waf.inc.php

Go to the documentation of this file.

<?php
/* Copyright (C) 2004-2025  Laurent Destailleur     <eldy@users.sourceforge.net>
 * Copyright (C) 2025       Frédéric France         <frederic.france@free.fr>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
 
// To disable the WAF for GET and POST and PHP_SELF, uncomment this
//define('NOSCANPHPSELFFORINJECTION', 1);
//define('NOSCANGETFORINJECTION', 1);
//define('NOSCANPOSTFORINJECTION', 1 or array('param1', 'param2'...));
//define('NOSCANAUDIOFORINJECTION', 1);
//define('NOSCANIFRAMEFORINJECTION', 1);
//define('NOSCANOBJECTFORINJECTION', 1);
 
 
function getArrayOfEmoji()
{
  $arrayofcommonemoji = array(
    'misc' => array('2600', '26FF'),    // Miscellaneous Symbols
    'ding' => array('2700', '27BF'),    // Dingbats
    '????' => array('9989', '9989'),    // Variation Selectors
    'vars' => array('FE00', 'FE0F'),    // Variation Selectors
    'pict' => array('1F300', '1F5FF'),    // Miscellaneous Symbols and Pictographs
    'emot' => array('1F600', '1F64F'),    // Emoticons
    'tran' => array('1F680', '1F6FF'),    // Transport and Map Symbols
    'flag' => array('1F1E0', '1F1FF'),    // Flags (note: may be 1F1E6 instead of 1F1E0)
    'supp' => array('1F900', '1F9FF'),    // Supplemental Symbols and Pictographs
  );
 
  return $arrayofcommonemoji;
}
 
function realCharForNumericEntities($matches)
{
  $newstringnumentity = preg_replace('/;$/', '', $matches[1]);
  //print  ' $newstringnumentity='.$newstringnumentity;
 
  if (preg_match('/^x/i', $newstringnumentity)) {   // if numeric is hexadecimal
    $newstringnumentity = hexdec(preg_replace('/^x/i', '', $newstringnumentity));
  } else {
    $newstringnumentity = (int) $newstringnumentity;
  }
 
  // The numeric values we don't want as entities because they encode ascii char, and why using html entities on ascii except for hacking ?
  if (($newstringnumentity >= 47 && $newstringnumentity <= 59) || ($newstringnumentity >= 65 && $newstringnumentity <= 90) || ($newstringnumentity >= 97 && $newstringnumentity <= 122)) {
    return chr((int) $newstringnumentity);
  }
 
  // The numeric values we want in UTF8 instead of entities because it is emoji
  $arrayofemojis = getArrayOfEmoji();
  foreach ($arrayofemojis as $valarray) {
    if ($newstringnumentity >= hexdec($valarray[0]) && $newstringnumentity <= hexdec($valarray[1])) {
      // This is a known emoji
      return html_entity_decode($matches[0], ENT_COMPAT | ENT_HTML5, 'UTF-8');
    }
  }
 
  return '&#'.$matches[1]; // Value will be unchanged because regex was /&#(  )/
}
 
function testSqlAndScriptInject($val, $type)
{
  // Decode string first because a lot of things are obfuscated by encoding or multiple encoding.
  // So <svg o&#110;load='console.log(&quot;123&quot;)' become <svg onload='console.log(&quot;123&quot;)'
  // So "&colon;&apos;" become ":'" (due to ENT_HTML5)
  // So "&Tab;&NewLine;" become ""
  // So "&lpar;&rpar;" become "()"
 
  // Loop to decode until no more things to decode.
  //print "before decoding $val\n";
  do {
    $oldval = $val;
    $val = html_entity_decode($val, ENT_QUOTES | ENT_HTML5);  // Decode '&colon;', '&apos;', '&Tab;', '&NewLine', ...
    // Sometimes we have entities without the ; at end so html_entity_decode does not work but entities is still interpreted by browser.
    $val = preg_replace_callback(
      '/&#(x?[0-9][0-9a-f]+;?)/i',
      static function ($m) {
        // Decode '&#110;', ...
        return realCharForNumericEntities($m);
      },
      $val
    );
 
    // We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: on<!-- -->error=alert(1)
    $val = preg_replace('/<!--[^>]*-->/', '', $val);
    $val = preg_replace('/[\r\n\t]/', '', $val);
  } while ($oldval != $val);
  //print "type = ".$type." after decoding: ".$val."\n";
 
  $inj = 0;
 
  // We check string because some hacks try to obfuscate evil strings by inserting non printable chars. Example: 'java(ascci09)scr(ascii00)ipt' is processed like 'javascript' (whatever is place of evil ascii char)
  // We should use dol_string_nounprintableascii but function is not yet loaded/available
  // Example of valid UTF8 chars:
  // utf8 or utf8mb3: '\x09', '\x0A', '\x0D', '\x7E'
  // utf8 or utf8mb3: '\xE0\xA0\x80'
  // utf8mb4:     '\xF0\x9D\x84\x9E'   (so this may be refused by the database insert if pagecode is utf8=utf8mb3)
  $newval = preg_replace('/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/u', '', $val); // /u operator makes UTF8 valid characters being ignored so are not included into the replace
 
  // Note that $newval may also be completely empty '' when non valid UTF8 are found.
  if ($newval != $val) {
    // If $val has changed after removing non valid UTF8 chars, it means we have an evil string.
    $inj += 1;
  }
  //print 'inj='.$inj.'-type='.$type.'-val='.$val.'-newval='.$newval."\n";
 
  // For SQL Injection (only GET are used to scan for such injection strings)
  if ($type == 1 || $type == 3) {
    // Note the \s+ is replaced into \s* because some spaces may have been modified or removed in previous loop
    $inj += preg_match('/delete[\/\*\s]*from/i', $val);
    $inj += preg_match('/create[\/\*\s]*table/i', $val);
    $inj += preg_match('/insert[\/\*\s]*into/i', $val);
    $inj += preg_match('/select[\/\*\s]*from/i', $val);
    $inj += preg_match('/from[\/\*\s]*dual/i', $val);
    $inj += preg_match('/into[\/\*\s]*(outfile|dumpfile)/i', $val);
    $inj += preg_match('/user[\/\*\s]*\‍(/i', $val); // avoid to use function user() or mysql_user() that return current database login
    $inj += preg_match('/information_schema/i', $val); // avoid to use request that read information_schema database
    $inj += preg_match('/<svg/i', $val); // <svg can be allowed in POST
    $inj += preg_match('/update[^&=\w].*set.+=/i', $val); // the [^&=\w] test is to avoid error when request is like action=update&...set... or &updatemodule=...set...
    $inj += preg_match('/union.+select/i', $val);
  }
  if ($type == 3) {
    // Note the \s+ is replaced into \s* because some spaces may have been modified in previous loop
    $inj += preg_match('/select|update|delete|truncate|replace|group\s*by|concat|count|from|union/i', $val);
  }
  if ($type != 2) { // Not common key strings, so we can check them both on GET and POST
    $inj += preg_match('/updatexml\‍(/i', $val);
    $inj += preg_match('/(\.\.%2f)+/i', $val);
    $inj += preg_match('/\s@@/', $val);
  }
  // For XSS Injection done by closing textarea to execute content into a textarea field
  $inj += preg_match('/<\/textarea/i', $val);
  // For XSS Injection done by adding javascript with script
  // This is all cases a browser consider text is javascript:
  // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
  // All examples on page: http://ha.ckers.org/xss.html#XSScalc
  // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  $inj += preg_match('/<embed/i', $val);
  if (!defined('NOSCANAUDIOFORINJECTION')) {
    $inj += preg_match('/<audio/i', $val);
  }
  if (!defined('NOSCANIFRAMEFORINJECTION')) {
    $inj += preg_match('/<iframe/i', $val);
  }
  if (!defined('NOSCANOBJECTFORINJECTION')) {
    $inj += preg_match('/<object/i', $val);
  }
  $inj += preg_match('/<script/i', $val);
  $inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
  if (!defined('NOSTYLECHECK')) {
    $inj += preg_match('/<style/i', $val);
  }
  $inj += preg_match('/base\s+href/si', $val);
  $inj += preg_match('/=data:/si', $val);
 
  // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events
  $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|content|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $val);
  $inj += preg_match('/on(dblclick|drag|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $val);
  $inj += preg_match('/on(key|load|lostpointercapture|mouse)[a-z]*\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
  $inj += preg_match('/on(offline|online|pagehide|pageshow|pointer)[a-z]*\s*=/i', $val);
  $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|select|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $val);
  $inj += preg_match('/on(timeupdate|touch|transition|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $val);
  // More not into the previous list
  $inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $val);
 
  // We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML.
  // Example: <img on<a>error=alert(1) or <img onerror<>=alert(1) to bypass test on onerror=
  $tmpval = preg_replace('/<[^<]*>/', '', $val);
 
  // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/Events
  $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)[a-z]*\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
  $inj += preg_match('/on(abort|after|animation|auxclick|before|blur|bounce|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)[a-z]*\s*=/i', $tmpval);
  $inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)[a-z]*\s*=/i', $tmpval);
  $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)[a-z]*\s*=/i', $tmpval);
  $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)[a-z]*\s*=/i', $tmpval);
  $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)[a-z]*\s*=/i', $tmpval);
  // More not into the previous list
  $inj += preg_match('/on(repeat|begin|finish)[a-z]*\s*=/i', $tmpval);
 
  //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event handlers onAbort(), ...
  $inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
  $inj += preg_match('/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i', $val);
  $inj += preg_match('/vbscript\s*:/i', $val);
  // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
  if ($type == 1 || $type == 3) {
    $val = str_replace('enclosure="', 'enclosure=X', $val); // We accept enclosure=" for the export/import module
    if (!defined("SECURITY_WAF_ALLOW_QUOTES_IN_GET") || !constant("SECURITY_WAF_ALLOW_QUOTES_IN_GET")) {
      $inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
    }
  }
  if ($type == 2) {
    $inj += preg_match('/[:;"\'<>\?\‍(\‍){}\$%#]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
  }
 
  return $inj;
}
 
function analyseVarsForSqlAndScriptsInjection(&$var, $type, $stopcode = 1)
{
  if (is_array($var)) {
    foreach ($var as $key => $value) {  // Warning, $key may also be used for attacks
      // Exclude check for some variable keys
      if ($type === 0 && defined('NOSCANPOSTFORINJECTION') && is_array(constant('NOSCANPOSTFORINJECTION')) && in_array($key, (array) constant('NOSCANPOSTFORINJECTION'))) {
        continue;
      }
 
      // Test on both the key (we force type to 1 for test on key, we must accept key like "delete=1" blocked with type 3) and the value
      if (analyseVarsForSqlAndScriptsInjection($key, 1, $stopcode) && analyseVarsForSqlAndScriptsInjection($value, $type, $stopcode)) {
        //$var[$key] = $value;  // This is useless
      } else {
        http_response_code(403);
 
        // Get remote IP: PS: We do not use getUserRemoteIP(), function is not yet loaded and we need a value that can't be spoofed
        $ip = (empty($_SERVER['REMOTE_ADDR']) ? 'unknown' : $_SERVER['REMOTE_ADDR']);
 
        if ($stopcode) {
          $errormessage = 'Access refused to '.htmlentities($ip, ENT_COMPAT, 'UTF-8').' by SQL or Script injection protection in main.inc.php:analyseVarsForSqlAndScriptsInjection type='.htmlentities((string) $type, ENT_COMPAT, 'UTF-8');
          //$errormessage .= ' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8');  // Disabled to avoid text injection
 
          $errormessage2 = 'page='.htmlentities((empty($_SERVER["REQUEST_URI"]) ? '' : $_SERVER["REQUEST_URI"]), ENT_COMPAT, 'UTF-8');
          $errormessage2 .= ' paramtype='.htmlentities((string) $type, ENT_COMPAT, 'UTF-8');
          $errormessage2 .= ' paramkey='.htmlentities($key, ENT_COMPAT, 'UTF-8');
          $errormessage2 .= ' paramvalue='.htmlentities($value, ENT_COMPAT, 'UTF-8');
 
          print $errormessage;
          print "<br>\n";
          print 'Try to go back, fix data of your form and resubmit it. You can contact also your technical support.';
 
          print "\n".'<!--'."\n";
          print $errormessage2;
          print "\n".'-->';
 
          // Add entry into the PHP server error log
          if (function_exists('error_log')) {
            error_log($errormessage.' '.substr($errormessage2, 2000));
          }
 
          // Note: No addition into security audit table is done because we don't want to execute code in such a case.
          // Detection of too many such requests can be done with a fail2ban rule on 403 error code or into the PHP server error log.
 
 
          if (class_exists('PHPUnit\Framework\TestSuite')) {
            $message = $errormessage.' '.substr($errormessage2, 2000);
            throw new Exception("Security injection exception: $message");
          }
          exit;
        } else {
          return false;
        }
      }
    }
    return true;
  } else {
    return (testSqlAndScriptInject($var, $type) <= 0);
  }
}
 
// Prevent the use of method TRACE in case of the web server authorizes it (some do it by default). TRACE method can be used by attacker to steal cookies or other sensitive information.
if (!empty($_SERVER["REQUEST_METHOD"]) && $_SERVER["REQUEST_METHOD"] == "TRACE") {
  print 'Access refused with request method TRACE';
  http_response_code(405);
  exit();
}
 
// Sanity check on URL
if (!defined('NOSCANPHPSELFFORINJECTION') && !empty($_SERVER["PHP_SELF"])) {
  $morevaltochecklikepost = array($_SERVER["PHP_SELF"]);
  analyseVarsForSqlAndScriptsInjection($morevaltochecklikepost, 2);
}
// Sanity check on GET parameters
if (!defined('NOSCANGETFORINJECTION') && !empty($_SERVER["QUERY_STRING"])) {
  // Note: QUERY_STRING is url encoded, but $_GET and $_POST are already decoded
  // Because the analyseVarsForSqlAndScriptsInjection is designed for already url decoded value, we must decode QUERY_STRING
  // Another solution is to provide $_GET as parameter with analyseVarsForSqlAndScriptsInjection($_GET, 1);
  $morevaltochecklikeget = array(urldecode($_SERVER["QUERY_STRING"]));
  analyseVarsForSqlAndScriptsInjection($morevaltochecklikeget, 1);
}
// Sanity check on POST
if (!defined('NOSCANPOSTFORINJECTION') || is_array(constant('NOSCANPOSTFORINJECTION'))) {
  analyseVarsForSqlAndScriptsInjection($_POST, 0);
}