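<?php
// strict_types: scalar type declarations in this file are enforced, not coerced.
declare(strict_types=1);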
/**
 * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OCA\Settings\SetupChecks ;
use OCP\IConfig ;
use OCP\IL10N ;
use OCP\IRequest ;
use OCP\IURLGenerator ;
use OCP\SetupCheck\ISetupCheck ;
use OCP\SetupCheck\SetupResult ;
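/**
 * Setup check for the reverse-proxy / forwarded-headers configuration.
 *
 * Validates the "trusted_proxies" system value and compares the raw
 * REMOTE_ADDR with the address Nextcloud resolved after applying its proxy
 * configuration, so an administrator can see whether client addresses are
 * being determined correctly behind a reverse proxy.
 */
class ForwardedForHeaders implements ISetupCheck {
	/** Largest valid CIDR prefix length for an IPv4 entry in "trusted_proxies". */
	private const MAX_IPV4_PREFIX = 32;
	/** Largest valid CIDR prefix length for an IPv6 entry in "trusted_proxies". */
	private const MAX_IPV6_PREFIX = 128;

	public function __construct(
		private IL10N $l10n,
		private IConfig $config,
		private IURLGenerator $urlGenerator,
		private IRequest $request,
	) {
	}

	/**
	 * @return string category under which this check is listed
	 */
	public function getCategory(): string {
		return 'security';
	}

	/**
	 * @return string translated, human readable name of this check
	 */
	public function getName(): string {
		return $this->l10n->t('Forwarded for headers');
	}

	/**
	 * Check whether a single "trusted_proxies" entry is well formed.
	 *
	 * Accepted forms are a bare IP address or an address followed by a CIDR
	 * prefix length ("10.0.0.0/8", "2001:db8::/32"). A missing prefix is
	 * accepted; it is substituted with "24" for the syntax check only, which
	 * is what the previous inline validation did.
	 *
	 * Beyond the original check this also rejects prefix lengths above 32
	 * (IPv4) / 128 (IPv6), which ctype_digit() alone let through, and rejects
	 * non-string entries instead of letting explode() throw a TypeError under
	 * strict_types, which would abort the whole check instead of reporting.
	 *
	 * @param mixed $proxy raw entry from the "trusted_proxies" array
	 * @return bool true when the entry can be used as a trusted proxy
	 */
	private function isValidTrustedProxyEntry(mixed $proxy): bool {
		if (!\is_string($proxy)) {
			return false;
		}
		[$address, $prefix] = array_pad(explode('/', $proxy, 2), 2, '24');
		if (filter_var($address, FILTER_VALIDATE_IP) === false) {
			return false;
		}
		// ctype_digit() rejects '', signs and anything non-numeric, so only
		// the upper bound has to be checked explicitly.
		if (!ctype_digit($prefix)) {
			return false;
		}
		$maxPrefix = filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false
			? self::MAX_IPV6_PREFIX
			: self::MAX_IPV4_PREFIX;
		return (int)$prefix <= $maxPrefix;
	}

	/**
	 * Run the check.
	 *
	 * Evaluation order:
	 *  1. "trusted_proxies" must be an array of valid IP / CIDR entries.
	 *  2. With neither a raw nor a resolved remote address, report info on
	 *     the CLI and an error otherwise (not expected in a web request).
	 *  3. An X-Forwarded-Host header arriving while no trusted proxies are
	 *     configured is reported as an error.
	 *  4. If REMOTE_ADDR is itself one of the configured proxies (other than
	 *     127.0.0.1): success when the resolved address differs from it,
	 *     warning when it is unchanged.
	 *  5. Anything else is reported as success.
	 *
	 * @return SetupResult outcome of the check with a translated message
	 */
	public function run(): SetupResult {
		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
		// REMOTE_ADDR as PHP received it, before any forwarded-header handling.
		$remoteAddress = $this->request->getHeader('REMOTE_ADDR');
		// The address Nextcloud settled on after applying the proxy configuration.
		$detectedRemoteAddress = $this->request->getRemoteAddress();

		if (!\is_array($trustedProxies)) {
			return SetupResult::error($this->l10n->t('Your "trusted_proxies" setting is not correctly set, it should be an array.'));
		}

		foreach ($trustedProxies as $proxy) {
			if (!$this->isValidTrustedProxyEntry($proxy)) {
				return SetupResult::error(
					$this->l10n->t('Your "trusted_proxies" setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation.'),
					$this->urlGenerator->linkToDocs('admin-reverse-proxy'),
				);
			}
		}

		if ($remoteAddress === '' && $detectedRemoteAddress === '') {
			if (\OC::$CLI) {
				/* We were called from CLI */
				return SetupResult::info($this->l10n->t('Your remote address could not be determined.'));
			}
			/* Should never happen */
			return SetupResult::error($this->l10n->t('Your remote address could not be determined.'));
		}

		if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') {
			return SetupResult::error(
				$this->l10n->t('The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'),
				$this->urlGenerator->linkToDocs('admin-reverse-proxy')
			);
		}

		// NOTE(review): this is an exact string comparison, so an entry written
		// in CIDR notation never matches REMOTE_ADDR here; such setups fall
		// through to the generic success below without being verified.
		if (\in_array($remoteAddress, $trustedProxies, true) && $remoteAddress !== '127.0.0.1') {
			if ($remoteAddress !== $detectedRemoteAddress) {
				/* Remote address was successfully fixed */
				return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', [$detectedRemoteAddress]));
			}
			return SetupResult::warning(
				$this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'),
				$this->urlGenerator->linkToDocs('admin-reverse-proxy')
			);
		}

		/* Either not enabled or working correctly */
		return SetupResult::success();
	}
}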