[HttpClient] adding NoPrivateNetworkHttpClient decorator

Author: hallboav

src/Symfony/Component/HttpClient/CHANGELOG.md

@@ -4,6 +4,7 @@ CHANGELOG
 5.1.0
 -----
 
+* added `NoPrivateNetworkHttpClient` decorator
 * added `LoggerAwareInterface` to `ScopingHttpClient` and `TraceableHttpClient`
 
 4.4.0

src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php

@@ -0,0 +1,128 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpClient;
+
+use Psr\Log\LoggerAwareInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpClient\Exception\InvalidArgumentException;
+use Symfony\Component\HttpClient\Exception\TransportException;
+use Symfony\Component\HttpFoundation\IpUtils;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+use Symfony\Contracts\HttpClient\ResponseInterface;
+use Symfony\Contracts\HttpClient\ResponseStreamInterface;
+
+/**
+ * Decorator that block requests to private network by default.
+ *
+ * @author Hallison Boaventura <[email protected]>
+ */
+final class NoPrivateNetworkHttpClient implements HttpClientInterface, LoggerAwareInterface
+{
+    use HttpClientTrait;
+
+    const IPV4_PRIVATE_SUBNETS = [
+        '127.0.0.0/8',
+        '10.0.0.0/8',
+        '192.168.0.0/16',
+        '172.16.0.0/12',
+        '169.254.0.0/16',
+        '0.0.0.0/8',
+        '240.0.0.0/4',
+    ];
+
+    const IPV6_PRIVATE_SUBNETS = [
+        '::1/128',
+        'fc00::/7',
+        'fe80::/10',
+        '::ffff:0:0/96',
+        '::/128',
+    ];
+
+    /**
+     * @var HttpClientInterface
+     */
+    private $client;
+
+    /**
+     * Subnets in CIDR notation that IpUtils will make use of.
+     *
+     * @var string|array|null
+     */
+    private $subnets;
+
+    /**
+     * Constructor.
+     *
+     * @param HttpClientInterface $client  A HttpClientInterface instance.
+     * @param string|array|null   $subnets String or array of subnets using CIDR notation that will be used by IpUtils.
+     *                                     If its value is null, then default private subnets will be used.
+     */
+    public function __construct(HttpClientInterface $client, $subnets = null)
+    {
+        $this->client = $client;
+
+        if (!(\is_string($subnets) || \is_array($subnets) || null === $subnets)) {
+            throw new InvalidArgumentException('$subnets argument must be string, array or null.');
+        }
+
+        $this->subnets = $subnets;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function request(string $method, string $url, array $options = []): ResponseInterface
+    {
+        $subnets = $this->subnets;
+
+        $lastPrimaryIp = '';
+        $onProgress = $options['on_progress'] ?? null;
+
+        $options['on_progress'] = function (int $dlNow, int $dlSize, array $info) use ($onProgress, $subnets, &$lastPrimaryIp): void {
+            if ($info['primary_ip'] !== $lastPrimaryIp) {
+                if (
+                    (null !== $subnets && IpUtils::checkIp($info['primary_ip'], $subnets)) ||
+                    (null === $subnets && (
+                        (0 < substr_count($info['primary_ip'], '.') && IpUtils::checkIp($info['primary_ip'], self::IPV4_PRIVATE_SUBNETS)) ||
+                        (0 < substr_count($info['primary_ip'], ':') && IpUtils::checkIp($info['primary_ip'], self::IPV6_PRIVATE_SUBNETS))
+                    ))
+                ) {
+                    throw new TransportException(sprintf('IP "%s" is blacklisted.', $info['primary_ip']));
+                }
+
+                $lastPrimaryIp = $info['primary_ip'];
+            }
+
+            \is_callable($onProgress) && $onProgress($dlNow, $dlSize, $info);
+        };
+
+        return $this->client->request($method, $url, $options);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function stream($responses, float $timeout = null): ResponseStreamInterface
+    {
+        return $this->client->stream($responses, $timeout);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setLogger(LoggerInterface $logger): void
+    {
+        if ($this->client instanceof LoggerAwareInterface) {
+            $this->client->setLogger($logger);
+        }
+    }
+}

src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php

@@ -0,0 +1,147 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpClient\Tests;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\Exception\InvalidArgumentException;
+use Symfony\Component\HttpClient\Exception\TransportException;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+use Symfony\Contracts\HttpClient\ResponseInterface;
+
+class NoPrivateNetworkHttpClientTest extends TestCase
+{
+    public function getBlacklistData(): array
+    {
+        return [
+            // private
+            ['0.0.0.1',     null,          true],
+            ['169.254.0.1', null,          true],
+            ['127.0.0.1',   null,          true],
+            ['240.0.0.1',   null,          true],
+            ['10.0.0.1',    null,          true],
+            ['172.16.0.1',  null,          true],
+            ['192.168.0.1', null,          true],
+            ['::1',         null,          true],
+            ['::ffff:0:1',  null,          true],
+            ['fe80::1',     null,          true],
+            ['fc00::1',     null,          true],
+            ['fd00::1',     null,          true],
+            ['10.0.0.1',    '10.0.0.0/24', true],
+            ['10.0.0.1',    '10.0.0.1',    true],
+            ['fc00::1',     'fc00::1/120', true],
+            ['fc00::1',     'fc00::1',     true],
+
+            ['172.16.0.1',  ['10.0.0.0/8', '192.168.0.0/16'], false],
+            ['fc00::1',     ['fe80::/10', '::ffff:0:0/96'],   false],
+
+            // public
+            ['104.26.14.6',            null,                false],
+            ['104.26.14.6',            '104.26.14.0/24',    true],
+            ['2606:4700:20::681a:e06', null,                false],
+            ['2606:4700:20::681a:e06', '2606:4700:20::/43', true],
+
+            // no ipv4/ipv6 at all
+            ['2606:4700:20::681a:e06', '::/0',      true],
+            ['104.26.14.6',            '0.0.0.0/0', true],
+
+            // weird scenarios (e.g.: when trying to match ipv4 address on ipv6 subnet)
+            ['10.0.0.1', 'fc00::/7',   false],
+            ['fc00::1',  '10.0.0.0/8', false],
+        ];
+    }
+
+    /**
+     * @dataProvider getBlacklistData
+     */
+    public function testBlacklist(string $ipAddr, $subnets, bool $mustThrow): void
+    {
+        if ($mustThrow) {
+            $this->expectException(TransportException::class);
+            $this->expectExceptionMessage(sprintf('IP "%s" is blacklisted.', $ipAddr));
+        }
+
+        $content = 'foo';
+        $url = sprintf('http://%s/', 0 < substr_count($ipAddr, ':') ? sprintf('[%s]', $ipAddr) : $ipAddr);
+
+        $previousHttpClient = $this->getHttpClientMock($url, $ipAddr, $content);
+        $client = new NoPrivateNetworkHttpClient($previousHttpClient, $subnets);
+        $response = $client->request('GET', $url);
+
+        if (!$mustThrow) {
+            $this->assertEquals($content, $response->getContent());
+            $this->assertEquals(200, $response->getStatusCode());
+        }
+    }
+
+    public function testCustomOnProgressCallback()
+    {
+        $ipAddr = '104.26.14.6';
+        $url = sprintf('http://%s/', $ipAddr);
+        $content = 'foo';
+        $executionCount = 0;
+        $customCallback = function (int $dlNow, int $dlSize, array $info) use (&$executionCount): void {
+            ++$executionCount;
+        };
+
+        $previousHttpClient = $this->getHttpClientMock($url, $ipAddr, $content);
+        $client = new NoPrivateNetworkHttpClient($previousHttpClient);
+        $response = $client->request('GET', $url, ['on_progress' => $customCallback]);
+
+        $this->assertEquals(1, $executionCount);
+        $this->assertEquals($content, $response->getContent());
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testConstructor()
+    {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('$subnets argument must be string, array or null.');
+
+        $previousHttpClient = $this->getMockBuilder(HttpClientInterface::class)
+            ->getMock();
+
+        new NoPrivateNetworkHttpClient($previousHttpClient, 3);
+    }
+
+    private function getHttpClientMock(string $url, string $ipAddr, string $content)
+    {
+        $previousHttpClient = $this
+            ->getMockBuilder(HttpClientInterface::class)
+            ->getMock();
+
+        $previousHttpClient
+            ->expects($this->once())
+            ->method('request')
+            ->with(
+                'GET',
+                $url,
+                $this->callback(function ($options) {
+                    $this->assertArrayHasKey('on_progress', $options);
+                    $onProgress = $options['on_progress'];
+                    $this->assertIsCallable($onProgress);
+
+                    return true;
+                })
+            )
+            ->willReturnCallback(function ($method, $url, $options) use ($ipAddr, $content): ResponseInterface {
+                $onProgress = $options['on_progress'];
+                $info = ['primary_ip' => $ipAddr];
+                $onProgress(0, 0, $info);
+
+                return MockResponse::fromRequest($method, $url, [], new MockResponse($content));
+            });
+
+        return $previousHttpClient;
+    }
+}