Added test for .env visibility for setup page

2024-05-31 17:33:57 +01:00
parent 45cfec5b29
commit c63c17d49f
2 changed files with 118 additions and 28 deletions
@@ -14,6 +14,7 @@ use App\Models\Asset;
 use App\Models\User;
 use App\Notifications\FirstAdminNotification;
 use App\Notifications\MailTest;
+use Illuminate\Http\Client\HttpClientException;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Storage;
@@ -24,7 +25,9 @@ use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\URL;
 use Illuminate\Support\Facades\Validator;

 /**
@@ -89,20 +92,7 @@ class SettingsController extends Controller
        $start_settings['php_version_min'] = true;

        // Curl the .env file to make sure it's not accessible via a browser
-        $ch = curl_init($protocol.$host.'/.env');
-        curl_setopt($ch, CURLOPT_HEADER, true);    // we want headers
-        curl_setopt($ch, CURLOPT_NOBODY, true);    // we don't need body
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
-        $output = curl_exec($ch);
-        $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-        curl_close($ch);
-
-        if (404 == $httpcode || 403 == $httpcode || 0 == $httpcode) {
-            $start_settings['env_exposed'] = false;
-        } else {
-            $start_settings['env_exposed'] = true;
-        }
+        $start_settings['env_exposed'] = $this->dotEnvFileIsExposed();

        if (App::Environment('production') && (true == config('app.debug'))) {
            $start_settings['debug_exposed'] = true;
@@ -155,6 +145,25 @@ class SettingsController extends Controller
            ->with('section', 'Pre-Flight Check');
    }

+    /**
+     * Determine if the .env file accessible via a browser.
+     *
+     * @return bool This method will return true when exceptions (such as curl exception) is thrown.
+     * Check the log files to see more details about the exception.
+     */
+    protected function dotEnvFileIsExposed()
+    {
+        try {
+            return Http::timeout(10)
+                ->accept('*/*')
+                ->get(URL::to('.env'))
+                ->successful();
+        } catch (HttpClientException $e) {
+            Log::debug($e->getMessage());
+            return true;
+        }
+    }
+
    /**
     * Save the first admin user from Setup.
     *
@@ -458,7 +467,6 @@ class SettingsController extends Controller
                Storage::disk('public')->delete($setting->favicon);
                $setting->favicon = null;
            }
-
        }

        if ($setting->save()) {
@@ -966,8 +974,6 @@ class SettingsController extends Controller
            $setting->ldap_dept = $request->input('ldap_dept');
            $setting->ldap_client_tls_cert   = $request->input('ldap_client_tls_cert');
            $setting->ldap_client_tls_key    = $request->input('ldap_client_tls_key');
-
-
        }

        if ($setting->save()) {
@@ -1114,8 +1120,6 @@ class SettingsController extends Controller

                    ];
                }
-
-
            }
        }

@@ -1209,7 +1213,6 @@ class SettingsController extends Controller
                    } catch (\Exception $e) {
                        Log::debug($e);
                    }
-
                } else {
                    return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
                }
@@ -1256,15 +1259,10 @@ class SettingsController extends Controller
                }

                return redirect()->route('settings.backups.index')->withErrors($validator);
-
            }
-
        } else {
            return redirect()->route('settings.backups.index')->with('error', trans('general.feature_disabled'));
        }
-
-
-
    }

    /**
@@ -1330,7 +1328,6 @@ class SettingsController extends Controller
                Auth::logout();

                return redirect()->route('login')->with('success', 'Your system has been restored. Please login again.');
-
            } else {
                return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
            }
@@ -1358,7 +1355,6 @@ class SettingsController extends Controller
        }

        return redirect()->route('settings.index')->with('error', trans('general.purge_not_allowed'));
-
    }

    /**
@@ -1389,7 +1385,6 @@ class SettingsController extends Controller

                    return redirect()->route('settings.index')
                        ->with('output', $output)->with('success', trans('admin/settings/message.purge.success'));
-
                } else {
                    return redirect()->route('settings.purge.index')
                        ->with('error', trans('admin/settings/message.purge.validation_failed'));