Merge pull request #588 from rogercgui/opac-sec

Security: Log Hardening & Input Whitelisting (is_malicious.php, log_buscas.php)

Author: fho4abcd

www/htdocs/opac/functions/is_malicious.php

@@ -1,60 +1,165 @@
 <?php
-// Function to obtain the client's real IP
+
+/**
+ * OPAC Security - Input Validation
+ * Implements Parameter Whitelisting and Malicious Pattern Detection
+ */
+
+// Obtain the customer's actual IP address
 function get_client_ip()
 {
-    $keys = [
-        'HTTP_CLIENT_IP',
-        'HTTP_X_FORWARDED_FOR',
-        'REMOTE_ADDR'
-    ];
+    $keys = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];
     foreach ($keys as $key) {
         if (!empty($_SERVER[$key])) {
-            return $_SERVER[$key];
+            // In case of multiple IPs (proxies), take the first one
+            $ip_array = explode(',', $_SERVER[$key]);
+            return trim($ip_array[0]);
         }
     }
     return 'IP_desconhecido';
 }
 
-// Validation function against dangerous standards
+// Checks for dangerous patterns in VALUE (SQL Injection, XSS, Path Traversal)
 function is_malicious($str)
 {
+    // If it is an array, do not check here (it is already handled in the validation loop).
+    if (is_array($str)) return false;
+
     $patterns = [
-        '/<script\b/i',
-        '/(and|or)\s+\d+=\d+/i',
-        '/[\'"`]\s*(or|and)?\s*\d+=\d+/i',
-        '/[\'"`]\s*--/',
-        '/<.*?>/',
-        '/\b(select|union|insert|delete|update|drop|eval|alert)\b/i'
+        '/<script\b/i',             // XSS
+        '/(and|or)\s+\d+=\d+/i',    // Classic SQLi (1=1)
+        '/[\'"`]\s*(or|and)?\s*\d+=\d+/i', // SQLi with quotation marks
+        '/union\s+select/i',        // SQLi Union
+        '/information_schema/i',    // SQLi Recon
+        '/into\s+outfile/i',        // SQLi Arquivo
+        '/\.\.\//',                 // Path Traversal (../)
+        '/\.\.\\%2F/i',             // Path Traversal URL Encoded
+        '/etc\/passwd/i',           // Access to system files
+        '/cmd\.exe/i'               // Command execution
     ];
+
     foreach ($patterns as $pattern) {
         if (preg_match($pattern, $str)) return true;
     }
     return false;
 }
 
-
-// Function that validates entries
+/**
+ * Validates all inputs (GET/POST) against a whitelist of known parameters.
+ * Blocks unknown keys and malicious values.
+ */
 function validate_inputs($inputs, $source = 'INPUT')
 {
     $ip = get_client_ip();
+
+    // 1. WHITE LIST: Only these parameters are accepted in OPAC.
+    // Anything outside of this will be considered suspicious.
+    $allowed_params = [
+        // Infrastructure
+        'base',
+        'cipar',
+        'ctx',
+        'lang',
+        'db_path',
+        'modo',
+        'integrada',
+        'lista_bases',
+
+        // Search and Navigation
+        'Opcion',
+        'Expresion',
+        'Sub_Expresion',
+        'Sub_Expresiones',
+        'camp',
+        'oper',
+        'pagina',
+        'desde',
+        'count',
+        'resaltar',
+        'Formato',
+        'coleccion',
+        'alcance',
+        'prefijo',
+        'prefijoindice',
+        'campo',
+        'id',
+        'Diccio',
+        'letra',
+        'ira',
+        'posting',
+        'columnas',
+        'facetas',
+        'termosLivres',
+        'search_form',
+
+        // Actions and User
+        'cookie',
+        'Accion',
+        'sendto',
+        'mfn',
+        'k', // k = permalink
+        'login',
+        'password',
+        'conf_level',
+        'redirect',
+        'existencias',
+
+        // Preview
+        'titulo',
+        'titulo_c',
+        'submenu',
+        'mostrar_exp',
+        'home',
+        'Pft',
+        'decodificar',
+        'page',
+        'llamado_desde',
+        'Navegacion',
+        'LastKey',
+        'Seleccionados',
+
+        // Session / Admin (if applicable)
+        'sid',
+        'token'
+    ];
+
     foreach ($inputs as $key => $value) {
+
+        // 2. KEY VERIFICATION (PARAMETER NAME)
+        if (!in_array($key, $allowed_params)) {
+            // Silently attempts or blocks
+            error_log("⚠️ [OPAC SEC] IP $ip tried unknown parameter: [$key]");
+
+            // To be rigid and block:
+            die("Access Blocked: Invalid parameter detected ($key).");
+
+            // If you prefer to simply ignore the parameter (softer approach):
+            // unset($_REQUEST[$key]); 
+            // continue;
+        }
+
+        // 3. VALUE VERIFICATION (CONTENT)
         if (is_array($value)) {
+            // Recursive validation for arrays (ex: camp[], Sub_Expresiones[])
             foreach ($value as $subval) {
                 if (is_malicious($subval)) {
-                    error_log("⚠️ Blocked IP attack $ip: $source [$key] => $subval");
-                    die("Invalid input detected.<br><h1> Registered IP: $ip");
+                    error_log("⚠️ [OPAC SEC] IP $ip ataque detectado em array [$key]: $subval");
+                    die("Conteúdo inválido detectado.");
                 }
             }
         } else {
             if (is_malicious($value)) {
-                error_log("⚠️ Blocked IP attack $ip: $source [$key] => $value");
-                die("Invalid input detected. <h1> Registered IP: $ip");
+                error_log("⚠️ [OPAC SEC] IP $ip ataque detectado em [$key]: $value");
+                die("Conteúdo inválido detectado.");
             }
         }
     }
 }
 
-// Apply validation
-validate_inputs($_GET, 'GET');
-validate_inputs($_POST, 'POST');
-validate_inputs($_REQUEST, 'REQUEST');
+// Automatic execution on inclusion
+// If you want to enable it automatically, uncomment the lines below.
+// Otherwise, call validate_inputs($_REQUEST) at the beginning of the main scripts.
+/*
+if (!empty($_GET)) validate_inputs($_GET, 'GET');
+if (!empty($_POST)) validate_inputs($_POST, 'POST');
+*/

www/htdocs/opac/functions/log_buscas.php

@@ -7,44 +7,90 @@
 *
 * CHANGE LOG:
 * 2025-10-06 rogercgui Added length limits for valid search terms.
+* 2025-12-11 rogercgui Added BOT detection and System/Hack filtering.
 */
 
 /**
  * Records the search term in a monthly log file.
+ * Only records REAL searches from humans, ignoring bots and system codes.
  * * @param string $termo The search term to be registered.
  */
 function registrar_log_busca($termo)
 {
     global $db_path;
 
-    $clean_term = str_replace(["\r", "\n"], ' ', $termo);
+    // 1. BASIC CLEANING
+    $clean_term = str_replace(["\r", "\n", "\t"], ' ', $termo);
     $clean_term = strip_tags($clean_term);
     $clean_term = trim($clean_term);
-    // Sets size limits for a valid search (minimum of 2 and maximum of 255 characters).
+
+    // 2. SIZE VALIDATION
     $min_length = 2;
     $max_length = 255;
     $length_atual = mb_strlen($clean_term, 'UTF-8');
 
-    // FINAL CHECK: If the term is too short, too long, or empty, the function stops here.
     if ($length_atual < $min_length || $length_atual > $max_length) {
-        return; // Stops execution, does NOT record the log.
+        return;
+    }
+
+    // 3. DETECTION OF ROBOTS (CRAWLERS)
+    // If the visitor is an identified robot, we ignore the recording.
+    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
+    $bots = array(
+        'bot',
+        'crawl',
+        'spider',
+        'slurp',
+        'facebook',
+        'curl',
+        'wget',
+        'python',
+        'java',
+        'libwww',
+        'httpunit',
+        'nmap',
+        'sqlmap'
+    );
+
+    foreach ($bots as $bot) {
+        if (strpos($user_agent, $bot) !== false) {
+            return; // É robô, tchau!
+        }
+    }
+
+    // 4. SYSTEM JUNK FILTER AND ATTACKS
+    // Removes searches that are clicks on facets/indexes (e.g., FUL_, NOM_) or attacks (../)
+    // If the term begins with 3 capital letters and an underscore, it is likely a system term.
+    if (preg_match('/^[A-Z]{2,4}_/', $clean_term)) {
+        return; // É código interno (Facetas, Índices), não busca digitada.
     }
 
-    // The rest of the script only continues if the term is valid.
-    $log_dir = $db_path . "/opac_conf/logs/";
+    // Blocks Directory Traversal attempts (common attack in your logs)
+    if (strpos($clean_term, '../') !== false || strpos($clean_term, '..%2F') !== false) {
+        return; // Tentativa de ataque, não sujar o log de busca.
+    }
+
+    // --- IF YOU'VE BEEN THROUGH ALL THAT, IT'S A VALID SEARCH ---
+
+    $log_dir = $db_path . "log";
+
+    // Checks whether the log directory exists
     if (!is_dir($log_dir)) {
-        mkdir($log_dir, 0775, true);
+        if (!mkdir($log_dir, 0777, true)) {
+            return;
+        }
     }
 
-    $nome_arquivo_log = "opac_" . date("Y-m") . ".log";
-    $arquivo = $log_dir . $nome_arquivo_log;
+    $filename = $log_dir . "/opac_" . date("Y-m") . ".log";
 
+    // Get the real IP (considering proxies if necessary)
     $ip = $_SERVER['REMOTE_ADDR'];
-    $data = date("Y-m-d H:i:s");
+    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
 
-    $line = "$data\t$ip\t$clean_term\n";
+    $log_entry = date("Y-m-d H:i:s") . "\t" . $ip . "\t" . $clean_term . PHP_EOL;
 
-    file_put_contents($arquivo, $line, FILE_APPEND | LOCK_EX);
+    // Write to file
+    file_put_contents($filename, $log_entry, FILE_APPEND | LOCK_EX);
 }
-
-?>

www/htdocs/opac/head.php

@@ -24,6 +24,7 @@
 
 include_once(dirname(__FILE__) . "/../central/config_opac.php");
 include $Web_Dir . 'functions.php';
+validate_inputs($_REQUEST);
 
 // Definition of safety headers
 $nonce = base64_encode(random_bytes(16));