Security issues, refactoring

Classes/TechDivision/DocViewer/AccessManager.php

@@ -0,0 +1,30 @@
+<?php
+namespace TechDivision\DocViewer;
+
+use TYPO3\Flow\Annotations as Flow;
+use TYPO3\Neos\Controller\Module\AbstractModuleController;
+
+/**
+ *
+ * @Flow\Scope("singleton")
+ */
+class AccessManager extends AbstractModuleController
+{
+
+	/**
+	 * Files which are used as entry files
+	 * @Flow\InjectConfiguration("packages")
+	 * @var array
+	 */
+	protected $packagesConfiguration;
+
+	/**
+	 * Determines if given package key should be accessable
+	 *
+	 * @param string $packageKey
+	 * @return bool
+	 */
+	public function isPackageAccessable($packageKey) {
+		return !in_array($packageKey, $this->packagesConfiguration['hide']);
+	}
+}

Classes/TechDivision/DocViewer/Controller/ModuleController.php

@@ -4,13 +4,20 @@
 /*
  * This file is part of the TechDivision.DocViewer package.
  */
+use TechDivision\DocViewer\Exceptions\PackageNotAccessableException;
 use TechDivision\DocViewer\Exceptions\ParsingNotAllowedException;
 use TechDivision\DocViewer\File\Parser;
 use TechDivision\DocViewer\File\Tree;
 use TechDivision\DocViewer\Util;
+
 use TYPO3\Flow\Annotations as Flow;
+use TYPO3\Neos\Controller\Module\AbstractModuleController;
 
-class ModuleController extends \TYPO3\Flow\Mvc\Controller\ActionController
+/**
+ *
+ * @Flow\Scope("singleton")
+ */
+class ModuleController extends AbstractModuleController
 {
 
 	/**
@@ -26,19 +33,26 @@ class ModuleController extends \TYPO3\Flow\Mvc\Controller\ActionController
 	 */
 	protected $packagesConfiguration;
 
+	/**
+	 * @Flow\Inject
+	 * @var \TechDivision\DocViewer\AccessManager
+	 */
+	protected $accessManager;
+
     /**
      * @return void
      */
     public function indexAction()
     {
+
 		$packageGroups = array();
 
 		foreach($this->packagesConfiguration['visibleTypes'] as $type) {
 			$packageGroups[$type] = array();
 		}
 		foreach ($this->packageManager->getAvailablePackages() as $package) {
 
-			if(in_array($package->getPackageKey(), $this->packagesConfiguration['hide'])) {
+			if(!$this->accessManager->isPackageAccessable($package->getPackageKey())) {
 				continue;
 			}
 
@@ -50,7 +64,7 @@ public function indexAction()
 				continue;
 			}
 
-			$tree = new Tree($packageGroup, $package->getPackageKey());
+			$tree = new Tree($packageGroup, $package->getPackageKey(), $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
 
 			if(!$tree->isDirectoryWithContent()) {
 				continue;
@@ -82,14 +96,16 @@ public function indexAction()
 	 */
 	public function showAction($packageKey, $packageType, $filePath = null) {
 
-		// @TODO check for visibility by given Settings.yaml
+		$baseUri = $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri();
+
+		if (!$this->accessManager->isPackageAccessable($packageKey)) {
+			throw new PackageNotAccessableException("You are not allowed to access the package " . $packageKey);
+		}
 
 		$this->view->assign('packageKey', $packageKey);
 		$this->view->assign('packageType', $packageType);
 
-		$docDir = Util::getDocumentPath($packageType, $packageKey);
-
-		$tree = new Tree($packageType, $packageKey);
+		$tree = new Tree($packageType, $packageKey, $baseUri);
 
 		if(!$tree->isDirectoryWithContent()) {
 			$this->addFlashMessage('No documention could be found');
@@ -103,7 +119,7 @@ public function showAction($packageKey, $packageType, $filePath = null) {
 		}
 
 		if($file) {
-			$parser = new Parser();
+			$parser = new Parser($baseUri);
 			$this->view->assign('currentFile', $file);
 			try {
 				$documentContent = $parser->parseFile($file);

Classes/TechDivision/DocViewer/Controller/ResourceController.php

@@ -4,6 +4,8 @@
 /*
  * This file is part of the TechDivision.DocViewer package.
  */
+use TechDivision\DocViewer\Exceptions\FileNotInsideDocumentationException;
+use TechDivision\DocViewer\Exceptions\PackageNotAccessableException;
 use TechDivision\DocViewer\File\Parser;
 use TechDivision\DocViewer\Util;
 use TYPO3\Flow\Annotations as Flow;
@@ -16,11 +18,12 @@
  */
 class ResourceController extends \TYPO3\Flow\Mvc\Controller\ActionController
 {
+
 	/**
 	 * @Flow\Inject
-	 * @var PrivilegeManagerInterface
+	 * @var \TechDivision\DocViewer\AccessManager
 	 */
-	protected $privilegeManager;
+	protected $accessManager;
 
 	/**
 	 * @param string $packageType
@@ -29,12 +32,19 @@ class ResourceController extends \TYPO3\Flow\Mvc\Controller\ActionController
 	 * @return mixed
 	 */
 	public function rawAction($packageType, $packageKey, $filePath) {
-
-		// @TODO check for visibility by given Settings.yaml
 		// @TODO fix for working Policy.yaml
 
+		if (!$this->accessManager->isPackageAccessable($packageKey)) {
+			throw new PackageNotAccessableException("You are not allowed to access the package " . $packageKey);
+		}
+
 		$docDir = Util::getDocumentPath($packageType, $packageKey);
-		$filePath = $docDir . DIRECTORY_SEPARATOR . Parser::urlDecodeFilePath($filePath);
+		$filePath = realpath($docDir . DIRECTORY_SEPARATOR . Parser::urlDecodeFilePath($filePath));
+
+		if(strpos($filePath, $docDir) === false) {
+			throw new FileNotInsideDocumentationException("You are not allowed to acces files outside the documentation folder");
+		}
+
 		$contentType = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $filePath);
 		$this->response->setHeader("Content-Type", $contentType);
 

Classes/TechDivision/DocViewer/Exceptions/FileNotInsideDocumentationException.php

@@ -0,0 +1,9 @@
+<?php
+namespace TechDivision\DocViewer\Exceptions;
+
+/**
+ * Parsing is not allowed exception
+ */
+class FileNotInsideDocumentationException extends \TYPO3\Flow\Exception
+{
+}

Classes/TechDivision/DocViewer/Exceptions/PackageNotAccessableException.php

@@ -0,0 +1,9 @@
+<?php
+namespace TechDivision\DocViewer\Exceptions;
+
+/**
+ * Parsing is not allowed exception
+ */
+class PackageNotAccessableException extends \TYPO3\Flow\Exception
+{
+}

Classes/TechDivision/DocViewer/File/Node.php

@@ -4,6 +4,8 @@
 /*
  * This file is part of the TechDivision.DocViewer package.
  */
+use TechDivision\DocViewer\Exceptions\FileNotInsideDocumentationException;
+use TechDivision\DocViewer\Util;
 use TYPO3\Flow\Annotations as Flow;
 
 class Node {
@@ -72,6 +74,13 @@ public function __construct($packageType, $packageKey, $path)
 		$this->isDir = is_dir($path);
 		$this->absolutePath = realpath($path);
 
+		if(!$this->absolutePath) {
+			return null;
+		}
+		if(strpos($this->absolutePath, Util::getDocumentPath($packageType, $packageKey)) === false) {
+			throw new FileNotInsideDocumentationException("You are not allowed to acces files outside the documentation folder");
+		}
+
 		if(!$this->isDir) {
 			$this->info = pathinfo($path);
 		}

Classes/TechDivision/DocViewer/File/Parser.php

@@ -15,6 +15,15 @@ class Parser {
 	 */
 	protected static $resourceSuffix = '__docviwer';
 
+	/**
+	 * @var string
+	 */
+	protected $baseUri;
+
+	public function __construct($baseUri) {
+		$this->baseUri = $baseUri;
+	}
+
 	/**
 	 * @param Node $node
 	 * @return bool
@@ -59,11 +68,11 @@ public static function urlDecodeFilePath($path) {
 	 * @param string $path
 	 * @return string
 	 */
-	public static function buildResourceUrl($node, $path = null) {
+	public static function buildResourceUrl($node, $path = null, $baseUri = '') {
 		if(!$path) {
 			$path = $node->getPath();
 		}
-		return 'techdivision-docviewer/' . $node->getPackageType() . "/" . $node->getPackageKey() . "/" . self::urlEncodeFilePath($path);
+		return $baseUri . 'techdivision-docviewer/' . $node->getPackageType() . "/" . $node->getPackageKey() . "/" . self::urlEncodeFilePath($path);
 	}
 
 	/**
@@ -77,7 +86,9 @@ protected function replaceSrcValues($dom, $node) {
 			'/src\s*=\s*\"(.+?)\"/',
 			function ($matches) use ($node) {
 				$src = $matches[1];
-				$src = self::buildResourceUrl($node, $src);
+				if(strpos($src, 'http') !== 0) {
+					$src = self::buildResourceUrl($node, $src, $this->baseUri);
+				}
 				return 'src="' . $src . '"';
 			},
 			$dom);

Classes/TechDivision/DocViewer/File/Tree.php

@@ -27,9 +27,9 @@ class Tree {
 	 */
 	protected $parser;
 
-	public function __construct($packageType, $packageKey)
+	public function __construct($packageType, $packageKey, $baseUri)
 	{
-		$this->parser = new Parser();
+		$this->parser = new Parser($baseUri);
 		$this->rootNode = $this->buildFsNode($packageType, $packageKey);
 	}
 

Classes/TechDivision/DocViewer/Util.php

@@ -17,7 +17,7 @@ class Util {
 	 * @return string
 	 */
 	public static function getDocumentPath($packageType, $packageKey) {
-		$path = FLOW_PATH_PACKAGES . DIRECTORY_SEPARATOR . $packageType . DIRECTORY_SEPARATOR . $packageKey . '/Documentation';
+		$path = FLOW_PATH_PACKAGES . $packageType . DIRECTORY_SEPARATOR . $packageKey . '/Documentation';
 		if(!file_exists($path)) {
 			return null;
 		}

Classes/TechDivision/DocViewer/ViewHelpers/ResourceUrlViewHelper.php

@@ -19,6 +19,6 @@ class ResourceUrlViewHelper extends AbstractViewHelper
 	 */
     public function render($packageType, $packageKey, $filePath)
     {
-        return Parser::buildResourceUrl(new Node($packageType, $packageKey, $filePath));
+        return Parser::buildResourceUrl(new Node($packageType, $packageKey, $filePath), null, $this->controllerContext->getRequest()->getHttpRequest()->getBaseUri());
     }
 }

Configuration/Policy.yaml

@@ -6,7 +6,7 @@ privilegeTargets:
       matcher: 'method(TechDivision\DocViewer\Controller\ResourceController->.*Action())'
 
 roles:
-  'TYPO3.Neos:Editor':
+  'TYPO3.Flow:Everybody':
     privileges:
       -
         privilegeTarget: 'TechDivision.DocViewer:Module'

Configuration/Settings.yaml

@@ -4,11 +4,15 @@ TYPO3:
       management:
         submodules:
           techDivisionDocViewer:
-            label: 'DocViewer'
-            controller: 'TechDivision\DocViewer\Controller\ModuleController'
-            description: 'View the docs of installed packages'
+            label: 'TechDivision.DocViewer:Main:module.label'
+            controller: '\TechDivision\DocViewer\Controller\ModuleController'
+            description: 'TechDivision.DocViewer:Main:module.description'
             icon: 'icon-book'
-            privilegeTarget: 'TechDivision.DocViewer:BackendModule'
+            privilegeTarget: 'TechDivision.DocViewer:Module'
+    userInterface:
+      translation:
+        autoInclude:
+          'TechDivision.DocViewer': ['Main']
   Flow:
     mvc:
       routes:
@@ -20,7 +24,7 @@ TechDivision:
   DocViewer:
     packages:
       # defines which types of packages are visible in which order
-      visibleTypes: [ 'Sites', 'Application', 'Framework' ]
+      visibleTypes: [ 'Sites', 'Application' ]
       hide:
         - TYPO3.TypoScript
         - TYPO3.Imagine
@@ -31,7 +35,7 @@ TechDivision:
         - TYPO3.Fluid
         - TYPO3.Eel
         - TYPO3.Flow
-        # - TechDivision.Neos.DocViewer
+       # - TechDivision.DocViewer
     # Files are searched for as entry file
     entryFiles: [ 'Readme', 'index', 'Index' ]
     parser:

Documentation/Readme.md

@@ -1,35 +1,46 @@
-# TechDivision Neos DocViwer
+# TechDivision DocViwer
 
 ![TechDivision Logo](assets/TechDivisionLogo.jpeg)
 
 This packages provides a docviewer module for the neos backend.
 
-![TechDivision Logo](./assets/TechDivisionLogo.jpeg)
+Some examples:
 
-```
-var $some = "code";
-```
-
-# Headline 1
-
-![TechDivision Logo](assets/test.png)
+[Internal link](./Ref.md)
 
-## Headline 2
+[Internal link subdir](subdir/Ref.md)
 
-- [Ref](./Ref.md)
-- [Ref](Ref.md)
-- [Subdir ref](./subdir/SubDirRef.md)
-- [Subdir ref](subdir/SubDirRef.md)
-- [https://test.cherry-mx-com.cherry.cms.tdintern.de/](https://test.cherry-mx-com.cherry.cms.tdintern.de/)
-### Headline 3
+[External link](https://google.com/)
 
 *This text will be italic*
+
 _This will also be italic_
 
 **This text will be bold**
+
 __This will also be bold__
 
 _You **can** combine them_
 
-> We're living the future so
-> the present is our past.
+> An awesome quote
+
+```
+var $some = "code";
+```
+some ```inline``` code
+
+- an
+- unordered
+- list
+
+1. an 
+2. ordered
+3. list
+
+# Headline 1
+
+## Headline 2
+
+### Headline 3
+
+![Dummy image](https://dummyimage.com/300)

Documentation/subdir/Ref.md

@@ -0,0 +1,3 @@
+# SubDir ref file
+
+[Internal link parent dir](../Readme.md)