rayne/virtual-path
Composer 安装命令:
composer require rayne/virtual-path
包简介
The VirtualPath library normalises paths and prevents directory traversal attacks without querying a file system.
关键字:
README 文档
README
The VirtualPath library normalises paths and
prevents directory traversal attacks
without querying a file system.
Contents
Installation
It's recommended to use the dependency manager
Composer
to install rayne/virtual-path.
composer require rayne/virtual-path
Dependencies
- PHP 5.6 or better
Usage
The VirtualPath class normalises inputs to absolute virtual paths
without querying any file system.
It also detects and flags directory traversal attacks.
The JailedPath class utilises VirtualPath to build safe paths
which can be used for working with real files.
The normalisation is done relative to a jail called path
which is used as virtual root for any path entered by the user.
As JailedPath does not query the file system
it's suited for working with local, remote or fictional paths.
Please read the Implementation Details section for more details.
TL;DR Use the JailedPath class when in doubt.
Examples
JailedPath
In this example website visitors are allowed to download any file
from the local directory /test
by specifying the relative path as GET parameter.
To prevent users from leaving the directory with directory traversal attacks,
JailedPath is used with /test as the virtual root directory.
<?php use Rayne\VirtualPath\JailedPath; $jailedPath = new JailedPath('/test', $_GET['path'] ?? ''); if ($jailedPath->hasJailbreakAttempt()) { // Log jailbreak attempt, ban user, … return; } if (is_file($jailedPath->getAbsolutePath())) { @readfile($jailedPath->getAbsolutePath()); }
The following table shows how user defined paths are normalised and how they are interpreted relative to the virtual root.
| User Input | hasJailbreakAttempt() |
getAbsolutePath() |
getRelativePath() |
|---|---|---|---|
| Empty String | false |
/test |
Empty String |
. |
false |
/test |
Empty String |
a.png/../b.png |
false |
/test/b.png |
b.png |
/a/./b |
false |
/test/a/b |
a/b |
.. |
true |
/test |
Empty String |
../example |
true |
/test/example |
example |
../etc/passwd |
true |
/test/etc/passwd |
etc/passwd |
| Array | true |
/test |
Empty String |
VirtualPath
If a fixed prefix or the sugar coating of JailedPath isn't required,
then VirtualPath is sufficient as it is the class used for normalising paths.
VirtualPath normalises the input and provides a trusted
(normalised, with a leading /)
and an untrusted
(a string representation of the probably malicious user input)
path.
The previous example can be easily recreated with VirtualPath
when the instance of VirtualPath (which is (string) cast-able)
is appended to the virtual root directory.
<?php use Rayne\VirtualPath\VirtualPath; $path = new VirtualPath($_GET['path'] ?? ''); $absolutePath = '/test' . $path;
Depending on the usage scenario it's sometimes useful to work with the normalised trusted path even if the original input is not trustworthy, e.g. when explicitly supporting relative paths and giving the user the benefit of doubt when accidentally trying to access files outside of the virtual path.
Note: VirtualPath returns the normalised path with a leading /.
When working with files it's recommended to add a trusted path as prefix
(see code example in the current section)
as otherwise files relative to the file system's root would be referenced.
To not forget to add the prefix use the JailedPath class instead when working with real files.
| Input | isTrusted() |
getTrustedPath() |
getUntrustedPath() |
|---|---|---|---|
| Array | false |
/ |
Empty String |
| Empty String | true |
/ |
Empty String |
../articles |
false |
/articles |
../articles |
tags/../../articles |
false |
/articles |
tags/../../articles |
tags/../articles |
true |
/articles |
tags/../articles |
../etc/passwd |
false |
/etc/passwd |
../etc/passwd |
/etc/passwd |
true |
/etc/passwd |
/etc/passwd |
etc/passwd |
true |
/etc/passwd |
etc/passwd |
Implementation Details
Using a pure virtual normalised path has different benefits:
-
Path normalisation is done without querying a file system
-
It's impossible to forge timing attacks for files outside of the scope of the virtual path
-
No complex comparisons are required to limit directory traversals to a specific directory and its children
-
Only
.,..,\(normalised to/) and/are interpreted for path normalisation -
No unexpected and information leaking
~expansions as seen in other libraries
The implementation of VirtualPath does not interpret,
alter or remove control characters and Unicode:
-
Directory and file paths are allowed to contain control characters on some systems
-
Removing control characters is out of scope for the library
Tests
-
Clone the repository
git clone https://github.com/rayne/virtual-path.git
-
Install the development dependencies
composer install --dev
-
Run the tests
composer test
rayne/virtual-path 适用场景与选型建议
rayne/virtual-path 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 72 次下载、GitHub Stars 达 8, 最近一次更新时间为 2017 年 10 月 06 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「path」 「directory」 「traversal」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 rayne/virtual-path 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 rayne/virtual-path 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 rayne/virtual-path 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
JSONPath implementation for querying and updating JSON objects with support for json flattening into a table
LDAP user provider bundle for Symfony 6.4
The InstantConfigurationCopy module provides easy way to copy configuration field information for admin in back office Magento 2.
simple agnostic package for IO releted (files, dir, etc..)
Simple class for encapsulating file directory object.
Service for for hash map (assoc array) traversal (fork of igorw/get-in).
统计信息
- 总下载量: 72
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 8
- 点击次数: 0
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2017-10-06