feature #30385 [SecurityBundle] Validate the IPs configured in access_control (javiereguiluz)

Robin Chalas · Robin Chalas · commit ddd676723ffe · 2019-03-07T21:34:44.000+01:00
This PR was squashed before being merged into the 4.3-dev branch (closes #30385). Discussion ---------- [SecurityBundle] Validate the IPs configured in access_control | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #30299 | License | MIT | Doc PR | - Commits ------- 857ac95 [SecurityBundle] Validate the IPs configured in access_control
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -143,6 +143,15 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode)
                             ->integerNode('port')->defaultNull()->end()
                             ->arrayNode('ips')
                                 ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
+                                ->beforeNormalization()->always()->then(function ($v) {
+                                    foreach ($v as $ip) {
+                                        if (false === $this->isValidIp($ip)) {
+                                            throw new \LogicException(sprintf('The given "%s" value in the "access_control" config option is not a valid IP address.', $ip));
+                                        }
+                                    }
+
+                                    return $v;
+                                })->end()
                                 ->prototype('scalar')->end()
                             ->end()
                             ->arrayNode('methods')
@@ -419,4 +428,30 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
             ->end()
         ;
     }
+
+    private function isValidIp(string $cidr): bool
+    {
+        $cidrParts = explode('/', $cidr);
+
+        if (1 === \count($cidrParts)) {
+            return false !== filter_var($cidrParts[0], FILTER_VALIDATE_IP);
+        }
+
+        $ip = $cidrParts[0];
+        $netmask = $cidrParts[1];
+
+        if (!ctype_digit($netmask)) {
+            return false;
+        }
+
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return $netmask <= 32;
+        }
+
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            return $netmask <= 128;
+        }
+
+        return false;
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/config/routing.yml
@@ -31,6 +31,15 @@ secured-by-one-ip:
 secured-by-two-ips:
     path:     /secured-by-two-ips
 
+secured-by-one-real-ip:
+    path:     /secured-by-one-real-ip
+
+secured-by-one-real-ip-with-mask:
+    path:     /secured-by-one-real-ip-with-mask
+
+secured-by-one-real-ipv6:
+    path:     /secured-by-one-real-ipv6
+
 form_logout:
     path:     /logout_path
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php
@@ -71,10 +71,16 @@ public function testSecurityConfigurationForMultipleIPAddresses($config)
     {
         $allowedClientA = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '1.1.1.1']);
         $allowedClientB = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '2.2.2.2']);
+        $allowedClientC = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '203.0.113.0']);
         $barredClient = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => $config], ['REMOTE_ADDR' => '192.168.1.1']);
 
         $this->assertAllowed($allowedClientA, '/secured-by-two-ips');
         $this->assertAllowed($allowedClientB, '/secured-by-two-ips');
+
+        $this->assertRestricted($allowedClientA, '/secured-by-one-real-ip');
+        $this->assertRestricted($allowedClientA, '/secured-by-one-real-ipv6');
+        $this->assertAllowed($allowedClientC, '/secured-by-one-real-ip-with-mask');
+
         $this->assertRestricted($barredClient, '/secured-by-two-ips');
     }
 
@@ -100,6 +106,15 @@ public function testSecurityConfigurationForExpression($config)
         $this->assertAllowed($allowedClient, '/protected-via-expression');
     }
 
+    public function testInvalidIpsInAccessControl()
+    {
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('The given "256.357.458.559" value in the "access_control" config option is not a valid IP address.');
+
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml']);
+        $client->request('GET', '/unprotected_resource');
+    }
+
     private function assertAllowed($client, $path)
     {
         $client->request('GET', $path);
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/config.yml
@@ -39,6 +39,10 @@ security:
         - { path: ^/secure-but-not-covered-by-access-control$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/secured-by-one-ip$, ip: 10.10.10.10, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/secured-by-two-ips$, ips: [1.1.1.1, 2.2.2.2], roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        # these real IP addresses are reserved for docs/examples (https://tools.ietf.org/search/rfc5737)
+        - { path: ^/secured-by-one-real-ip$, ips: 198.51.100.0, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/secured-by-one-real-ip-with-mask$, ips: '203.0.113.0/24', roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/secured-by-one-real-ipv6$, ips: 0:0:0:0:0:ffff:c633:6400, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/highly_protected_resource$, roles: IS_ADMIN }
         - { path: ^/protected-via-expression$, allow_if: "(is_anonymous() and request.headers.get('user-agent') matches '/Firefox/i') or is_granted('ROLE_USER')" }
         - { path: .*, roles: IS_AUTHENTICATED_FULLY }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/invalid_ip_access_control.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/invalid_ip_access_control.yml
@@ -0,0 +1,22 @@
+imports:
+    - { resource: ./../config/default.yml }
+
+security:
+    encoders:
+        Symfony\Component\Security\Core\User\User: plaintext
+
+    providers:
+        in_memory:
+            memory:
+                users:
+                    johannes: { password: test, roles: [ROLE_USER] }
+
+    firewalls:
+        default:
+            form_login: ~
+            logout: ~
+            anonymous: ~
+
+    access_control:
+        # the '256.357.458.559' IP is wrong on purpose, to check invalid IP errors
+        - { path: ^/unprotected_resource$, ips: [1.1.1.1, 256.357.458.559], roles: IS_AUTHENTICATED_ANONYMOUSLY }
