magdev/wc-licensed-product-client
1
Fork 0
Code Issues Pull Requests Activity

Fix security vulnerabilities identified in audit

Browse Source 
- Add JSON encoding error handling in ResponseSignature to prevent silent failures
- Sanitize exception messages to prevent information disclosure
- Fix header normalization to treat empty values as null
- Add SSRF protection with URL validation and private IP blocking
- Replace custom key derivation with RFC 5869 compliant hash_hkdf()
- Add input validation in DTO fromArray() methods
- Add DateTime exception handling in DTOs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-01-24 14:31:13 +01:00
parent 9f513a819e
commit fa748d61d3
6 changed files with 241 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
src/LicenseClient.php
View File

@@ -18,6 +18,16 @@ final class LicenseClient implements LicenseClientInterface
private const API_PATH = '/wp-json/wc-licensed-product/v1';
private const CACHE_TTL = 300; // 5 minutes
/** @var string[] Private IPv4 ranges (CIDR notation) */
private const PRIVATE_IP_RANGES = [
'10.0.0.0/8',
'172.16.0.0/12',
'192.168.0.0/16',
'127.0.0.0/8',
'169.254.0.0/16',
'0.0.0.0/8',
];
private readonly LoggerInterface $logger;
public function __construct(
@@ -26,8 +36,10 @@ final class LicenseClient implements LicenseClientInterface
?LoggerInterface $logger = null,
private readonly ?CacheItemPoolInterface $cache = null,
private readonly int $cacheTtl = self::CACHE_TTL,
bool $allowInsecureHttp = false,
) {
$this->logger = $logger ?? new NullLogger();
$this->validateBaseUrl($baseUrl, $allowInsecureHttp);
}
public function validate(string $licenseKey, string $domain): LicenseInfo
@@ -165,13 +177,15 @@ final class LicenseClient implements LicenseClientInterface
} catch (LicenseException $e) {
throw $e;
} catch (\Throwable $e) {
// Log full error for debugging but sanitize for user-facing message
$this->logger->error('License API request failed', [
'endpoint' => $endpoint,
'error' => $e->getMessage(),
'exception_class' => $e::class,
'error_code' => $e->getCode(),
]);
throw new LicenseException(
'Failed to communicate with license server: ' . $e->getMessage(),
'Failed to communicate with license server',
null,
0,
$e
@@ -187,4 +201,69 @@ final class LicenseClient implements LicenseClientInterface
}
return $key;
}
/**
* Validate the base URL to prevent SSRF attacks.
*
* @throws \InvalidArgumentException If the URL is invalid or potentially dangerous
*/
private function validateBaseUrl(string $url, bool $allowInsecureHttp): void
{
if ($url === '') {
throw new \InvalidArgumentException('Base URL cannot be empty');
}
$parsed = parse_url($url);
if ($parsed === false || !isset($parsed['scheme'], $parsed['host'])) {
throw new \InvalidArgumentException('Invalid base URL format');
}
$scheme = strtolower($parsed['scheme']);
$host = strtolower($parsed['host']);
// Require HTTPS unless explicitly allowed for localhost
if ($scheme !== 'https') {
if ($scheme !== 'http') {
throw new \InvalidArgumentException('Base URL must use HTTP or HTTPS scheme');
}
$isLocalhost = $host === 'localhost' || $host === '127.0.0.1';
if (!$allowInsecureHttp && !$isLocalhost) {
throw new \InvalidArgumentException(
'Base URL must use HTTPS for non-localhost hosts. ' .
'Set allowInsecureHttp=true to allow HTTP (not recommended for production).'
);
}
}
// Resolve hostname and check for private IPs
$ip = gethostbyname($host);
if ($ip !== $host && $this->isPrivateIp($ip)) {
throw new \InvalidArgumentException(
'Base URL resolves to a private IP address, which is not allowed'
);
}
}
/**
* Check if an IP address is in a private range.
*/
private function isPrivateIp(string $ip): bool
{
$ipLong = ip2long($ip);
if ($ipLong === false) {
return false;
}
foreach (self::PRIVATE_IP_RANGES as $range) {
[$subnet, $bits] = explode('/', $range);
$subnetLong = ip2long($subnet);
$mask = -1 << (32 - (int) $bits);
if (($ipLong & $mask) === ($subnetLong & $mask)) {
return true;
}
}
return false;
}
}