add Curl Version, OpenSSL Version and PHP user check
This commit is contained in:
parent
d6e785684a
commit
4c63d4b722
8 changed files with 256 additions and 13 deletions
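--- a/Diagnostic/CurlVersionCheck.php
+++ b/Diagnostic/CurlVersionCheck.php
@@ -0,0 +1,110 @@
+<?php
+/**
+* Matomo - free/libre analytics platform
+*
+* @link https://matomo.org
+* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+*/
+
+namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
+
+use Piwik\Http;
+use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
+use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
+use Psr\Log\LoggerInterface;
+
+class CurlVersionCheck implements Diagnostic
+{
+/**
+* @var LoggerInterface
+*/
+private $logger;
+/**
+* @var string
+*/
+private $label;
+
+const SOCKET_TIMEOUT = 2;
+const CACHEID = "DiagnosticsExtended_CurlVulnerabilities";
+
+/**
+* @var \Matomo\Cache\Lazy
+*/
+private $lazyCache;
+
+
+public function __construct(LoggerInterface $logger, \Matomo\Cache\Lazy $lazyCache)
+{
+$this->logger = $logger;
+$this->label = "curl version check";
+$this->lazyCache = $lazyCache;
+}
+
+
+/**
+* @return DiagnosticResult[]
+*/
+public function execute()
+{
+if (!extension_loaded('curl')) {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_INFORMATIONAL,
+"Your PHP setup doesn't use curl, so there is nothing to check"
+)];
+}
+$version = curl_version()["version"];
+
+$url = "https://curl.se/docs/vuln.pm";
+$timeout = self::SOCKET_TIMEOUT;
+try {
+$response = $this->lazyCache->fetch(self::CACHEID);
+if (!$response) {
+$response = Http::sendHttpRequest($url, $timeout);
+$this->lazyCache->save(self::CACHEID, $response, 60 * 60 * 24 * 7);
+}
+$vulns = [];
+foreach (explode("\n", $response) as $line) {
+$line = trim($line);
+if (strpos($line, "#") === 0 || strpos($line, "@") === 0 || strpos($line, ")") === 0) {
+continue;
+}
+$line = str_replace('"', "", $line);
+$cols = explode("|", $line);
+$startVersion = $cols[1];
+$endVersion = $cols[2];
+$URL = htmlspecialchars($cols[0], ENT_QUOTES, 'UTF-8');
+$CVE = htmlspecialchars($cols[4], ENT_QUOTES, 'UTF-8');
+if (
+version_compare($version, $startVersion, ">=") &&
+version_compare($version, $endVersion, "<=")
+) {
+$vulns[] = "<a target='_blank' rel='noopener' href='https://curl.se/docs/$URL'>$CVE</a>";
+}
+}
+if (count($vulns) > 0) {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_ERROR,
+"Your curl version might be vulnerable against this vulnerabilities
+(unless the distributor of your curl binary is backporting security patches): "
+. join(", ", $vulns)
+)];
+} else {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_OK,
+"It seems like there are no known vulnerabilities in your curl version"
+)];
+}
+} catch (\Exception $e) {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_INFORMATIONAL,
+"Matomo could not check if your curl version has vulnerabilities"
+)];
+}
+
+
+}
+}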
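Review bot: The column accesses `$cols[1]`, `$cols[2]` and `$cols[4]` in the foreach of `execute()` have no guard on the number of fields, so a line that becomes empty after `trim()` (not caught by the `#`/`@`/`)` skip, because `strpos('', '#')` is `false`) or any line of the downloaded file in an unexpected layout produces undefined-offset warnings instead of being skipped; add `if (count($cols) < 5) { continue; }` directly after the `explode("|", $line)`. The `catch (\Exception $e)` branch also discards the cause while the injected `$this->logger` is never used; a `$this->logger->warning('curl vulnerability check failed: ' . $e->getMessage());` there would make a failed download diagnosable instead of silently reporting "could not check". Since the response is cached for seven days, a comment above the `save()` call stating that the verdict is based on a list up to a week old would help readers interpret an STATUS_OK result.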
@ -8,15 +8,13 @@
|
|||
|
||||
namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
|
||||
|
||||
use Piwik\Date;
|
||||
use Piwik\Db;
|
||||
use Piwik\Http;
|
||||
use Piwik\Date;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResultItem;
|
||||
use Piwik\Plugins\DiagnosticsExtended\Diagnostic\IniSettings\IniSetting;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use function DI\factory;
|
||||
|
||||
class DatabaseVersionCheck implements Diagnostic
|
||||
{
|
||||
|
|
|
@ -27,9 +27,11 @@ class ExampleCheck implements Diagnostic
|
|||
|
||||
public function execute()
|
||||
{
|
||||
$result=new DiagnosticResult("label");
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_ERROR,"a"));
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_OK,"b"));
|
||||
$result = new DiagnosticResult("label");
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_ERROR, "error"));
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_WARNING, "warning"));
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_OK, "okay"));
|
||||
$result->addItem(new DiagnosticResultItem(DiagnosticResult::STATUS_INFORMATIONAL, "info"));
|
||||
return array($result);
|
||||
}
|
||||
|
||||
|
|
|
@ -8,17 +8,13 @@
|
|||
|
||||
namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
|
||||
|
||||
use Piwik\Db;
|
||||
use Piwik\Http;
|
||||
use Piwik\Date;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResultItem;
|
||||
use Piwik\Plugins\DiagnosticsExtended\Diagnostic\IniSettings\IniSetting;
|
||||
use Piwik\SettingsPiwik;
|
||||
use Piwik\Tracker\TrackerCodeGenerator;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use function DI\factory;
|
||||
|
||||
class GzipMatomoJsCheck implements Diagnostic
|
||||
{
|
||||
|
|
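--- a/Diagnostic/OpensslVersionCheck.php
+++ b/Diagnostic/OpensslVersionCheck.php
@@ -0,0 +1,88 @@
+<?php
+/**
+* Matomo - free/libre analytics platform
+*
+* @link https://matomo.org
+* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+*/
+
+namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
+
+use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
+use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
+use Psr\Log\LoggerInterface;
+
+class OpensslVersionCheck implements Diagnostic
+{
+/**
+* @var LoggerInterface
+*/
+private $logger;
+/**
+* @var string
+*/
+private $label;
+
+/**
+* Use a rather old version as many security fixes are backported
+*/
+const MINIMUM_VERSION = "1.0.2";
+const MINIMUM_VERSION_LETTER = "b";
+
+
+public function __construct(LoggerInterface $logger)
+{
+$this->logger = $logger;
+$this->label = "OpenSSL version check";
+}
+
+/**
+* @return DiagnosticResult
+*/
+public function noOpenSSL()
+{
+return DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_INFORMATIONAL,
+"Your PHP setup doesn't use OpenSSL or curl, so there is nothing to check"
+);
+}
+
+
+/**
+* @return DiagnosticResult[]
+*/
+public function execute()
+{
+if (!extension_loaded("curl") || !extension_loaded('openssl')) {
+return [$this->noOpenSSL()];
+}
+$version = curl_version()["ssl_version"];
+if (strpos($version, "OpenSSL/") !== 0) {
+return [$this->noOpenSSL()];
+}
+$versionPart = substr($version, 8, 5);
+$letterPart = substr($version, 13, 1);
+if (
+version_compare($versionPart, self::MINIMUM_VERSION, "<")
+|| (
+version_compare($versionPart, self::MINIMUM_VERSION, "=")
+&& ord($letterPart) < ord(self::MINIMUM_VERSION_LETTER)
+)
+) {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_WARNING,
+"Your OpenSSL version ($version) is pretty old.
+Check if there are known vulnerabilities for it and update it if necessary."
+)];
+} else {
+return [DiagnosticResult::singleResult(
+$this->label,
+DiagnosticResult::STATUS_INFORMATIONAL,
+"Your OpenSSL version ($version) is not really old.
+Nevertheless, check if there are known vulnerabilities for it and update it if necessary."
+)];
+}
+}
+}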
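Review bot: The fixed-offset parsing `substr($version, 8, 5)` / `substr($version, 13, 1)` in `execute()` only holds for strings of the exact shape `OpenSSL/x.y.zL`; a two-digit patch level such as `OpenSSL/3.0.13` yields `$versionPart` of `3.0.1` and `$letterPart` of `3`, and a version without a letter suffix leaves `$letterPart` empty, so the comparison runs on mangled input and only lands on the right branch for 3.x by accident. Parse it explicitly instead: `if (!preg_match('/^OpenSSL\/(\d+\.\d+\.\d+)([a-z]*)/', $version, $m)) { return [$this->noOpenSSL()]; }` and compare `$m[1]` and `$m[2]`. A comment on the `curl_version()["ssl_version"]` line should also state that this is the TLS library curl was linked against, which need not be the one PHP's openssl extension reports via `OPENSSL_VERSION_TEXT`, so the check covers curl-based requests rather than PHP's own TLS use.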
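--- a/Diagnostic/PhpUserCheck.php
+++ b/Diagnostic/PhpUserCheck.php
@@ -0,0 +1,48 @@
+<?php
+/**
+* Matomo - free/libre analytics platform
+*
+* @link https://matomo.org
+* @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+*/
+
+namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
+
+use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
+use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
+use Piwik\SettingsServer;
+use Psr\Log\LoggerInterface;
+
+class PhpUserCheck implements Diagnostic
+{
+/**
+* @var LoggerInterface
+*/
+private $logger;
+
+public function __construct(LoggerInterface $logger)
+{
+$this->logger = $logger;
+}
+
+/**
+* @return DiagnosticResult[]
+*/
+public function execute()
+{
+if (SettingsServer::isWindows()) {
+return [];
+}
+if (posix_getuid() === 0) {
+return [DiagnosticResult::singleResult(
+"php running as root",
+DiagnosticResult::STATUS_WARNING,
+"PHP seems to be running as root. Unless you are using Matomo inside a docker container
+you should check your setup."
+)];
+}
+return [];
+}
+
+
+}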
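Review bot: `posix_getuid()` in `execute()` is called unconditionally on every non-Windows host, but the posix extension is optional and can be missing on minimal PHP builds, in which case the call raises an undefined-function `Error` that nothing in the hunk catches and that would take the whole diagnostics page down rather than just this check; guard it with `if (!function_exists('posix_getuid')) { return []; }` before the uid comparison. Consider checking `posix_geteuid()` as well, since the effective uid is what determines the privileges the PHP process actually has. The result label `"php running as root"` is hardcoded here while the sibling checks in this commit keep a `$label` property — a minor consistency point.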
@ -8,14 +8,12 @@
|
|||
|
||||
namespace Piwik\Plugins\DiagnosticsExtended\Diagnostic;
|
||||
|
||||
use Piwik\Http;
|
||||
use Piwik\Date;
|
||||
use Piwik\Http;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\Diagnostic;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResult;
|
||||
use Piwik\Plugins\Diagnostics\Diagnostic\DiagnosticResultItem;
|
||||
use Piwik\Plugins\DiagnosticsExtended\Diagnostic\IniSettings\IniSetting;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use function DI\factory;
|
||||
|
||||
class PhpVersionCheck implements Diagnostic
|
||||
{
|
||||
|
|
|
@ -15,6 +15,9 @@ return [
|
|||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\PhpVersionCheck'),
|
||||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\DatabaseVersionCheck'),
|
||||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\GzipMatomoJsCheck'),
|
||||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\CurlVersionCheck'),
|
||||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\OpensslVersionCheck'),
|
||||
DI\get('\Piwik\Plugins\DiagnosticsExtended\Diagnostic\PhpUserCheck'),
|
||||
]),
|
||||
|
||||
];
|
||||
|
|