myClass.php
    public function clearCache() {
        // validate input and determine the appropriate cache folder;
        ...
        helper::removeFolder($folder);
    }

helper.php
    static function removeFolder($folder) {
        ...
    }

The first method does all the input validation to ensure we're not removing the wrong folder.

I would like to protect the second method from php object injection and unauthorised use.

Right now I'm checking the calling class names using this: How to get the name of the calling class (in PHP)

I am especially concerned with attackers exploiting such method to wipe sensitive data or the whole website. Is this overkill or is there a better approach?

Any ideas? Of course I am only concerned with remote attacks; if the attacker could place a file on my server and execute it, then they could wipe the disk themselves.

I am using Joomla; if the framework provides such features, please mention it.

Riccardo Zorn
  • How would someone inject an object into PHP, are you eval()ing/unserializing user input or extracting variables or something? All bad ideas at any rate – simontemplar Feb 10 '15 at 10:40
  • To build on what @simontemplar said, if someone can run a function from your code remotely you have ***much bigger problems***. – Dan Smith Feb 10 '15 at 10:41
  • This is an extension for Joomla. It is not my code I'm concerned about (as I've taken every possible step to ensure it's secured), but there are thousands of extensions out there and I often see unvalidated inputs. This leads to serious vulnerabilities and I don't want to be the one offering an attacker the chance to do more damage. – Riccardo Zorn Feb 10 '15 at 11:12
  • `removeFolder` probably includes a call to `unlink` or something like that. Now, if someone is clever enough to send untrusted input to `removeFolder`, they can also do the same with `unlink` directly - you can't prevent that nor should you care. The real way to protect the filesystem is to use proper permissions, so that the web process has no access to data it's not supposed to modify. – georg Feb 10 '15 at 11:46
  • The issue isn't whether you're paranoid, but whether you're paranoid enough. Should I deduce I am paranoid enough? – Riccardo Zorn Feb 10 '15 at 13:52
  • `and unauthorised use`, so only specific usergroups are able to remove folders? If so, for starters, you can add an `if` statement checking the user is assigned to a specific group – Lodder Feb 10 '15 at 17:25

2 Answers

First thing is I don't think that "checking the calling class names" is a good feature for a helper. A helper should be a generic reusable piece of code; adding that restriction seems to go against the concept.

On the other hand, what you are trying to do is prevent misuse of "removeFolder" from any other method, and that is, basically, impossible (the same situation happens with built-in functions like eval and exec). Where you should be taking care of the validation is in the methods that are using the function: you should make sure all the methods that use that function are properly secured instead of trying to lock "removeFolder" inside a darkroom.

EDIT: Maybe a more paranoid measure could be to make the method "foolproof" and limit it to removing non-critical files/folders.

Jhuliano Moreno

If you want to prevent others from easily accessing a sensitive class function, first option is to just make the method private so it can only be called internal to your class, where you can control how it is called. That's more helpful for your own benefit in controlling how the function is used than as a security measure; if someone can run their own PHP script which calls your class, the site is already compromised.

If you have a removeFolder() call that is being used to clear Joomla cache, first suggestion is that Joomla has internal cache management functions, see JFactory::getCache("component") and $cache->clean(), which are better suited to managing a Joomla cached object. If you manage your own storage, you could sanitize the function so it will only work relative to the root of your cache if you want to make it safer - probably the biggest beneficiary would be protection from your own incorrect use of the call.

Charlie
  • Great answer; what my component does is go behind Joomla's back and clear the cache with a rm -rf, which is the only way I can really clear the cache of a high-traffic website (Joomla JCache parses file by file recursively... ). So if the cache is being cleared while a new hit generates, temporary compressed resources such as javascripts and css may be deleted after a page that uses them is recreated; this will effectively break the site. (This is not paranoia, it actually happened on several high-traffic sites.) Going this far to protect the removeFolder() function is definitely paranoia. – Riccardo Zorn Feb 11 '15 at 20:39
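One way to do what Charlie's answer suggests, confining the helper so it can only delete folders strictly below a fixed cache root, as an added example that is not code from the question, the answers or Joomla (the class name `CacheCleaner` and the paths are assumptions):

```php
<?php
// Added example: a removal helper that refuses anything outside its cache root.
// realpath() resolves "..", "." and symlinks, so traversal and a symlink that
// points outside the root are both rejected before anything is deleted.
class CacheCleaner
{
    private string $root;

    public function __construct(string $cacheRoot)
    {
        $real = realpath($cacheRoot);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('cache root does not exist');
        }
        $this->root = $real;
    }

    // Returns the resolved absolute path if $relative stays strictly below
    // the root; the root itself and anything outside it throw.
    public function resolve(string $relative): string
    {
        if ($relative === '' || strpos($relative, "\0") !== false) {
            throw new InvalidArgumentException('invalid path');
        }
        $real = realpath($this->root . DIRECTORY_SEPARATOR . $relative);
        if ($real === false) {
            throw new InvalidArgumentException('path does not exist');
        }
        $prefix = $this->root . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            throw new InvalidArgumentException('path escapes cache root');
        }
        return $real;
    }

    // Removes one cache subfolder. Symlinks inside it are unlinked, never
    // followed, so a planted link cannot drag the deletion into another tree.
    public function removeSubfolder(string $relative): void
    {
        $target = $this->resolve($relative);
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::CHILD_FIRST
        );
        foreach ($it as $entry) {
            if ($entry->isDir() && !$entry->isLink()) {
                rmdir($entry->getPathname());
            } else {
                unlink($entry->getPathname());
            }
        }
        rmdir($target);
    }
}
```

With `(new CacheCleaner('/var/www/cache'))->removeSubfolder('com_example')` (assumed paths) only that subfolder is removed, while `'../configuration.php'`, `'.'` or a symlink pointing outside the root throws before any file is touched.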