Code Coverage for lib/Controller.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	95.82% covered (success)	95.82%	229 / 239	76.92% covered (warning)	76.92%	10 / 13	CRAP	0.00% covered (danger)	0.00%	0 / 1
Controller	95.82% covered (success)	95.82%	229 / 239	76.92% covered (warning)	76.92%	10 / 13	56	0.00% covered (danger)	0.00%	0 / 1
__construct	90.00% covered (success)	90.00%	36 / 40	0.00% covered (danger)	0.00%	0 / 1	11.12
_init	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	1
_setDefaultLanguage	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	3
_setDefaultTemplate	60.00% covered (warning)	60.00%	6 / 10	0.00% covered (danger)	0.00%	0 / 1	5.02
_setCacheHeaders	100.00% covered (success)	100.00%	6 / 6	100.00% covered (success)	100.00%	1 / 1	1
_create	100.00% covered (success)	100.00%	41 / 41	100.00% covered (success)	100.00%	1 / 1	11
_delete	100.00% covered (success)	100.00%	15 / 15	100.00% covered (success)	100.00%	1 / 1	6
_read	100.00% covered (success)	100.00%	11 / 11	100.00% covered (success)	100.00%	1 / 1	5
_view	96.97% covered (success)	96.97%	64 / 66	0.00% covered (danger)	0.00%	0 / 1	6
_jsonld	100.00% covered (success)	100.00%	26 / 26	100.00% covered (success)	100.00%	1 / 1	4
_json_error	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	1
_json_result	100.00% covered (success)	100.00%	6 / 6	100.00% covered (success)	100.00%	1 / 1	1
_shortenerproxy	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	2

1	<?php declare(strict_types=1);
2	/**
3	* PrivateBin
4	*
5	* a zero-knowledge paste bin
6	*
7	* @link https://github.com/PrivateBin/PrivateBin
8	* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
9	* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
10	*/
11
12	namespace PrivateBin;
13
14	use Exception;
15	use PrivateBin\Exception\JsonException;
16	use PrivateBin\Exception\TranslatedException;
17	use PrivateBin\Persistence\ServerSalt;
18	use PrivateBin\Persistence\TrafficLimiter;
19	use PrivateBin\Proxy\AbstractProxy;
20	use PrivateBin\Proxy\ShlinkProxy;
21	use PrivateBin\Proxy\YourlsProxy;
22
23	/**
24	* Controller
25	*
26	* Puts it all together.
27	*/
28	class Controller
29	{
30	/**
31	* version
32	*
33	* @const string
34	*/
35	const VERSION = '2.0.4';
36
37	/**
38	* minimal required PHP version
39	*
40	* @const string
41	*/
42	const MIN_PHP_VERSION = '7.4.0';
43
44	/**
45	* show the same error message if the document expired or does not exist
46	*
47	* @const string
48	*/
49	const GENERIC_ERROR = 'Document does not exist, has expired or has been deleted.';
50
51	/**
52	* configuration
53	*
54	* @access private
55	* @var Configuration
56	*/
57	private $_conf;
58
59	/**
60	* error message
61	*
62	* @access private
63	* @var string
64	*/
65	private $_error = '';
66
67	/**
68	* status message
69	*
70	* @access private
71	* @var string
72	*/
73	private $_status = '';
74
75	/**
76	* status message
77	*
78	* @access private
79	* @var bool
80	*/
81	private $_is_deleted = false;
82
83	/**
84	* JSON message
85	*
86	* @access private
87	* @var string
88	*/
89	private $_json = '';
90
91	/**
92	* Factory of instance models
93	*
94	* @access private
95	* @var model
96	*/
97	private $_model;
98
99	/**
100	* request
101	*
102	* @access private
103	* @var request
104	*/
105	private $_request;
106
107	/**
108	* URL base
109	*
110	* @access private
111	* @var string
112	*/
113	private $_urlBase;
114
115	/**
116	* constructor
117	*
118	* initializes and runs PrivateBin
119	*
120	* @param ?Configuration $config
121	*
122	* @access public
123	* @throws Exception
124	*/
125	public function __construct(?Configuration $config = null)
126	{
127	if (version_compare(PHP_VERSION, self::MIN_PHP_VERSION) < 0) {
128	error_log(I18n::_('%s requires php %s or above to work. Sorry.', I18n::_('PrivateBin'), self::MIN_PHP_VERSION));
129	return;
130	}
131	if (strlen(PATH) < 0 && substr(PATH, -1) !== DIRECTORY_SEPARATOR) {
132	error_log(I18n::_('%s requires the PATH to end in a "%s". Please update the PATH in your index.php.', I18n::_('PrivateBin'), DIRECTORY_SEPARATOR));
133	return;
134	}
135
136	// load config (using ini file by default) & initialize required classes
137	$this->_conf = $config ?? new Configuration();
138	$this->_init();
139
140	switch ($this->_request->getOperation()) {
141	case 'create':
142	$this->_create();
143	break;
144	case 'delete':
145	$this->_delete(
146	$this->_request->getParam('pasteid'),
147	$this->_request->getParam('deletetoken')
148	);
149	break;
150	case 'read':
151	$this->_read($this->_request->getParam('pasteid'));
152	break;
153	case 'jsonld':
154	$this->_jsonld($this->_request->getParam('jsonld'));
155	return;
156	case 'yourlsproxy':
157	$this->_shortenerproxy(new YourlsProxy($this->_conf, $this->_request->getParam('link')));
158	break;
159	case 'shlinkproxy':
160	$this->_shortenerproxy(new ShlinkProxy($this->_conf, $this->_request->getParam('link')));
161	break;
162	}
163
164	$this->_setCacheHeaders();
165
166	// output JSON or HTML
167	if ($this->_request->isJsonApiCall()) {
168	header('Content-type: ' . Request::MIME_JSON);
169	header('Access-Control-Allow-Origin: *');
170	header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
171	header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
172	header('X-Uncompressed-Content-Length: ' . strlen($this->_json));
173	header('Access-Control-Expose-Headers: X-Uncompressed-Content-Length');
174	echo $this->_json;
175	} else {
176	$this->_view();
177	}
178	}
179
180	/**
181	* initialize PrivateBin
182	*
183	* @access private
184	* @throws Exception
185	*/
186	private function _init()
187	{
188	$this->_model = new Model($this->_conf);
189	$this->_request = new Request;
190	$this->_urlBase = $this->_request->getRequestUri();
191
192	$this->_setDefaultLanguage();
193	$this->_setDefaultTemplate();
194	}
195
196	/**
197	* Set default language
198	*
199	* @access private
200	* @throws Exception
201	*/
202	private function _setDefaultLanguage()
203	{
204	$lang = $this->_conf->getKey('languagedefault');
205	I18n::setLanguageFallback($lang);
206	// force default language, if language selection is disabled and a default is set
207	if (!$this->_conf->getKey('languageselection') && strlen($lang) === 2) {
208	$_COOKIE['lang'] = $lang;
209	setcookie('lang', $lang, array('SameSite' => 'Lax', 'Secure' => true));
210	}
211	}
212
213	/**
214	* Set default template
215	*
216	* @access private
217	* @throws Exception
218	*/
219	private function _setDefaultTemplate()
220	{
221	$templates = $this->_conf->getKey('availabletemplates');
222	$template = $this->_conf->getKey('template');
223	if (!in_array($template, $templates, true)) {
224	$templates[] = $template;
225	}
226	TemplateSwitcher::setAvailableTemplates($templates);
227	TemplateSwitcher::setTemplateFallback($template);
228
229	// force default template, if template selection is disabled
230	if (!$this->_conf->getKey('templateselection') && array_key_exists('template', $_COOKIE)) {
231	unset($_COOKIE['template']); // ensure value is not re-used in template switcher
232	$expiredInAllTimezones = time() - 86400;
233	setcookie('template', '', array('expires' => $expiredInAllTimezones, 'SameSite' => 'Lax', 'Secure' => true));
234	}
235	}
236
237	/**
238	* Turn off browser caching
239	*
240	* @access private
241	*/
242	private function _setCacheHeaders()
243	{
244	// set headers to disable caching
245	$time = gmdate('D, d M Y H:i:s \G\M\T');
246	header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
247	header('Pragma: no-cache');
248	header('Expires: ' . $time);
249	header('Last-Modified: ' . $time);
250	header('Vary: Accept');
251	}
252
253	/**
254	* Store new paste or comment
255	*
256	* POST contains:
257	* JSON encoded object with mandatory keys:
258	* v = 2 (version)
259	* adata (array)
260	* ct (base64 encoded, encrypted text)
261	* meta (optional):
262	* expire = expiration delay (never,5min,10min,1hour,1day,1week,1month,1year,burn) (default:1week)
263	* parentid (optional) = in discussions, which comment this comment replies to.
264	* pasteid (optional) = in discussions, which paste this comment belongs to.
265	*
266	* @access private
267	* @throws Exception
268	* @return string
269	*/
270	private function _create()
271	{
272	// Ensure last paste from visitors IP address was more than configured amount of seconds ago.
273	ServerSalt::setStore($this->_model->getStore());
274	TrafficLimiter::setConfiguration($this->_conf);
275	TrafficLimiter::setStore($this->_model->getStore());
276	try {
277	TrafficLimiter::canPass();
278	} catch (TranslatedException $e) {
279	$this->_json_error($e->getMessage());
280	return;
281	}
282
283	$data = $this->_request->getData();
284	$isComment = array_key_exists('pasteid', $data) &&
285	!empty($data['pasteid']) &&
286	array_key_exists('parentid', $data) &&
287	!empty($data['parentid']);
288	if (!FormatV2::isValid($data, $isComment)) {
289	$this->_json_error(I18n::_('Invalid data.'));
290	return;
291	}
292	$sizelimit = $this->_conf->getKey('sizelimit');
293	// Ensure content is not too big.
294	if (strlen($data['ct']) > $sizelimit) {
295	$this->_json_error(
296	I18n::_(
297	'Document is limited to %s of encrypted data.',
298	Filter::formatHumanReadableSize($sizelimit)
299	)
300	);
301	return;
302	}
303
304	// The user posts a comment.
305	if ($isComment) {
306	$paste = $this->_model->getPaste($data['pasteid']);
307	if ($paste->exists()) {
308	try {
309	$comment = $paste->getComment($data['parentid']);
310	$comment->setData($data);
311	$comment->store();
312	$this->_json_result($comment->getId());
313	} catch (Exception $e) {
314	$this->_json_error($e->getMessage());
315	}
316	} else {
317	$this->_json_error(I18n::_('Invalid data.'));
318	}
319	}
320	// The user posts a standard paste.
321	else {
322	try {
323	$this->_model->purge();
324	$paste = $this->_model->getPaste();
325	$paste->setData($data);
326	$paste->store();
327	$this->_json_result($paste->getId(), array('deletetoken' => $paste->getDeleteToken()));
328	} catch (Exception $e) {
329	$this->_json_error($e->getMessage());
330	}
331	}
332	}
333
334	/**
335	* Delete an existing document
336	*
337	* @access private
338	* @param string $dataid
339	* @param string $deletetoken
340	*/
341	private function _delete($dataid, $deletetoken)
342	{
343	try {
344	$paste = $this->_model->getPaste($dataid);
345	if ($paste->exists()) {
346	// accessing this method ensures that the document would be
347	// deleted if it has already expired
348	$paste->get();
349	if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
350	// Document exists and deletion token is valid: Delete the it.
351	$paste->delete();
352	$this->_status = 'Document was properly deleted.';
353	$this->_is_deleted = true;
354	} else {
355	$this->_error = 'Wrong deletion token. Document was not deleted.';
356	}
357	} else {
358	$this->_error = self::GENERIC_ERROR;
359	}
360	} catch (TranslatedException $e) {
361	$this->_error = $e->getMessage();
362	}
363	if ($this->_request->isJsonApiCall()) {
364	if (empty($this->_error)) {
365	$this->_json_result($dataid);
366	} else {
367	$this->_json_error(I18n::_($this->_error));
368	}
369	}
370	}
371
372	/**
373	* Read an existing document, only allowed via a JSON API call
374	*
375	* @access private
376	* @param string $dataid
377	*/
378	private function _read($dataid)
379	{
380	if (!$this->_request->isJsonApiCall()) {
381	return;
382	}
383
384	try {
385	$paste = $this->_model->getPaste($dataid);
386	if ($paste->exists()) {
387	$data = $paste->get();
388	if (array_key_exists('salt', $data['meta'])) {
389	unset($data['meta']['salt']);
390	}
391	$this->_json_result($dataid, (array) $data);
392	} else {
393	$this->_json_error(I18n::_(self::GENERIC_ERROR));
394	}
395	} catch (TranslatedException $e) {
396	$this->_json_error($e->getMessage());
397	}
398	}
399
400	/**
401	* Display frontend.
402	*
403	* @access private
404	* @throws Exception
405	*/
406	private function _view()
407	{
408	header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
409	header('Cross-Origin-Resource-Policy: same-origin');
410	header('Cross-Origin-Embedder-Policy: require-corp');
411	// disabled, because it prevents links from a document to the same site to
412	// be opened. Didn't work with `same-origin-allow-popups` either.
413	// See issue https://github.com/PrivateBin/PrivateBin/issues/970 for details.
414	// header('Cross-Origin-Opener-Policy: same-origin');
415	header('Permissions-Policy: browsing-topics=()');
416	header('Referrer-Policy: no-referrer');
417	header('X-Content-Type-Options: nosniff');
418	header('X-Frame-Options: deny');
419
420	// label all the expiration options
421	$expire = array();
422	foreach ($this->_conf->getSection('expire_options') as $time => $seconds) {
423	$expire[$time] = ($seconds === 0) ? I18n::_(ucfirst($time)) : Filter::formatHumanReadableTime($time);
424	}
425
426	// translate all the formatter options
427	$formatters = array_map('PrivateBin\\I18n::_', $this->_conf->getSection('formatter_options'));
428
429	// set language cookie if that functionality was enabled
430	$languageselection = '';
431	if ($this->_conf->getKey('languageselection')) {
432	$languageselection = I18n::getLanguage();
433	setcookie('lang', $languageselection, array('SameSite' => 'Lax', 'Secure' => true));
434	}
435
436	// set template cookie if that functionality was enabled
437	$templateselection = '';
438	if ($this->_conf->getKey('templateselection')) {
439	$templateselection = TemplateSwitcher::getTemplate();
440	setcookie('template', $templateselection, array('SameSite' => 'Lax', 'Secure' => true));
441	}
442
443	// strip policies that are unsupported in meta tag
444	$metacspheader = str_replace(
445	array(
446	'frame-ancestors \'none\'; ',
447	'; sandbox allow-same-origin allow-scripts allow-forms allow-modals allow-downloads',
448	),
449	'',
450	$this->_conf->getKey('cspheader')
451	);
452
453	$page = new View;
454	$page->assign('CSPHEADER', $metacspheader);
455	$page->assign('ERROR', I18n::_($this->_error));
456	$page->assign('NAME', $this->_conf->getKey('name'));
457	if (in_array($this->_request->getOperation(), array('shlinkproxy', 'yourlsproxy'), true)) {
458	$page->assign('SHORTURL', $this->_status);
459	$page->draw('shortenerproxy');
460	return;
461	}
462	$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
463	$page->assign('STATUS', I18n::_($this->_status));
464	$page->assign('ISDELETED', $this->_is_deleted);
465	$page->assign('VERSION', self::VERSION);
466	$page->assign('DISCUSSION', $this->_conf->getKey('discussion'));
467	$page->assign('OPENDISCUSSION', $this->_conf->getKey('opendiscussion'));
468	$page->assign('MARKDOWN', array_key_exists('markdown', $formatters));
469	$page->assign('SYNTAXHIGHLIGHTING', array_key_exists('syntaxhighlighting', $formatters));
470	$page->assign('SYNTAXHIGHLIGHTINGTHEME', $this->_conf->getKey('syntaxhighlightingtheme'));
471	$page->assign('FORMATTER', $formatters);
472	$page->assign('FORMATTERDEFAULT', $this->_conf->getKey('defaultformatter'));
473	$page->assign('INFO', I18n::_(str_replace("'", '"', $this->_conf->getKey('info'))));
474	$page->assign('NOTICE', I18n::_($this->_conf->getKey('notice')));
475	$page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
476	$page->assign('PASSWORD', $this->_conf->getKey('password'));
477	$page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
478	$page->assign('LANGUAGESELECTION', $languageselection);
479	$page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages()));
480	$page->assign('TEMPLATESELECTION', $templateselection);
481	$page->assign('TEMPLATES', TemplateSwitcher::getAvailableTemplates());
482	$page->assign('EXPIRE', $expire);
483	$page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
484	$page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
485	$page->assign('SHORTENBYDEFAULT', $this->_conf->getKey('shortenbydefault'));
486	$page->assign('QRCODE', $this->_conf->getKey('qrcode'));
487	$page->assign('EMAIL', $this->_conf->getKey('email'));
488	$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
489	$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
490	$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
491	$page->assign('SRI', $this->_conf->getSection('sri'));
492	$page->draw(TemplateSwitcher::getTemplate());
493	}
494
495	/**
496	* outputs requested JSON-LD context
497	*
498	* @access private
499	* @param string $type
500	*/
501	private function _jsonld($type)
502	{
503	if (!in_array($type, array(
504	'comment',
505	'commentmeta',
506	'paste',
507	'pastemeta',
508	'types',
509	))) {
510	$type = '';
511	}
512	$content = '{}';
513	$file = PUBLIC_PATH . DIRECTORY_SEPARATOR . 'js' . DIRECTORY_SEPARATOR . $type . '.jsonld';
514	if (is_readable($file)) {
515	$content = str_replace(
516	'?jsonld=',
517	$this->_urlBase . '?jsonld=',
518	file_get_contents($file)
519	);
520	}
521	if ($type === 'types') {
522	$content = str_replace(
523	implode('", "', array_keys($this->_conf->getDefaults()['expire_options'])),
524	implode('", "', array_keys($this->_conf->getSection('expire_options'))),
525	$content
526	);
527	}
528
529	header('Content-type: application/ld+json');
530	header('Access-Control-Allow-Origin: *');
531	header('Access-Control-Allow-Methods: GET');
532	echo $content;
533	}
534
535	/**
536	* prepares JSON encoded error message
537	*
538	* @access private
539	* @param string $error
540	* @throws JsonException
541	*/
542	private function _json_error($error)
543	{
544	$result = array(
545	'status' => 1,
546	'message' => $error,
547	);
548	$this->_json = Json::encode($result);
549	}
550
551	/**
552	* prepares JSON encoded result message
553	*
554	* @access private
555	* @param string $dataid
556	* @param array $other
557	* @throws JsonException
558	*/
559	private function _json_result($dataid, $other = array())
560	{
561	$result = array(
562	'status' => 0,
563	'id' => $dataid,
564	'url' => $this->_urlBase . '?' . $dataid,
565	) + $other;
566	$this->_json = Json::encode($result);
567	}
568
569	/**
570	* Proxies a link using the specified proxy class, and updates the status or error with the response.
571	*
572	* @access private
573	* @param AbstractProxy $proxy The instance of the proxy class.
574	*/
575	private function _shortenerproxy(AbstractProxy $proxy)
576	{
577	if ($proxy->isError()) {
578	$this->_error = $proxy->getError();
579	} else {
580	$this->_status = $proxy->getUrl();
581	}
582	}
583	}