fix: address security review findings
This commit is contained in:
@@ -16,11 +16,11 @@ final class DirectAdminContext
|
||||
*/
|
||||
public static function fromServer(array $server, Settings $settings): self
|
||||
{
|
||||
$username = trim((string)($server['USERNAME'] ?? $server['USER'] ?? ''));
|
||||
$username = trim((string)($server['USERNAME'] ?? ''));
|
||||
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$/', $username)) {
|
||||
throw new InvalidArgumentException('Invalid DirectAdmin username');
|
||||
}
|
||||
$host = Settings::normalizeHost((string)($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? ''));
|
||||
$host = self::trustedSourceHost($server, $settings);
|
||||
if ($host === '') {
|
||||
throw new InvalidArgumentException('Missing source host');
|
||||
}
|
||||
@@ -34,6 +34,23 @@ final class DirectAdminContext
|
||||
return new self($username, $host, $serverName, strtoupper((string)($server['REQUEST_METHOD'] ?? 'GET')));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string,mixed> $server
|
||||
*/
|
||||
private static function trustedSourceHost(array $server, Settings $settings): string
|
||||
{
|
||||
$configuredName = $settings->sourceServerName();
|
||||
if ($configuredName !== '') {
|
||||
foreach ($settings->allowedSourceHosts() as $allowedHost) {
|
||||
$label = $settings->sanitizeServerName(explode('.', $allowedHost)[0] ?? '');
|
||||
if ($label === $configuredName) {
|
||||
return $allowedHost;
|
||||
}
|
||||
}
|
||||
}
|
||||
return Settings::normalizeHost((string)($server['SERVER_NAME'] ?? ''));
|
||||
}
|
||||
|
||||
public function username(): string
|
||||
{
|
||||
return $this->username;
|
||||
|
||||
Reference in New Issue
Block a user