From ea13be2426e5fbe0b026f5d80f14a2377d560401 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 2 Mar 2018 13:45:33 +0100
Subject: Add some rules for Typo3, courtesy of @kjojo
---
config/typo3.rules | 55 +++++++++++++++++++++++++++++++++++++++++++++
src/tests/config_typo3.phpt | 12 ++++++++++
2 files changed, 67 insertions(+)
create mode 100644 config/typo3.rules
create mode 100644 src/tests/config_typo3.phpt
diff --git a/config/typo3.rules b/config/typo3.rules
new file mode 100644
index 0000000..57fafd1
--- /dev/null
+++ b/config/typo3.rules
@@ -0,0 +1,55 @@
+# Harden the `chmod` function
+sp.disable_function.function("chmod").param("mode").filename_r("typo3/sysext/core/Classes/Utility/GeneralUtility.php$").value_r("^[0-9]{2}6$").allow();
+sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value("").allow();
+# use swiftmailer to send email
+sp.disable_function.function("mail").drop();
+
+ ##Prevent various `include`-related vulnerabilities
+sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow();
+sp.disable_function.function_r("^require|include$").value_r("\.php$").allow();
+sp.disable_function.function_r("^(?:require|include)_once$").drop();
+sp.disable_function.function_r("^require|include$").drop();
+
+# Prevent `system`-related injections
+sp.disable_function.function("system").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("exec").param("command").filename_r("typo3/sysext/core/Classes/Utility/CommandUtility.php$").value_r("^'/usr/bin/convert' [a-zA-Z0-9_\\-\\.\\*'\+\\[\\] \/]+ 2>&1$").allow();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("var_name").filename_r("typo3/sysext/core/Classes/Core/Bootstrap.php$").value("memory_limit").allow();
+sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+
+# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php$").value("open_basedir").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/Check.php$").value("open_basedir").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("typo3/sysext/install/Classes/SystemEnvironment/SetupCheck.php$").value("allow_url_fopen").allow();
+sp.disable_function.function("ini_get").param("var_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value("allow_url_fopen").allow();
+sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+
+#need to be allow for example to execute Scheduled tasks
+sp.disable_function.function("function_exists").param("function_name").filename_r("vendor/guzzlehttp/guzzle/src/functions.php$").value_r("^curl_multi_exec$|^curl_exec$").allow();
+sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+
+# Ghetto sqli hardening
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("/\\*").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("--").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("#").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r(";.*;").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("benchmark").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("sleep").drop();
+sp.disable_function.function_r("QueryBuilder::setParameter").param("value").value_r("information_schema").drop();
+
+#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
diff --git a/src/tests/config_typo3.phpt b/src/tests/config_typo3.phpt
new file mode 100644
index 0000000..1b678ca
--- /dev/null
+++ b/src/tests/config_typo3.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Rules for Typo3
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/../../config/typo3.rules
+--FILE--
+
+--EXPECT--
+ok
-- cgit v1.3
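Review bot: The two `function_r("^require|include$")` rules in the include section have an alternation-precedence bug: without grouping the pattern means "starts with `require`" OR "ends with `include`", so it also matches `require_once` and any function name ending in `include`; only the ordering behind the `(?:require|include)_once` rules keeps this harmless today, and it should read `function_r("^(?:require|include)$")` in both the `allow()` and the `drop()` line. In the `system`-related section `system` is dropped outright and `shell_exec`/`exec`/`proc_open` are dropped on `[$|;&`\\n]`, but `passthru`, `popen` and `pcntl_exec` get no rule at all, and the metacharacter list omits `>`/`<` redirection and `\r`; I would add matching rules for the three uncovered functions (proposed below). Two caveats worth a comment in the file: the `chmod` rules assume `value_r` sees the octal digits, but `mode` is normally passed as an integer literal (`0666`), and whether snuffleupagus stringifies that as `666` or as decimal `438` is not visible here, so a test calling `chmod(..., 0666)` and expecting the drop is needed before relying on it; and the "Ghetto sqli hardening" rules fire on the value of a bound parameter, so any legitimate value containing `--`, `#`, or the word `sleep` (URLs with fragments, markdown, plain prose) will be dropped as a false positive and, if the rule DSL supports it, should run in simulation mode first.
```text
# … unchanged: chmod and mail rules …
sp.disable_function.function_r("^(?:require|include)_once$").value_r("\.php$").allow();
sp.disable_function.function_r("^(?:require|include)$").value_r("\.php$").allow();
sp.disable_function.function_r("^(?:require|include)_once$").drop();
sp.disable_function.function_r("^(?:require|include)$").drop();

# Prevent `system`-related injections
sp.disable_function.function("system").drop();
sp.disable_function.function("passthru").drop();
sp.disable_function.function("pcntl_exec").drop();
sp.disable_function.function("popen").param("command").value_r("[$|;&`<>\\n\\r]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`<>\\n\\r]").drop();
# … unchanged: exec allow-list for /usr/bin/convert, exec/proc_open drops, and the remaining sections …
```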
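Review bot: The new phpt only asserts that the rule set loads and that the script prints `ok`, so none of the patterns in typo3.rules are exercised — a typo in a `filename_r` path or `value_r` regex would still pass this test. The `--SKIPIF--` and `--FILE--` bodies appear empty in this view, presumably because their PHP tags were stripped on rendering, so I cannot tell what the script actually does. I would add at least one negative case per section, e.g. a `--FILE--` that calls `chmod(__FILE__, 0666)` or `system('id')` with an `--EXPECTF--` matching the snuffleupagus drop message, so the regexes are shown to match the arguments as PHP actually passes them.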