Disable executing solutions on non-local environments or from non-loc…

…al IP addresses (#364) * Solutions can only be ran from local environments and local IPs * Fix styling * Add tests * Fix styling Co-authored-by: AlexVanderbist <[email protected]>
facade · Mar 30, 2021 · 07967ce · 07967ce
1 parent 0d0d861
commit 07967ce
Show file tree

Hide file tree

Showing 2 changed files with 91 additions and 0 deletions.
diff --git a/src/Http/Controllers/ExecuteSolutionController.php b/src/Http/Controllers/ExecuteSolutionController.php
@@ -14,10 +14,33 @@ public function __invoke(
         ExecuteSolutionRequest $request,
         SolutionProviderRepository $solutionProviderRepository
     ) {
+        $this->ensureLocalEnvironment();
+        $this->ensureLocalRequest();
+
         $solution = $request->getRunnableSolution();
 
         $solution->run($request->get('parameters', []));
 
         return response('');
     }
+
+    public function ensureLocalEnvironment()
+    {
+        if (! app()->environment('local')) {
+            abort(403, "Runnable solutions are disabled in non-local environments. Please make sure `APP_ENV` is set correctly. Additionally please make sure `APP_DEBUG` is set to false on ANY production environment!");
+        }
+    }
+
+    public function ensureLocalRequest()
+    {
+        $ipIsPublic = filter_var(
+            request()->ip(),
+            FILTER_VALIDATE_IP,
+            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+        );
+
+        if ($ipIsPublic) {
+            abort(403, "Solutions can only be executed by requests from a local IP address. Please also make sure `APP_DEBUG` is set to false on ANY production environment.");
+        }
+    }
 }
diff --git a/tests/Http/Controllers/ExecuteSolutionControllerTest.php b/tests/Http/Controllers/ExecuteSolutionControllerTest.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Facade\Ignition\Tests\Http\Controllers;
+
+use Facade\Ignition\Tests\TestCase;
+
+class ExecuteSolutionControllerTest extends TestCase
+{
+    protected function resolveApplicationConfiguration($app)
+    {
+        parent::resolveApplicationConfiguration($app);
+
+        // Routes wont register in a console environment.
+        $_ENV['APP_RUNNING_IN_CONSOLE'] = false;
+    }
+
+    /** @test */
+    public function it_can_execute_solutions_on_a_local_environment_with_debugging_enabled()
+    {
+        $this->app['env'] = 'local';
+        $this->app['config']->set('app.debug', true);
+
+        $this->postJson(route('ignition.executeSolution'), $this->solutionPayload())
+            ->assertSuccessful();
+    }
+
+    /** @test */
+    public function it_wont_execute_solutions_on_a_production_environment()
+    {
+        $this->app['env'] = 'production';
+        $this->app['config']->set('app.debug', true);
+
+        $this->postJson(route('ignition.executeSolution'), $this->solutionPayload())
+            ->assertForbidden();
+    }
+
+    /** @test */
+    public function it_wont_execute_solutions_when_debugging_is_disabled()
+    {
+        $this->app['env'] = 'local';
+        $this->app['config']->set('app.debug', false);
+
+        $this->postJson(route('ignition.executeSolution'), $this->solutionPayload())
+            ->assertNotFound();
+    }
+
+    /** @test */
+    public function it_wont_execute_solutions_for_a_non_local_ip()
+    {
+        $this->app['env'] = 'local';
+        $this->app['config']->set('app.debug', true);
+        $this->withServerVariables(['REMOTE_ADDR' => '138.197.187.74']);
+
+        $this->postJson(route('ignition.executeSolution'), $this->solutionPayload())
+            ->assertForbidden();
+    }
+
+    protected function solutionPayload(): array
+    {
+        return [
+            'parameters' => [
+                'variableName' => 'test',
+                'viewFile' => 'resources/views/welcome.blade.php',
+            ],
+            'solution' => 'Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution',
+        ];
+    }
+}