fix: address security review findings

This commit is contained in:
Marek Miklewicz
2026-06-30 11:41:40 +02:00
parent 3b096b67bb
commit 54b2e620ff
12 changed files with 188 additions and 31 deletions
+19 -2
View File
@@ -16,11 +16,11 @@ final class DirectAdminContext
*/
public static function fromServer(array $server, Settings $settings): self
{
$username = trim((string)($server['USERNAME'] ?? $server['USER'] ?? ''));
$username = trim((string)($server['USERNAME'] ?? ''));
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$/', $username)) {
throw new InvalidArgumentException('Invalid DirectAdmin username');
}
$host = Settings::normalizeHost((string)($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? ''));
$host = self::trustedSourceHost($server, $settings);
if ($host === '') {
throw new InvalidArgumentException('Missing source host');
}
@@ -34,6 +34,23 @@ final class DirectAdminContext
return new self($username, $host, $serverName, strtoupper((string)($server['REQUEST_METHOD'] ?? 'GET')));
}
/**
* @param array<string,mixed> $server
*/
private static function trustedSourceHost(array $server, Settings $settings): string
{
$configuredName = $settings->sourceServerName();
if ($configuredName !== '') {
foreach ($settings->allowedSourceHosts() as $allowedHost) {
$label = $settings->sanitizeServerName(explode('.', $allowedHost)[0] ?? '');
if ($label === $configuredName) {
return $allowedHost;
}
}
}
return Settings::normalizeHost((string)($server['SERVER_NAME'] ?? ''));
}
public function username(): string
{
return $this->username;