From 65512ca984a86ac2c20eaf938d2d5f8cdf76ca29 Mon Sep 17 00:00:00 2001
From: bruno DA SILVA <bruno.dasilva@combodo.com>
Date: Wed, 16 Oct 2019 18:00:54 +0200
Subject: [PATCH] 2498 - restrict access to module's assets  - into env-*  -
 into datamodels  - into extensions

---
 datamodels/.htaccess         |  13 +++
 datamodels/web.config        |   8 ++
 extensions/.htaccess         |  13 +++
 extensions/web.config        |   8 ++
 setup/compiler.class.inc.php | 208 +++++++++++++++++++++++++++--------
 5 files changed, 206 insertions(+), 44 deletions(-)
 create mode 100644 datamodels/.htaccess
 create mode 100644 datamodels/web.config
 create mode 100644 extensions/.htaccess
 create mode 100644 extensions/web.config

diff --git a/datamodels/.htaccess b/datamodels/.htaccess
new file mode 100644
index 000000000..782472c78
--- /dev/null
+++ b/datamodels/.htaccess
@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
diff --git a/datamodels/web.config b/datamodels/web.config
new file mode 100644
index 000000000..599a5f260
--- /dev/null
+++ b/datamodels/web.config
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+          <authorization>
+                  <deny users="*" /> <!-- Denies all users -->
+          </authorization>
+  </system.web>
+</configuration>
\ No newline at end of file
diff --git a/extensions/.htaccess b/extensions/.htaccess
new file mode 100644
index 000000000..782472c78
--- /dev/null
+++ b/extensions/.htaccess
@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
diff --git a/extensions/web.config b/extensions/web.config
new file mode 100644
index 000000000..599a5f260
--- /dev/null
+++ b/extensions/web.config
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+          <authorization>
+                  <deny users="*" /> <!-- Denies all users -->
+          </authorization>
+  </system.web>
+</configuration>
\ No newline at end of file
diff --git a/setup/compiler.class.inc.php b/setup/compiler.class.inc.php
index 2fc52b3a9..4fb64227d 100644
--- a/setup/compiler.class.inc.php
+++ b/setup/compiler.class.inc.php
@@ -225,26 +225,49 @@ class MFCompiler
 		$iStart = strlen(realpath(APPROOT));
 		$sRelFinalTargetDir = substr($sFinalTargetDir, strlen(APPROOT));
 
-		$sModuleDesignHtaccessFileName = $sTempTargetDir.'/core/module_designs/.htaccess';
-		// every xml files present in here must not be publicly accessible
+		$sModuleDesignDir = $sTempTargetDir.'/core/module_designs/';
+		SetupUtils::builddir($sModuleDesignDir);
+
+		$sModuleDesignHtaccessFileName = $sModuleDesignDir.'.htaccess';
 		$sModuleDesignHtaccessFileContent = <<<EOF
-<Files  "*.xml">
-    Order deny,allow
-    Deny from all
-</Files>
+# This file was automatically generated by iTop.
+
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
+
 
 EOF;
-		SetupUtils::builddir(dirname($sModuleDesignHtaccessFileName));
-		$ret = file_put_contents($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent);
-		if ($ret === false)
-		{
-			$iLen = strlen($sModuleDesignHtaccessFileContent);
-			$fFree = @disk_free_space(dirname($sModuleDesignHtaccessFileName));
-			$aErr = error_get_last();
-			throw new Exception("Failed to write '$sModuleDesignHtaccessFileName'. Last error: '{$aErr['message']}', content to write: $iLen bytes, available free space on disk: $fFree.");
-		}
+		$this->WriteFileIfNotExists($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent);
 		unset($sModuleDesignHtaccessFileContent, $sModuleDesignHtaccessFileName);
 
+		$sModuleDesignHtaccessFileName = $sModuleDesignDir.'web.config';
+		$sModuleDesignHtaccessFileContent = <<<XML
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- This file was automatically generated by iTop -->
+<configuration>
+  <system.web>
+          <authorization>
+                  <deny users="*" /> <!-- Denies all users -->
+          </authorization>
+  </system.web>
+</configuration>
+
+XML;
+		$this->WriteFileIfNotExists($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent);
+		unset($sModuleDesignHtaccessFileContent, $sModuleDesignHtaccessFileName);
+
+
 		foreach($aModules as $foo => $oModule)
 		{
 			$sModuleName = $oModule->GetName();
@@ -267,37 +290,10 @@ EOF;
 				// Push the other module files
 				SetupUtils::copydir($sModuleRootDir, $sTempTargetDir.'/'.$sRelativeDir, $bUseSymbolicLinks);
 
-				$sModuleHtaccessFileName = $sTempTargetDir.'/'.$sRelativeDir.'/.htaccess';
-				if (!file_exists($sModuleHtaccessFileName))
-				{
-					// if no .htaccess is present, add a generic one prohibiting  access to potentially sensible files (ie: even if it is quite a bad practice, it may happen that a developer put a secret into the xml)
-					$sModuleHtaccessFileContent = <<<EOF
-<Files  "datamodel.*.xml">
-    Order deny,allow
-    Deny from all
-</Files>
+				$this->WriteModuleHtaccess($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion);
+				$this->WriteModuleWebConfig($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion);
 
-<Files  "composer.json">
-    Order deny,allow
-    Deny from all
-</Files>
 
-<Files  "composer.lock">
-    Order deny,allow
-    Deny from all
-</Files>
-
-EOF;
-					$ret = file_put_contents($sModuleHtaccessFileName, $sModuleHtaccessFileContent);
-					if ($ret === false)
-					{
-						$iLen = strlen($sModuleHtaccessFileContent);
-						$fFree = @disk_free_space(dirname($sModuleHtaccessFileName));
-						$aErr = error_get_last();
-						throw new Exception("Failed to write '$sModuleHtaccessFileName'. Last error: '{$aErr['message']}', content to write: $iLen bytes, available free space on disk: $fFree.");
-					}
-					SetupLog::Warning("Added a generic .htaccess into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");;
-				}
 			}
 			else
 			{
@@ -2938,4 +2934,128 @@ EOF;
 
 		return $sPHP;
 	}
+
+	/**
+	 * Write a file only if not exists
+	 * Also add some informations in case of a write failleure
+	 * @param $sFilename
+	 * @param $sContent
+	 *
+	 * @return bool|int
+	 * @throws \Exception
+	 */
+	protected function WriteFileIfNotExists($sFilename, $sContent)
+	{
+		if (file_exists($sFilename))
+		{
+			return false;
+		}
+
+		$ret = file_put_contents($sFilename, $sContent);
+		if ($ret === false)
+		{
+			$iLen = strlen($sContent);
+			$fFree = @disk_free_space(dirname($sFilename));
+			$aErr = error_get_last();
+			throw new Exception("Failed to write '$sFilename'. Last error: '{$aErr['message']}', content to write: $iLen bytes, available free space on disk: $fFree.");
+		}
+
+		return $ret;
+}
+
+	/**
+	 * if no ".htaccess" is present, add a generic one prohibiting access to potentially sensible files (ie: even if it is quite a bad practice, it may happen that a developer put a secret into the xml)
+	 *
+	 * @param $sTempTargetDir
+	 * @param $sFinalTargetDir
+	 * @param $sRelativeDir
+	 * @param $sModuleName
+	 * @param $sModuleVersion
+	 *
+	 * @throws \Exception
+	 */
+	protected function WriteModuleHtaccess($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion)
+	{
+		$sContent = <<<EOF
+# This file was automatically generated by iTop, because there was no .htaccess in this module {$sModuleName}/{$sModuleVersion}
+
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff)$">
+	    Require all granted
+	</FilesMatch>
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff)$">
+	    Order Allow,Deny
+	    Allow from all
+	</FilesMatch>
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
+
+EOF;
+
+		$sFilename = $sTempTargetDir.'/'.$sRelativeDir.'/.htaccess';
+
+		$bWritten = $this->WriteFileIfNotExists($sFilename, $sContent);
+		if ($bWritten)
+		{
+			SetupLog::Warning("Added a generic .htaccess into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");;
+		}
+	}
+
+	/**
+	 *  if no "web.config" is present, add a generic one prohibiting access to potentially sensible files (ie: even if it is quite a bad practice, it may happen that a developer put a secret into the xml)
+	 *
+	 * @param $sTempTargetDir
+	 * @param $sFinalTargetDir
+	 * @param $sRelativeDir
+	 * @param $sModuleName
+	 * @param $sModuleVersion
+	 *
+	 * @throws \Exception
+	 */
+	protected function WriteModuleWebConfig($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion)
+	{
+		$sContent = <<<EOF
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- This file was automatically generated by iTop, because there was no web.config in this module {$sModuleName}/{$sModuleVersion} -->
+<configuration>
+  <system.web>
+      <security>
+         <requestFiltering>
+            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
+               <add fileExtension=".css" allowed="true" />
+               <add fileExtension=".scss" allowed="true" />
+               <add fileExtension=".js" allowed="true" />
+               <add fileExtension=".png" allowed="true" />
+               <add fileExtension=".bmp" allowed="true" />
+               <add fileExtension=".gif" allowed="true" />
+               <add fileExtension=".jpeg" allowed="true" />
+               <add fileExtension=".jpg" allowed="true" />
+               <add fileExtension=".svg" allowed="true" />
+               <add fileExtension=".tiff" allowed="true" />
+            </fileExtensions>
+         </requestFiltering>
+      </security>
+  </system.web>
+</configuration>
+
+EOF;
+
+		$sFilename = $sTempTargetDir.'/'.$sRelativeDir.'/web.config';
+
+		$bWritten = $this->WriteFileIfNotExists($sFilename, $sContent);
+		if ($bWritten)
+		{
+			SetupLog::Warning("Added a generic web.config into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");;
+		}
+	}
 }