115 lines
3.6 KiB
PHP
115 lines
3.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace UploadLogger\Detectors;
|
|
|
|
use UploadLogger\Core\Context;
|
|
use UploadLogger\Core\DetectorInterface;
|
|
use UploadLogger\Core\Config;
|
|
|
|
final class ContentDetector implements DetectorInterface
|
|
{
|
|
private ?Config $config;
|
|
|
|
public function __construct(?Config $config = null)
|
|
{
|
|
$this->config = $config;
|
|
}
|
|
|
|
public function getName(): string
|
|
{
|
|
return 'content';
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $input
|
|
* @return array<string, mixed>
|
|
*/
|
|
public function detect(Context $context, array $input = []): array
|
|
{
|
|
$tmp = (string)($input['tmp'] ?? '');
|
|
$size = (int)($input['size'] ?? 0);
|
|
$realMime = (string)($input['real_mime'] ?? '');
|
|
|
|
$suspicious = false;
|
|
$reasons = [];
|
|
|
|
if ($tmp === '' || !is_file($tmp)) {
|
|
return ['suspicious' => false, 'reasons' => []];
|
|
}
|
|
|
|
// Determine limits from Config if provided, otherwise use defaults
|
|
$maxBytes = 8192;
|
|
$maxFilesize = 2 * 1024 * 1024;
|
|
$allowXmlEval = false;
|
|
$customPatterns = [];
|
|
|
|
if ($this->config instanceof Config) {
|
|
$maxBytes = (int)$this->config->get('detectors.content.sniff_max_bytes', $this->config->get('limits.sniff_max_bytes', $maxBytes));
|
|
$maxFilesize = (int)$this->config->get('detectors.content.sniff_max_filesize', $this->config->get('limits.sniff_max_filesize', $maxFilesize));
|
|
$allowXmlEval = (bool)$this->config->get('detectors.content.allow_xml_eval', false);
|
|
$customPatterns = (array)$this->config->get('detectors.content.custom_patterns', []);
|
|
}
|
|
|
|
if ($size <= 0) {
|
|
$size = @filesize($tmp) ?: 0;
|
|
}
|
|
if ($size <= 0 || $size > $maxFilesize) {
|
|
return ['suspicious' => false, 'reasons' => []];
|
|
}
|
|
|
|
$bytes = min($maxBytes, $size);
|
|
$maxlen = $bytes > 0 ? $bytes : null;
|
|
$head = @file_get_contents($tmp, false, null, 0, $maxlen);
|
|
if ($head === false || $head === '') {
|
|
return ['suspicious' => false, 'reasons' => []];
|
|
}
|
|
|
|
$scan = $head;
|
|
|
|
// Detect PHP open tags (avoid matching <?xml)
|
|
if (preg_match('/<\?php|<\?=|<\?(?!xml)/i', $scan)) {
|
|
$suspicious = true;
|
|
$reasons[] = 'php_tag';
|
|
}
|
|
|
|
// Built-in function patterns
|
|
$funcPatterns = [
|
|
'passthru\s*\(', 'system\s*\(', 'exec\s*\(', 'shell_exec\s*\(',
|
|
'proc_open\s*\(', 'popen\s*\(', 'pcntl_exec\s*\(',
|
|
];
|
|
|
|
foreach ($funcPatterns as $pat) {
|
|
if (preg_match('/' . $pat . '/i', $scan)) {
|
|
$suspicious = true;
|
|
$reasons[] = 'danger_func';
|
|
break;
|
|
}
|
|
}
|
|
|
|
// Base64/eval/assert patterns often indicate obfuscated payloads
|
|
if (preg_match('/base64_decode\s*\(|eval\s*\(|assert\s*\(/i', $scan)) {
|
|
$isXmlLike = preg_match('/xml|svg/i', $realMime);
|
|
if (!preg_match('/eval\s*\(/i', $scan) || !$isXmlLike || $allowXmlEval === true) {
|
|
$suspicious = true;
|
|
$reasons[] = 'obf_func';
|
|
}
|
|
}
|
|
|
|
// Custom patterns from config
|
|
foreach ($customPatterns as $p) {
|
|
try {
|
|
if (@preg_match($p, $scan)) {
|
|
$suspicious = true;
|
|
$reasons[] = 'custom_pattern';
|
|
}
|
|
} catch (\Throwable $e) {
|
|
// ignore invalid patterns
|
|
}
|
|
}
|
|
|
|
return ['suspicious' => $suspicious, 'reasons' => array_values(array_unique($reasons))];
|
|
}
|
|
}
|