ''); } $table->data[] = [ $OUTPUT->check_result($result), $expected, $actual, $OUTPUT->action_link($url, $test, null, ['target' => '_blank']), "<pre>{$path['pattern']}</pre>", ]; // Merge duplicate details to display a nicer table. if ($rowdetail == $lastdetail) { $duplicates++; } else { $duplicates = 1; } $detailcell = new \html_table_cell($rowdetail); $detailcell->rowspan = $duplicates; $rows = count($table->data); $table->data[$rows - $duplicates][5] = $detailcell; $lastdetail = $rowdetail; } } } $details .= \html_writer::table($table); return new result($status, $summary, $details); } /** * Link to the dev docs for more info. * * @return action_link|null */ public function get_action_link(): ?\action_link { return new \action_link( new \moodle_url(\get_docs_url('Installing_Moodle#Set_up_your_server')), get_string('moodledocs')); } }