
Http

Http

Class: Drutiny\Http\Audit\Http
Extends: Drutiny\Audit
Package: drutiny/http

NOTE: This Audit is abstract and cannot be used directly by a policy.

HttpAnalysis

Class: Drutiny\Http\Audit\HttpAnalysis
Extends: Drutiny\Audit\AbstractAnalysis
Package: drutiny/http

Parameters

Name Type Description Default
expression string The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html 'true'
not_applicable string The expression language to evaluate if the analysis is not applicable. See https://symfony.com/doc/current/components/expression_language/syntax.html 'false'
send_warming_request boolean Send a warming request and store headers into cold_headers parameter. false
use_cache boolean Indicator if Guzzle client should use cache middleware. true
options array An options array passed to the Guzzle client request method. { }

Tokens

Name Type Description Default
expression string The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html 'true'
not_applicable string The expression language to evaluate if the analysis is not applicable. See https://symfony.com/doc/current/components/expression_language/syntax.html 'false'
send_warming_request boolean Send a warming request and store headers into cold_headers parameter. false
use_cache boolean Indicator if Guzzle client should use cache middleware. true
options array An options array passed to the Guzzle client request method. { }
Source
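  /**
   * Fetches the target's HTTP response and exposes its headers as tokens.
   *
   * When the `send_warming_request` parameter is truthy, a first request is
   * made with the cache middleware disabled and its headers are stored in the
   * `cold_headers` token; the caller's `use_cache` value is then restored and
   * a second request populates the `headers` token.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   */
  protected function gather(Sandbox $sandbox)
  {
    $use_cache = $sandbox->getParameter('use_cache', FALSE);

    // For checking caching functionality, pre-warm the origin with an
    // uncached request first. This must READ the policy's value with
    // getParameter(); calling setParameter() here overwrote it with FALSE
    // and never sent the warming request.
    if ($sandbox->getParameter('send_warming_request', FALSE)) {
      $sandbox->setParameter('use_cache', FALSE);
      $response = $this->getHttpResponse($sandbox);
      $sandbox->setParameter('cold_headers', $this->gatherHeaders($response));
    }

    // Restore the caller's cache preference before the measured request.
    $sandbox->setParameter('use_cache', $use_cache);
    $response = $this->getHttpResponse($sandbox);
    $sandbox->setParameter('headers', $this->gatherHeaders($response));
  }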
  /**
   * Evaluates the policy's expressions against the gathered tokens.
   *
   * Runs gather() first, then evaluates the `not_applicable` expression
   * (default 'false'); when it holds, self::NOT_APPLICABLE is returned.
   * Otherwise the `expression` parameter (default 'true') is evaluated and
   * its result returned as the audit outcome.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters, tokens and logger.
   *
   * @return mixed
   *   self::NOT_APPLICABLE, or the value of the evaluated `expression`.
   */
  final public function audit(Sandbox $sandbox)
  {
    $this->gather($sandbox);

    $language = new ExpressionLanguage($sandbox);
    $tokens = $sandbox->getParameterTokens();
    $sandbox->logger()->debug(__CLASS__ . ': ' . Yaml::dump($tokens));

    $skipExpression = $sandbox->getParameter('not_applicable', 'false');
    $sandbox->logger()->debug(__CLASS__ . ': ' . $skipExpression);
    // `@` only silences warnings raised while evaluating; exceptions thrown by
    // the expression language still propagate to the caller.
    $notApplicable = @$language->evaluate($skipExpression, $tokens);
    if ($notApplicable) {
      return self::NOT_APPLICABLE;
    }

    $passExpression = $sandbox->getParameter('expression', 'true');
    $sandbox->logger()->info(__CLASS__ . ': ' . $passExpression);
    $outcome = @$language->evaluate($passExpression, $tokens);
    return $outcome;
  }

HttpHeaderExists

Class: Drutiny\Http\Audit\HttpHeaderExists
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:X-Frame-Options HTTP X-Frame-Options
HTTP:HSTS HTTP HSTS
HTTP:Content-Security-Policy HTTP Content-Security-Policy
HTTP:ReferrerPolicy HTTP Referrer Policy

Parameters

Name Type Description Default
header string The HTTP header to check the value of. null

Tokens

Name Type Description Default
header string The HTTP header to check the value of. null
header_value string The value to check against. null
Source
  /**
   * Checks whether the response carries the header named by `header`.
   *
   * When the header is present its first value is exposed as the
   * `header_value` token so the policy can report it.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   The result of hasHeader(): TRUE when the header is present.
   */
  public function audit(Sandbox $sandbox)
  {
    $response = $this->getHttpResponse($sandbox);
    $name = $sandbox->getParameter('header');
    $present = $response->hasHeader($name);

    if (!$present) {
      return $present;
    }

    // Only the first value is exposed, in line with the other header audits.
    $values = $response->getHeader($name);
    $sandbox->setParameter('header_value', $values[0]);
    return $present;
  }

HttpHeaderMatch

Class: Drutiny\Http\Audit\HttpHeaderMatch
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:X-XSS-Protection HTTP X-XSS-Protection
HTTP:X-Content-Type-Options HTTP X-Content-Type-Options
Acquia:CloudEdgeCaching Cloud Edge Caching

Parameters

Name Type Description Default
header string The HTTP header to check the value of. null
header_value string The value to check against. null

Tokens

Name Type Description Default
header string The HTTP header to check the value of. null
header_value string The value to check against. null
Source
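  /**
   * Checks that the `header` response header exactly equals `header_value`.
   *
   * Both sides are compared as strings with ===. The loose == used before
   * compared numeric-looking strings as numbers (e.g. '1e3' == '1000') and let
   * a boolean TRUE parameter match any non-empty header value, which is too
   * permissive for a security-header check.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   TRUE when the header is present and its first value equals the expected
   *   value; FALSE when the header is absent or the value differs.
   */
  public function audit(Sandbox $sandbox)
  {
    $expected = $sandbox->getParameter('header_value');
    $res = $this->getHttpResponse($sandbox);
    $header = $sandbox->getParameter('header');

    if (!$res->hasHeader($header)) {
      return FALSE;
    }

    // Only the first value is checked, in line with the other header audits.
    $headers = $res->getHeader($header);
    return (string) $expected === (string) $headers[0];
  }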

HttpHeaderNotExists

Class: Drutiny\Http\Audit\HttpHeaderNotExists
Extends: Drutiny\Http\Audit\HttpHeaderExists
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:X-Drupal-Cache-Tags X-Drupal-Cache-Tags Header Disabled
HTTP:Authorization HTTP Authorization Disabled

Parameters

Name Type Description Default
header string The HTTP header to check the value of. null

Tokens

Name Type Description Default
header string The HTTP header to check the value of. null
header_value string The value to check against. null
Source
  /**
   * Inverts HttpHeaderExists: the audit passes only when the header is absent.
   *
   * The parent still records the `header_value` token when the header is
   * present, so a failing result can report what was found.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   TRUE when the header is not present in the response.
   */
  public function audit(Sandbox $sandbox)
  {
    $exists = parent::audit($sandbox);
    return !$exists;
  }

HttpHeaderRegex

Class: Drutiny\Http\Audit\HttpHeaderRegex
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:Cache-Control HTTP Cache-Control

Parameters

Name Type Description Default
header string The HTTP header to check the value of. null
regex string A regular expression to validate the header value against. null

Tokens

Name Type Description Default
header string The HTTP header to check the value of. null
regex string A regular expression to validate the header value against. null
Source
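  /**
   * Validates the `header` response header against the `regex` parameter.
   *
   * The pattern is wrapped in `/` delimiters as-is, so a literal slash inside
   * the policy's regex must be written as `\/`. Only the first header value is
   * tested.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   TRUE when the header is present and the pattern matches its first value;
   *   FALSE when the header is absent, the pattern is empty, or preg_match()
   *   fails (an invalid pattern returns FALSE and emits a warning).
   */
  public function audit(Sandbox $sandbox)
  {
    $pattern = $sandbox->getParameter('regex');
    // An empty pattern (//) matches every value and would turn the audit into
    // an unconditional pass; treat a missing regex as a failed check instead.
    if ($pattern === NULL || $pattern === '') {
      return FALSE;
    }
    $regex = "/$pattern/";

    $res = $this->getHttpResponse($sandbox);
    $header = $sandbox->getParameter('header');
    if (!$res->hasHeader($header)) {
      return FALSE;
    }

    $headers = $res->getHeader($header);
    // preg_match() returns 1, 0 or FALSE; normalise to a strict boolean.
    return preg_match($regex, $headers[0]) === 1;
  }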

HttpStatusCode

Class: Drutiny\Http\Audit\HttpStatusCode
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:ValidSSL HTTPS Valid SSL Certificate

Parameters

Name Type Description Default
status_code string The expected status code from the HTTP response 200

Tokens

Name Type Description Default
status_code string The expected status code from the HTTP response 200
Source
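  /**
   * Checks that the response status equals the `status_code` parameter.
   *
   * The parameter is documented as a string (default 200), so both sides are
   * cast to int and compared strictly instead of relying on loose ==.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   TRUE when the response status code equals the expected code.
   */
  public function audit(Sandbox $sandbox)
  {
    $expected = (int) $sandbox->getParameter('status_code', 200);
    $res = $this->getHttpResponse($sandbox);
    return $expected === (int) $res->getStatusCode();
  }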

HttpsRedirect

Class: Drutiny\Http\Audit\HttpsRedirect
Extends: Drutiny\Http\Audit\Http
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
HTTP:ForceHTTPS Force HTTPS
Source
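  /**
   * Checks that the plain-HTTP form of the target URL redirects to HTTPS.
   *
   * The target URI (or the `url` parameter) is rewritten to http://, its
   * https:// form is recorded as the `expected_location` token, and the request
   * is made with redirects disabled so the first response is inspected. The
   * observed Location header is exposed as the `location` token.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @return bool
   *   TRUE when the response is a 3xx whose Location header starts with
   *   https://; FALSE otherwise.
   */
  public function audit(Sandbox $sandbox)
  {
    $url = $sandbox->getParameter('url', $sandbox->getTarget()->uri());
    $url = strtr($url, [
      'https://' => 'http://',
    ]);
    $sandbox->setParameter('url', $url);
    $sandbox->setParameter('expected_location', strtr($url, [
      'http://' => 'https://',
    ]));

    // Ensure the redirect is not followed.
    $options = $sandbox->getParameter('options', []);
    $options['allow_redirects'] = FALSE;
    $sandbox->setParameter('options', $options);

    $res = $this->getHttpResponse($sandbox);

    if (!$res->hasHeader('Location')) {
      return FALSE;
    }
    // Only redirect statuses (3xx) count; the previous `> 400` check let a
    // 400 response with a Location header pass.
    $status = $res->getStatusCode();
    if ($status < 300 || $status >= 400) {
      return FALSE;
    }
    $headers = $res->getHeader('Location');

    $sandbox->setParameter('location', $headers[0]);

    // The scheme must be at the start of the Location value; a substring test
    // would also accept an http:// target that merely mentions https://
    // later in the URL (e.g. in a query parameter).
    return strpos($headers[0], 'https://') === 0;
  }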

SslAssertion

Class: Drutiny\Http\Audit\SslAssertion
Extends: Drutiny\Audit\AbstractAnalysis
Package: drutiny/http

Policies

These are the policies that use this class:

Name Title
SSL:DistrustedSymantecPKI Chrome distrusted Symantec PKI

Parameters

Name Type Description Default
host string The domain name to connect to. false
port integer The SSL port to connect to 443
expression string The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html 'true'

Tokens

Name Type Description Default
host string The domain name to connect to. false
port integer The SSL port to connect to 443
expression string The expression language to evaluate. See https://symfony.com/doc/current/components/expression_language/syntax.html 'true'
cert array A multidimensional array representing the certificate info null
Source
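  /**
   * Connects to the target over TLS and exposes its certificate as `cert`.
   *
   * The host comes from the `host` parameter, or from the target URI when it
   * is unset (a URL is reduced to its host component). The certificate parsed
   * by openssl_x509_parse() is stored in the `cert` token with an added
   * `issued` key formatted from `validFrom_time_t`.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters and the target.
   *
   * @throws AuditValidationException
   *   When the TLS connection cannot be established, when no peer certificate
   *   was captured, or when the certificate cannot be parsed.
   */
  public function gather(Sandbox $sandbox)
  {
    if (!$url = $sandbox->getParameter('host')) {
      $url = $sandbox->getTarget()->uri();
    }

    $host = (strpos($url, '://') !== FALSE) ? parse_url($url, PHP_URL_HOST) : $url;
    $sandbox->setParameter('host', $host);
    // 443 is the documented default for the port parameter.
    $port = $sandbox->getParameter('port', 443);

    $url = 'ssl://' . $host . ':' . $port;

    $context = stream_context_create(["ssl" => ["capture_peer_cert" => true]]);
    // The connect warning is suppressed because the failure is reported via the
    // exception below, which now carries the socket error instead of losing it.
    if (!$client = @stream_socket_client($url, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context)) {
      throw new AuditValidationException("$host did not accept an SSL connection on port $port: [$errno] $errstr");
    }

    $params = stream_context_get_params($client);
    $peer = isset($params['options']['ssl']['peer_certificate'])
      ? $params['options']['ssl']['peer_certificate']
      : NULL;
    $certinfo = $peer ? openssl_x509_parse($peer) : FALSE;
    // The socket is only needed for the handshake; release it once the
    // captured certificate has been parsed so the descriptor is not leaked.
    fclose($client);

    if ($certinfo === FALSE) {
      throw new AuditValidationException("Could not parse the certificate presented by $host on port $port");
    }

    // date() formats in the server's default timezone.
    $certinfo['issued'] = date('Y-m-d H:i:s', $certinfo['validFrom_time_t']);

    $sandbox->setParameter('cert', $certinfo);
  }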
  /**
   * Evaluates the policy's expressions against the gathered certificate tokens.
   *
   * gather() runs first so the `cert` token is available. The `not_applicable`
   * expression (default 'false') is evaluated first and, when it holds,
   * self::NOT_APPLICABLE is returned; otherwise the `expression` parameter
   * (default 'true') decides the outcome.
   *
   * @param Sandbox $sandbox
   *   The policy sandbox carrying the parameters, tokens and logger.
   *
   * @return mixed
   *   self::NOT_APPLICABLE, or the value of the evaluated `expression`.
   */
  final public function audit(Sandbox $sandbox)
  {
    $this->gather($sandbox);

    $evaluator = new ExpressionLanguage($sandbox);
    $context = $sandbox->getParameterTokens();
    $sandbox->logger()->debug(__CLASS__ . ': ' . Yaml::dump($context));

    $naExpression = $sandbox->getParameter('not_applicable', 'false');
    $sandbox->logger()->debug(__CLASS__ . ': ' . $naExpression);
    // `@` silences warnings from evaluation only; exceptions still propagate.
    if (@$evaluator->evaluate($naExpression, $context)) {
      return self::NOT_APPLICABLE;
    }

    $checkExpression = $sandbox->getParameter('expression', 'true');
    $sandbox->logger()->info(__CLASS__ . ': ' . $checkExpression);
    $result = @$evaluator->evaluate($checkExpression, $context);
    return $result;
  }