PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / trunk
Matomo Analytics – Powerful, Privacy-First Insights for WordPress vtrunk
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / app / core / FileIntegrity.php
matomo / app / core Last commit date
API 1 month ago Access 3 months ago Application 1 month ago Archive 1 month ago ArchiveProcessor 1 month ago Archiver 2 years ago AssetManager 1 month ago Auth 6 months ago Category 6 months ago Changes 1 month ago CliMulti 1 year ago Columns 1 month ago Concurrency 1 month ago Config 1 month ago Container 1 month ago CronArchive 3 months ago DataAccess 1 month ago DataFiles 2 years ago DataTable 2 weeks ago Db 2 weeks ago DeviceDetector 1 year ago Email 2 years ago Exception 4 months ago Http 4 months ago Intl 3 months ago Log 2 years ago Mail 1 year ago Measurable 6 months ago Menu 1 month ago Metrics 3 months ago Notification 6 months ago Period 1 month ago Plugin 2 weeks ago Policy 1 month ago ProfessionalServices 1 year ago Report 1 year ago ReportRenderer 3 months ago Request 3 months ago Scheduler 1 month ago Segment 1 month ago Session 2 weeks ago Settings 1 month ago Tracker 2 weeks ago Translation 1 month ago Twig 1 year ago UpdateCheck 3 months ago Updater 1 month ago Updates 4 days ago Validators 1 year ago View 1 month ago ViewDataTable 2 weeks ago Visualization 1 year ago Widget 1 month ago .htaccess 2 years ago Access.php 1 month ago Archive.php 1 month ago ArchiveProcessor.php 1 month ago AssetManager.php 1 month ago Auth.php 6 months ago AuthResult.php 6 months ago BaseFactory.php 2 years ago Cache.php 2 years ago CacheId.php 4 months ago CliMulti.php 1 month ago Common.php 2 weeks ago Config.php 1 month ago Console.php 3 months ago Context.php 2 years ago Cookie.php 1 year ago CronArchive.php 1 month ago DI.php 3 months ago DataArray.php 1 month ago DataTable.php 1 month ago Date.php 1 month ago Db.php 1 month ago DbHelper.php 1 month ago Development.php 1 year ago ErrorHandler.php 6 months ago EventDispatcher.php 1 month ago ExceptionHandler.php 4 months ago FileIntegrity.php 1 month ago Filechecks.php 1 year ago Filesystem.php 1 month ago FrontController.php 4 months ago Http.php 1 month ago IP.php 1 year ago Log.php 3 months ago LogDeleter.php 1 year ago Mail.php 1 year ago Metrics.php 1 month ago NoAccessException.php 2 years ago Nonce.php 6 months ago Notification.php 1 month ago NumberFormatter.php 5 months ago Option.php 5 months ago Period.php 1 month ago Piwik.php 1 month ago Plugin.php 1 month ago Process.php 1 month ago Profiler.php 6 months ago ProxyHeaders.php 4 months ago ProxyHttp.php 5 months ago QuickForm2.php 3 months ago RankingQuery.php 1 month ago ReportRenderer.php 1 month ago Request.php 1 month ago Segment.php 1 month ago Sequence.php 6 months ago Session.php 2 weeks ago SettingsPiwik.php 1 month ago SettingsServer.php 1 year ago Singleton.php 2 years ago Site.php 1 month ago SiteContentDetector.php 1 month ago SupportedBrowser.php 2 years ago TCPDF.php 1 year ago Theme.php 1 year ago Timer.php 1 month ago Tracker.php 1 month ago Twig.php 1 month ago Unzip.php 1 year ago UpdateCheck.php 1 month ago Updater.php 1 month ago UpdaterErrorException.php 2 years ago Updates.php 3 months ago Url.php 3 months ago UrlHelper.php 1 month ago Version.php 4 days ago View.php 1 month ago bootstrap.php 1 year ago dispatch.php 2 years ago testMinimumPhpVersion.php 6 months ago
FileIntegrity.php
377 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik;
10
11 use Piwik\Container\StaticContainer;
12 use Piwik\Plugins\CustomJsTracker\Exception\AccessDeniedException;
13 use Piwik\Plugins\CustomJsTracker\TrackerUpdater;
14 class FileIntegrity
15 {
16 /**
17 * Get file integrity information
18 *
19 * @return array(bool $success, array $messages)
20 */
21 public static function getFileIntegrityInformation()
22 {
23 $messages = array();
24 self::loadManifest();
25 if (!class_exists('Piwik\\Manifest')) {
26 $messages[] = \Piwik\Piwik::translate('General_WarningFileIntegrityNoManifest') . '<br/>' . \Piwik\Piwik::translate('General_WarningFileIntegrityNoManifestDeployingFromGit');
27 return array($success = \false, $messages);
28 }
29 $messages = self::getMessagesDirectoriesFoundButNotExpected($messages);
30 $messages = self::getMessagesFilesFoundButNotExpected($messages);
31 $messages = self::getMessagesFilesMismatch($messages);
32 return array($success = empty($messages), $messages);
33 }
34 /**
35 * Return just a list of the unexpected files
36 *
37 * @return array
38 */
39 public static function getUnexpectedFilesList() : array
40 {
41 self::loadManifest();
42 $files = self::getFilesFoundButNotExpected();
43 return $files;
44 }
45 /**
46 * Include the manifest
47 */
48 private static function loadManifest() : void
49 {
50 $manifest = PIWIK_INCLUDE_PATH . '/config/manifest.inc.php';
51 if (file_exists($manifest)) {
52 require_once $manifest;
53 }
54 }
55 protected static function getFilesNotInManifestButExpectedAnyway()
56 {
57 return StaticContainer::get('fileintegrity.ignore');
58 }
59 protected static function getMessagesDirectoriesFoundButNotExpected($messages)
60 {
61 $directoriesFoundButNotExpected = self::getDirectoriesFoundButNotExpected();
62 if (count($directoriesFoundButNotExpected) > 0) {
63 $messageDirectoriesToDelete = '';
64 foreach ($directoriesFoundButNotExpected as $directoryFoundNotExpected) {
65 $messageDirectoriesToDelete .= \Piwik\Piwik::translate('General_ExceptionDirectoryToDelete', htmlspecialchars($directoryFoundNotExpected)) . '<br/>';
66 }
67 $directories = array();
68 foreach ($directoriesFoundButNotExpected as $directoryFoundNotExpected) {
69 $directories[] = htmlspecialchars(realpath(dirname($directoryFoundNotExpected)) . \DIRECTORY_SEPARATOR . basename($directoryFoundNotExpected));
70 }
71 $deleteAllAtOnce = array();
72 $chunks = array_chunk($directories, 50);
73 $command = 'rm -Rf';
74 if (\Piwik\SettingsServer::isWindows()) {
75 $command = 'rmdir /s /q';
76 }
77 foreach ($chunks as $directories) {
78 $deleteAllAtOnce[] = sprintf('%s %s', $command, implode(' ', $directories));
79 }
80 $messages[] = \Piwik\Piwik::translate('General_ExceptionUnexpectedDirectory') . '<br/>' . '--> ' . \Piwik\Piwik::translate('General_ExceptionUnexpectedDirectoryPleaseDelete') . ' <--' . '<br/><br/>' . $messageDirectoriesToDelete . '<br/><br/>' . \Piwik\Piwik::translate('General_ToDeleteAllDirectoriesRunThisCommand') . '<br/>' . implode('<br />', $deleteAllAtOnce) . '<br/><br/>';
81 }
82 return $messages;
83 }
84 /**
85 * @param $messages
86 * @return array
87 */
88 protected static function getMessagesFilesFoundButNotExpected($messages)
89 {
90 $filesFoundButNotExpected = self::getFilesFoundButNotExpected();
91 if (count($filesFoundButNotExpected) > 0) {
92 $messageFilesToDelete = '';
93 foreach ($filesFoundButNotExpected as $fileFoundNotExpected) {
94 $messageFilesToDelete .= \Piwik\Piwik::translate('General_ExceptionFileToDelete', htmlspecialchars($fileFoundNotExpected)) . '<br/>';
95 }
96 $files = array();
97 foreach ($filesFoundButNotExpected as $fileFoundNotExpected) {
98 $files[] = '"' . htmlspecialchars(realpath(dirname($fileFoundNotExpected)) . \DIRECTORY_SEPARATOR . basename($fileFoundNotExpected)) . '"';
99 }
100 $deleteAllAtOnce = array();
101 $chunks = array_chunk($files, 50);
102 $command = 'rm';
103 if (\Piwik\SettingsServer::isWindows()) {
104 $command = 'del';
105 }
106 foreach ($chunks as $files) {
107 $deleteAllAtOnce[] = sprintf('%s %s', $command, implode(' ', $files));
108 }
109 $messages[] = \Piwik\Piwik::translate('General_ExceptionUnexpectedFile') . '<br/>' . '--> ' . \Piwik\Piwik::translate('General_ExceptionUnexpectedFilePleaseDelete') . ' <--' . '<br/><br/>' . $messageFilesToDelete . '<br/><br/>' . \Piwik\Piwik::translate('General_ToDeleteAllFilesRunThisCommand') . '<br/>' . implode('<br />', $deleteAllAtOnce) . '<br/><br/>';
110 return $messages;
111 }
112 return $messages;
113 }
114 /**
115 * Look for whole directories which are in the filesystem, but should not be
116 *
117 * @return array
118 */
119 protected static function getDirectoriesFoundButNotExpected()
120 {
121 static $cache = null;
122 if (!is_null($cache)) {
123 return $cache;
124 }
125 $pluginsInManifest = self::getPluginsFoundInManifest();
126 $directoriesInManifest = self::getDirectoriesFoundInManifest();
127 $directoriesFoundButNotExpected = array();
128 foreach (self::getPathsToInvestigate() as $file) {
129 $file = substr($file, strlen(PIWIK_DOCUMENT_ROOT));
130 // remove piwik path to match format in manifest.inc.php
131 $file = ltrim($file, "\\/");
132 $directory = dirname($file);
133 if (in_array($directory, $directoriesInManifest)) {
134 continue;
135 }
136 if (self::isFileNotInManifestButExpectedAnyway($file)) {
137 continue;
138 }
139 if (self::isFileFromPluginNotInManifest($file, $pluginsInManifest)) {
140 continue;
141 }
142 if (!in_array($directory, $directoriesFoundButNotExpected)) {
143 $directoriesFoundButNotExpected[] = $directory;
144 }
145 }
146 $cache = self::getParentDirectoriesFromListOfDirectories($directoriesFoundButNotExpected);
147 return $cache;
148 }
149 /**
150 * Look for files which are in the filesystem, but should not be
151 *
152 * @return array
153 */
154 protected static function getFilesFoundButNotExpected()
155 {
156 $files = \Piwik\Manifest::$files;
157 $pluginsInManifest = self::getPluginsFoundInManifest();
158 $filesFoundButNotExpected = array();
159 foreach (self::getPathsToInvestigate() as $file) {
160 if (is_dir($file)) {
161 continue;
162 }
163 $file = substr($file, strlen(PIWIK_DOCUMENT_ROOT));
164 // remove piwik path to match format in manifest.inc.php
165 $file = ltrim($file, "\\/");
166 if (self::isFileFromPluginNotInManifest($file, $pluginsInManifest)) {
167 continue;
168 }
169 if (self::isFileNotInManifestButExpectedAnyway($file)) {
170 continue;
171 }
172 if (self::isFileFromDirectoryThatShouldBeDeleted($file)) {
173 // we already report the directory as "Directory to delete" so no need to repeat the instruction for each file
174 continue;
175 }
176 if (!isset($files[$file])) {
177 $filesFoundButNotExpected[] = $file;
178 }
179 }
180 return $filesFoundButNotExpected;
181 }
182 protected static function isFileFromDirectoryThatShouldBeDeleted($file)
183 {
184 $directoriesWillBeDeleted = self::getDirectoriesFoundButNotExpected();
185 foreach ($directoriesWillBeDeleted as $directoryWillBeDeleted) {
186 if (strpos($file, $directoryWillBeDeleted) === 0) {
187 return \true;
188 }
189 }
190 return \false;
191 }
192 protected static function getDirectoriesFoundInManifest()
193 {
194 $files = \Piwik\Manifest::$files;
195 $directories = array();
196 foreach ($files as $file => $manifestIntegrityInfo) {
197 $directory = $file;
198 // add this directory and each parent directory
199 while (($directory = dirname($directory)) && $directory != '.' && $directory != '/') {
200 $directories[] = $directory;
201 }
202 }
203 $directories = array_unique($directories);
204 return $directories;
205 }
206 protected static function getPluginsFoundInManifest()
207 {
208 $files = \Piwik\Manifest::$files;
209 $pluginsInManifest = array();
210 foreach ($files as $file => $manifestIntegrityInfo) {
211 if (strpos($file, 'plugins/') === 0) {
212 $pluginName = self::getPluginNameFromFilepath($file);
213 $pluginsInManifest[] = $pluginName;
214 }
215 }
216 return $pluginsInManifest;
217 }
218 /**
219 * If a plugin folder is not tracked in the manifest then we don't try to report any files in this folder
220 * Could be a third party plugin or any plugin from the Marketplace
221 *
222 * @param $file
223 * @param $pluginsInManifest
224 * @return bool
225 */
226 protected static function isFileFromPluginNotInManifest($file, $pluginsInManifest)
227 {
228 if (strpos($file, 'plugins/') !== 0) {
229 return \false;
230 }
231 if (substr_count($file, '/') < 2) {
232 // must be a file plugins/abc.xyz and not a plugin directory
233 return \false;
234 }
235 $pluginName = self::getPluginNameFromFilepath($file);
236 if (in_array($pluginName, $pluginsInManifest)) {
237 return \false;
238 }
239 return \true;
240 }
241 protected static function isFileNotInManifestButExpectedAnyway($file)
242 {
243 $expected = self::getFilesNotInManifestButExpectedAnyway();
244 foreach ($expected as $expectedPattern) {
245 if (fnmatch($expectedPattern, $file, defined('FNM_CASEFOLD') ? \FNM_CASEFOLD : 0)) {
246 return \true;
247 }
248 }
249 return \false;
250 }
251 protected static function getMessagesFilesMismatch($messages)
252 {
253 $messagesMismatch = array();
254 $hasHashFile = function_exists('hash_file');
255 $files = \Piwik\Manifest::$files;
256 foreach ($files as $path => $props) {
257 $file = PIWIK_INCLUDE_PATH . '/' . $path;
258 if (!file_exists($file) || !is_readable($file)) {
259 $messagesMismatch[] = \Piwik\Piwik::translate('General_ExceptionMissingFile', $file);
260 } elseif (filesize($file) != $props[0]) {
261 if (self::isModifiedPathValid($path)) {
262 continue;
263 }
264 if (in_array(substr($path, -4), array('.gif', '.ico', '.jpg', '.png', '.swf'))) {
265 // files that contain binary data (e.g., images) must match the file size
266 $messagesMismatch[] = \Piwik\Piwik::translate('General_ExceptionFilesizeMismatch', array($file, $props[0], filesize($file)));
267 } else {
268 // convert end-of-line characters and re-test text files
269 $content = @file_get_contents($file);
270 $content = str_replace("\r\n", "\n", $content);
271 if (strlen($content) != $props[0] || @hash('sha256', $content) !== $props[1]) {
272 $messagesMismatch[] = \Piwik\Piwik::translate('General_ExceptionFilesizeMismatch', array($file, $props[0], filesize($file)));
273 }
274 }
275 } elseif ($hasHashFile && @hash_file('sha256', $file) !== $props[1]) {
276 if (self::isModifiedPathValid($path)) {
277 continue;
278 }
279 $messagesMismatch[] = \Piwik\Piwik::translate('General_ExceptionFileIntegrity', $file);
280 }
281 }
282 if (!$hasHashFile) {
283 $messages[] = \Piwik\Piwik::translate('General_WarningFileIntegrityNoHashFile');
284 }
285 if (!empty($messagesMismatch)) {
286 $messages[] = \Piwik\Piwik::translate('General_FileIntegrityWarningReupload');
287 $messages[] = '--> ' . \Piwik\Piwik::translate('General_FileIntegrityWarningReuploadBis') . ' <--<br/>';
288 $messages = array_merge($messages, $messagesMismatch);
289 }
290 return $messages;
291 }
292 protected static function isModifiedPathValid($path)
293 {
294 if ($path === 'piwik.js' || $path === 'matomo.js') {
295 // we could have used a postEvent hook to enrich "\Piwik\Manifest::$files;" which would also benefit plugins
296 // that want to check for file integrity but we do not want to risk to break anything right now. It is not
297 // as trivial because piwik.js might be already updated, or updated on the next request. We cannot define
298 // 2 or 3 different filesizes and md5 hashes for one file so we check it here.
299 if (\Piwik\Plugin\Manager::getInstance()->isPluginActivated('CustomJsTracker')) {
300 $trackerUpdater = new TrackerUpdater();
301 if ($trackerUpdater->getCurrentTrackerFileContent() === $trackerUpdater->getUpdatedTrackerFileContent()) {
302 // file was already updated, eg manually or via custom piwik.js, this is a valid piwik.js file as
303 // it was enriched by tracker plugins
304 return \true;
305 }
306 try {
307 // the piwik.js tracker file was not updated yet, but may be updated just after the update by
308 // one of the events CustomJsTracker is listening to or by a scheduled task.
309 // In this case, we check whether such an update will succeed later and if it will, the file is
310 // valid as well as it will be updated on the next request
311 $trackerUpdater->checkWillSucceed();
312 return \true;
313 } catch (AccessDeniedException $e) {
314 return \false;
315 }
316 }
317 }
318 return \false;
319 }
320 protected static function getPluginNameFromFilepath($file)
321 {
322 $pathRelativeToPlugins = substr($file, strlen('plugins/'));
323 $pluginName = substr($pathRelativeToPlugins, 0, strpos($pathRelativeToPlugins, '/'));
324 return $pluginName;
325 }
326 /**
327 * @return array
328 */
329 protected static function getPathsToInvestigate()
330 {
331 $filesToInvestigate = array_merge(
332 // all normal files
333 \Piwik\Filesystem::globr(PIWIK_DOCUMENT_ROOT, '*'),
334 // all hidden files
335 \Piwik\Filesystem::globr(PIWIK_DOCUMENT_ROOT, '.*')
336 );
337 return $filesToInvestigate;
338 }
339 /**
340 * @param $directoriesFoundButNotExpected
341 * @return array
342 */
343 protected static function getParentDirectoriesFromListOfDirectories($directoriesFoundButNotExpected)
344 {
345 sort($directoriesFoundButNotExpected);
346 $parentDirectoriesOnly = array();
347 foreach ($directoriesFoundButNotExpected as $directory) {
348 $directoryParent = self::getDirectoryParentFromList($directory, $directoriesFoundButNotExpected);
349 if ($directoryParent) {
350 $parentDirectoriesOnly[] = $directoryParent;
351 }
352 }
353 $parentDirectoriesOnly = array_unique($parentDirectoriesOnly);
354 return $parentDirectoriesOnly;
355 }
356 /**
357 * When the parent directory of $directory is found within $directories, return it.
358 *
359 * @param $directory
360 * @param $directories
361 * @return string
362 */
363 protected static function getDirectoryParentFromList($directory, $directories)
364 {
365 foreach ($directories as $directoryMaybeParent) {
366 if ($directory == $directoryMaybeParent) {
367 continue;
368 }
369 $isParentDirectory = strpos($directory, $directoryMaybeParent) === 0;
370 if ($isParentDirectory) {
371 return $directoryMaybeParent;
372 }
373 }
374 return null;
375 }
376 }
377