N°7331 - Ensure to keep folder browsing protection files after install/update command

2026-02-13 07:24:13 +01:00 · 2024-03-11 14:46:53 +01:00
parent f3dd414a51
commit 8c1d986a03
5 changed files with 68 additions and 12 deletions
--- a/.make/dependencies/npm/restoreFolderBrowsingProtection.php
+++ b/.make/dependencies/npm/restoreFolderBrowsingProtection.php
@@ -0,0 +1,51 @@
+<?php
+/**
+ * Copyright (C) 2010-2023 Combodo SARL
+ *
+ *   This file is part of iTop.
+ *
+ *   iTop is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU Affero General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   iTop is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU Affero General Public License for more details.
+ *
+ *   You should have received a copy of the GNU Affero General Public License
+ *   along with iTop. If not, see <http: *www.gnu.org/licenses/>
+ *
+ */
+
+/**
+ * Ensure that the files for folder browsing protection (.htaccess, web.config) are kept after an "npm install/update" command
+ */
+
+$iTopFolder = __DIR__."/../../../";
+
+require_once("$iTopFolder/approot.inc.php");
+
+$sDependenciesRootFolderAbsPath = APPROOT . "node_modules/";
+$aFilesToCheck = [
+	".htaccess",
+	"web.config",
+];
+
+echo "This command aims at ensuring that folder browsing protection files (.htaccess, web.config) are present in the dependencies folder even after an install/upgrade command\n";
+echo "Checking files:\n";
+
+foreach($aFilesToCheck as $sFileToCheck) {
+	if (file_exists($sDependenciesRootFolderAbsPath . $sFileToCheck)) {
+		echo "✔️ $sFileToCheck is present\n";
+		continue;
+	}
+
+	// If missing, copy the one from /lib as it contains the necessary allow/deny directives for third-parties
+	copy(APPROOT . "lib/$sFileToCheck", $sDependenciesRootFolderAbsPath . $sFileToCheck);
+	echo "✔️ $sFileToCheck was missing and has been re-created\n";
+}
+
+// Ensure separation with following scripts
+echo "\n";
--- a/.make/dependencies/rmUnnecessaryFolders.php
+++ b/.make/dependencies/rmUnnecessaryFolders.php
@@ -71,10 +71,10 @@ foreach ($aDeniedButStillPresent as $sDir)

 	try {
 		SetupUtils::rrmdir($sDir);
-		echo "OK Remove denied test dir: '$sDir'\n";
+		echo "✔️ Remove denied test dir: '$sDir'\n";
 	}
 	catch (\Exception $e) {
-		echo "\nFAILED to remove denied test dir: '$sDir'\n";
+		echo "\n❌ FAILED to remove denied test dir: '$sDir'\n";
 	}
 }

@@ -90,3 +90,6 @@ if (false === empty($aMissing)) {
 		.'  They must be declared either in the allowed or denied list in '.$sDependenciesHandlerFQCN." (see N°2651).\n"
 		.'  List of dirs:'."\n".var_export($aMissing, true)."\n";
 }
+
+// Ensure separation with following scripts
+echo "\n";
--- a/node_modules/.htaccess
+++ b/node_modules/.htaccess
@@ -1,8 +1,11 @@
+# Allow only static resources files
+# - HTML not allowed as there could be some test pages calling server scripts or executing JS scripts
+# - PHP not allowed as they should not be publicly accessible

 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
-	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html|php)$">
+	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot1)$">
 	    Require all granted
 	</FilesMatch>
 </ifModule>
@@ -11,7 +14,7 @@ Require all denied
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
-	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html|php)$">
+	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
 	    Order Allow,Deny
 	    Allow from all
 	</FilesMatch>
--- a/node_modules/web.config
+++ b/node_modules/web.config
@@ -1,4 +1,7 @@
 <?xml version="1.0" encoding="utf-8" ?>
+<!-- Allow only static resources files -->
+<!-- - HTML not allowed as there could be some test pages calling server scripts or executing JS scripts -->
+<!-- - PHP not allowed as they should not be publicly accessible -->
 <configuration>
  <system.webServer>
      <security>
@@ -20,10 +23,6 @@
               <add fileExtension=".woff2" allowed="true" />
               <add fileExtension=".ttf" allowed="true" />
               <add fileExtension=".eot" allowed="true" />
-               
-               <add fileExtension=".html" allowed="true" />
-               
-               <add fileExtension=".php" allowed="true" />
            </fileExtensions>
         </requestFiltering>
      </security>
--- a/package.json
+++ b/package.json
@@ -28,7 +28,7 @@
    "toastify-js": "^1.12.0"
  },
  "scripts": {
-    "postinstall": "php .make/dependencies/rmUnnecessaryFolders.php --manager npm",
-    "postupdate": "php .make/dependencies/rmUnnecessaryFolders.php --manager npm"
+    "postinstall": "php .make/dependencies/rmUnnecessaryFolders.php --manager npm && php .make/dependencies/npm/restoreFolderBrowsingProtection.php",
+    "postupdate": "php .make/dependencies/rmUnnecessaryFolders.php --manager npm && php .make/dependencies/npm/restoreFolderBrowsingProtection.php"
  }
 }