Began work on the core_image.php reader

e107_handlers/e107_class.php

@@ -193,6 +193,7 @@ class e107
 		'e_bb_base'                      => '{e_HANDLER}bbcode_handler.php',
 		'e_customfields'                 => '{e_HANDLER}e_customfields_class.php',
 		'e_file'                         => '{e_HANDLER}file_class.php',
+		'e_file_inspector'               => '{e_HANDLER}e_file_inspector_json.php',
 		'e_form'                         => '{e_HANDLER}form_handler.php',
 		'e_jshelper'                     => '{e_HANDLER}js_helper.php',
 		'e_media'                        => '{e_HANDLER}media_class.php',
@@ -1601,6 +1602,18 @@ class e107
 		return self::getObject('e_file', null, true);
 	}
 
+	/**
+	 * Create a new file inspector object
+	 *
+	 * Note: Only the core file inspector is supported right now.
+	 *
+	 * @return e_file_inspector
+	 */
+	public static function getFileInspector()
+	{
+		return self::getSingleton('e_file_inspector');
+	}
+
 	/**
 	 * Retrieve form handler singleton or new fresh object
 	 *

e107_handlers/e_file_inspector.php

@@ -0,0 +1,101 @@
+<?php
+/**
+ * e107 website system
+ *
+ * Copyright (C) 2008-2020 e107 Inc (e107.org)
+ * Released under the terms and conditions of the
+ * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
+ */
+
+require_once("e_file_inspector_interface.php");
+
+abstract class e_file_inspector implements e_file_inspector_interface
+{
+	/**
+	 * Check the integrity of the provided path
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @param $version string The desired software release to match.
+	 *                        Leave blank for the latest version.
+	 *                        Do not prepend the version number with "v".
+	 * @return int Validation code (see the constants of this class)
+	 */
+	public function validate($path, $version = null)
+	{
+		$absolutePath = realpath($path);
+		$actualChecksum = $this->checksumPath($absolutePath);
+		$dbChecksum = $this->getChecksum($path, $version);
+
+		if ($dbChecksum === false) return self::VALIDATION_IGNORE;
+		if (!file_exists($absolutePath)) return self::VALIDATION_MISSING;
+		if ($this->isInsecure($path)) return self::VALIDATION_INSECURE;
+		if ($actualChecksum === false) return self::VALIDATION_INCALCULABLE;
+		if ($actualChecksum === $dbChecksum) return self::VALIDATION_PASS;
+
+		foreach ($this->getChecksums($path) as $dbVersion => $dbChecksum)
+		{
+			if (version_compare($dbVersion, $version, ">=")) continue;
+
+			if ($dbChecksum === $actualChecksum) return self::VALIDATION_OLD;
+		}
+
+		return self::VALIDATION_FAIL;
+	}
+
+	/**
+	 * Get the file integrity hash for the provided path and version
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @param $version string The software release version corresponding to the file hash.
+	 *                        Leave blank for the latest version.
+	 *                        Do not prepend the version number with "v".
+	 * @return string|bool The database hash for the path and version specified. FALSE if the record does not exist.
+	 */
+	public function getChecksum($path, $version = null)
+	{
+		$checksums = $this->getChecksums($path);
+		return isset($checksums[$version]) ? $checksums[$version] : false;
+	}
+
+	/**
+	 * Calculate the hash of a path to compare with the hash database
+	 *
+	 * @param $absolutePath string Absolute path of the file to hash
+	 * @return string|bool The actual hash for the path. FALSE if the hash was incalculable.
+	 */
+	public function checksumPath($absolutePath)
+	{
+		if (!is_file($absolutePath) || !is_readable($absolutePath)) return false;
+
+		return $this->checksum(file_get_contents($absolutePath));
+	}
+
+	/**
+	 * Calculate the hash of a string, which would be used to compare with the hash database
+	 *
+	 * @param $content string Full content to hash
+	 * @return string
+	 */
+	public function checksum($content)
+	{
+		return md5(str_replace(array(chr(13),chr(10)), "",  $content));
+	}
+
+	/**
+	 * Get the matching version of the provided path
+	 *
+	 * Useful for looking up the versions of old files that no longer exist in the latest image
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @return string|bool PHP-standardized version of the file. FALSE if there is no match.
+	 */
+	public function getVersion($path)
+	{
+		$actualChecksum = $this->checksumPath($path);
+		foreach ($this->getChecksums($path) as $dbVersion => $dbChecksum)
+		{
+			if ($actualChecksum === $dbChecksum) return $dbVersion;
+		}
+		return false;
+	}
+}

e107_handlers/e_file_inspector_interface.php

@@ -0,0 +1,65 @@
+<?php
+/**
+ * e107 website system
+ *
+ * Copyright (C) 2008-2020 e107 Inc (e107.org)
+ * Released under the terms and conditions of the
+ * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
+ */
+
+interface e_file_inspector_interface
+{
+	/**
+	 * The file is present, and its hash matches the specified version.
+	 */
+	const VALIDATION_PASS = 1;
+	/**
+	 * The file is present, but the hash does not match the specified version. VALIDATION_OLD takes precedence.
+	 */
+	const VALIDATION_FAIL = 2;
+	/**
+	 * The file is absent, but a hash exists for the specified version.
+	 */
+	const VALIDATION_MISSING = 3;
+	/**
+	 * The file is present, and its hash matches a version older than the specified version.
+	 */
+	const VALIDATION_OLD = 4;
+	/**
+	 * A hash cannot be determined for the provided file.
+	 */
+	const VALIDATION_INCALCULABLE = 5;
+	/**
+	 * The file is present, but it should be deleted due to security concerns
+	 */
+	const VALIDATION_INSECURE = 6;
+	/**
+	 * The file, present or absent, is not in this database.
+	 */
+	const VALIDATION_IGNORE = 7;
+
+	/**
+	 * Get all the known file integrity hashes for the provided path
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @return array Associative array where the keys are the PHP-standardized versions and the values are the checksums
+	 *               for those versions.
+	 */
+	public function getChecksums($path);
+
+	/**
+	 * List of versions of the provided path for which the database has hashes
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @return array PHP-standardized versions. Empty if there are none.
+	 */
+	public function getVersions($path);
+
+	/**
+	 * Check if the file is insecure
+	 *
+	 * @param $path string Relative path of the file to look up
+	 * @return bool TRUE if the file should be deleted due to known security flaws; FALSE otherwise
+	 */
+	public function isInsecure($path);
+}

e107_handlers/e_file_inspector_json.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * e107 website system
+ *
+ * Copyright (C) 2008-2020 e107 Inc (e107.org)
+ * Released under the terms and conditions of the
+ * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
+ */
+
+require_once("e_file_inspector.php");
+
+class e_file_inspector_json extends e_file_inspector
+{
+	private $coreImage;
+
+	public function __construct()
+	{
+		global $core_image;
+		require(e_ADMIN . "core_image.php");
+		$this->coreImage = json_decode($core_image, true);
+		unset($core_image);
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function getChecksums($path)
+	{
+		$path = $this->pathToDefaultPath($path);
+		return self::array_get($this->coreImage, $path, []);
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function getVersions($path)
+	{
+		$path = $this->pathToDefaultPath($path);
+		return array_keys(self::array_get($this->coreImage, $path, []));
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function isInsecure($path)
+	{
+		# TODO
+		return false;
+	}
+
+	/**
+	 * Get an item from an array using "slash" notation.
+	 *
+	 * Based on Illuminate\Support\Arr::get()
+	 *
+	 * @param array $array
+	 * @param string $key
+	 * @param mixed $default
+	 * @return mixed
+	 * @copyright Copyright (c) Taylor Otwell
+	 * @license https://github.com/illuminate/support/blob/master/LICENSE.md MIT License
+	 */
+	private static function array_get($array, $key, $default = null)
+	{
+		if (is_null($key)) return $array;
+
+		if (isset($array[$key])) return $array[$key];
+
+		foreach (explode('/', $key) as $segment) {
+			if (!is_array($array) || !array_key_exists($segment, $array)) {
+				return $default;
+			}
+
+			$array = $array[$segment];
+		}
+
+		return $array;
+	}
+
+	private function pathToDefaultPath($path)
+	{
+		$defaultDirs = e107::getInstance()->defaultDirs();
+		foreach ($defaultDirs as $dirType => $defaultDir) {
+			$customDir = e107::getFolder(preg_replace("/_DIRECTORY$/i", "", $dirType));
+			$path = preg_replace("/^" . preg_quote($customDir, "/") . "/", $defaultDir, $path);
+		}
+		return $path;
+	}
+}

e107_tests/tests/unit/e_file_inspectorTest.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * e107 website system
+ *
+ * Copyright (C) 2008-2020 e107 Inc (e107.org)
+ * Released under the terms and conditions of the
+ * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
+ */
+
+class e_file_inspectorTest extends \Codeception\Test\Unit
+{
+	/**
+	 * @var e_file_inspector_json
+	 */
+	private $e_integrity;
+
+	public function _before()
+	{
+		require_once(e_HANDLER."e_file_inspector_json.php");
+		$this->e_integrity = new e_file_inspector_json();
+	}
+
+	public function testGetChecksums()
+	{
+		$checksums = $this->e_integrity->getChecksums("e107_admin/e107_update.php");
+		$this->assertIsArray($checksums);
+		$this->assertNotEmpty($checksums);
+
+		$checksums = $this->e_integrity->getChecksums("e107_handlers/nonexistent.php");
+		$this->assertIsArray($checksums);
+		$this->assertEmpty($checksums);
+	}
+}