├── .codacy.yml
├── .gitattributes
├── .github
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ └── feature_request.md
└── workflows
│ ├── automatic-releases.yml
│ ├── dependency-review.yml
│ └── snyk-infrastructure.yml
├── .gitignore
├── .htaccess
├── .security-scan
├── .version
├── LICENSE
├── Modules
├── .htaccess
├── Database_example.env
└── functions.php
├── Public
├── assets
│ ├── css
│ │ ├── error.css
│ │ └── style.css
│ ├── img
│ │ ├── favicon-1000x1000.png
│ │ ├── favicon-100x100.png
│ │ ├── favicon-255x255.png
│ │ ├── favicon-500x500.png
│ │ └── favicon-50x50.png
│ └── js
│ │ ├── autoConfigurationChecks.js
│ │ ├── buttonCopyURL.js
│ │ ├── formContentUpdate.js
│ │ └── globalFunctions.js
├── dataProcessing.php
├── error_docs
│ ├── 403.php
│ ├── 404.php
│ ├── 500.php
│ ├── DatabaseConfig.php
│ ├── DatabaseCredentials.php
│ └── ServerConfiguration.php
├── index.php
└── view.php
├── README.md
├── SECURITY.md
├── actions.yml
├── favicon.ico
└── index.php
/.codacy.yml:
--------------------------------------------------------------------------------
---
# Codacy configuration.
# Every engine listed under `engines` skips config/engines.yml; the `css`
# language entry adds .scss to the scanned extensions and skips the shipped
# stylesheets under Public/assets/css/.
engines:
  # NOTE(review): rubocop is a Ruby linter; confirm it is wanted for this
  # (PHP / JS) repository, otherwise it only adds noise to the report.
  rubocop:
    exclude_paths:
      - config/engines.yml
  duplication:
    exclude_paths:
      - config/engines.yml
  metric:
    exclude_paths:
      - config/engines.yml
languages:
  css:
    extensions:
      - '.scss'
    exclude_paths:
      - "Public/assets/css/**"
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Classify .env files (e.g. Modules/Database_example.env) as "ENV" for Linguist.
*.env linguist-language=ENV
# NOTE(review): gitattributes patterns use gitignore syntax, where a leading
# "./" is not a recognised prefix, so this line probably matches nothing.
# If the intent is to mark the whole tree as documentation, "*" is the usual
# pattern — confirm before changing. Also note that .gitignore lists
# .gitattributes, which has no effect on this already-tracked file.
./* linguist-documentation
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: Bug/Issue Report
5 | labels: bug, security, enhancement
6 | assignees: axtonprice
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is. Do not submit a bug report if you are not using the latest QuickBlaze version!
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '....'
17 | 3. Scroll down to '....'
18 | 4. See error
19 |
20 | **Expected behavior**
21 | A clear and concise description of what you expected to happen.
22 |
23 | **Screenshots**
24 | If applicable, add screenshots to help explain your problem.
25 |
26 | **Desktop (please complete the following information):**
27 | - OS: [e.g. iOS]
28 | - Browser [e.g. chrome, safari]
29 | - Version [e.g. 22]
30 |
31 | **Smartphone (please complete the following information):**
32 | - Device: [e.g. iPhone6]
33 | - OS: [e.g. iOS8.1]
34 | - Browser [e.g. stock browser, safari]
35 | - Version [e.g. 22]
36 |
37 | **Additional context**
38 | Add any other context about the problem here.
39 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: Feature Request
5 | labels: enhancement, feature-request
6 | assignees: axtonprice
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/.github/workflows/automatic-releases.yml:
--------------------------------------------------------------------------------
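name: 'Release'

on:
  push:
    branches:
      - "main"
  workflow_dispatch:
    inputs:
      semver:
        description: 'Which version you want to increment? Use MAJOR, MINOR or PATCH'
        required: true
        default: 'PATCH'
      label:
        description: 'Add Labels. i.e final, alpha, rc'
        required: true
        # NOTE(review): this default carries a leading space; confirm it is
        # intentional, since it is passed verbatim to the release action.
        default: ' Stable'

# Least privilege for GITHUB_TOKEN: creating tags and releases needs write
# access to repository contents and nothing else. Without an explicit block
# the token receives whatever the repository's default permissions are.
permissions:
  contents: write

jobs:
  release:
    name: 'Release'
    runs-on: 'ubuntu-latest'

    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3

      # Placeholder build step; nothing is built yet.
      - name: '👷♂️ Build'
        run: |
          echo "BUILD COMPLETE 👍"

      # Placeholder test step; nothing is tested yet.
      - name: '🧪 TEST'
        run: |
          echo "TESTS PASSED 🎉"

      # TODO(review): '@latest' is a mutable tag, so the code this step runs
      # can change without any change to this repository. Pin the action to a
      # full commit SHA (rui-costa/action-automatic-semver-releases@<commit-sha>),
      # as snyk-infrastructure.yml already does for its third-party action.
      - uses: 'rui-costa/action-automatic-semver-releases@latest'
        name: "Automatic Release Update"
        with:
          TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          # On a plain push to main there are no workflow_dispatch inputs, so
          # these expressions were empty; fall back to the declared defaults.
          SEMVER: "${{ github.event.inputs.semver || 'PATCH' }}"
          LABEL: "${{ github.event.inputs.label || ' Stable' }}"
          # NOTE(review): no step in this job has `id: gen-notes`, so this
          # expression evaluates to an empty string. Add a step with that id
          # that sets a `notes` output, or drop this input.
          NOTES: '${{ steps.gen-notes.outputs.notes }}'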
44 |
--------------------------------------------------------------------------------
/.github/workflows/dependency-review.yml:
--------------------------------------------------------------------------------
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on: [pull_request]

# Read-only token: the review only needs to read the PR's manifest files.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      # NOTE(review): v1 is an early major of this action and newer majors
      # exist; check the source repository above before relying on it as a
      # required check.
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v1
21 |
--------------------------------------------------------------------------------
/.github/workflows/snyk-infrastructure.yml:
--------------------------------------------------------------------------------
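# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which checks out your Infrastructure as Code Configuration files,
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
# The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/

name: Snyk Infrastructure as Code

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '35 8 * * 1'

permissions:
  contents: read

jobs:
  snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Snyk to check configuration files for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the issues to GitHub Code Scanning
        # (continue-on-error keeps the job alive so the upload step below runs).
        continue-on-error: true
        uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
        env:
          # In order to use the Snyk Action you will need to have a Snyk API token.
          # More details in https://github.com/snyk/actions#getting-your-snyk-token
          # or you can signup for free at https://snyk.io/login
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # Add the path to the configuration file that you would like to test.
          # For example `deployment.yaml` for a Kubernetes deployment manifest
          # or `main.tf` for a Terraform configuration file
          # NOTE(review): null passes no path at all; confirm the action then
          # scans the checkout root rather than nothing, or set a path here.
          file: null
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Upload the SARIF the Snyk step just produced (snyk.sarif is the
          # Snyk actions' output file). Pointing this at the committed
          # .security-scan file uploaded a static, pre-existing report instead
          # of this run's findings, so Code Scanning never saw fresh results.
          sarif_file: snyk.sarif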
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Quickblaze Files
.vscode/
.stashed/
# NOTE(review): .gitattributes is already tracked (it appears in the repo
# tree), and an ignore rule never applies to a tracked file; either untrack
# it or drop this line.
.gitattributes
.dccache

# QuickBlaze Security
# Runtime data and the real database credentials must never be committed;
# only the template Modules/Database_example.env is tracked.
local-storage
Modules/Database.env
.config

# QuickBlaze Composer
vendor/
# NOTE(review): for an application (as opposed to a library) committing
# composer.lock pins the exact dependency tree, which is what the
# dependency-review workflow can then check; consider tracking it.
composer.lock

# Docker (Unreleased)
Dockerfile
.dockerignore
19 |
--------------------------------------------------------------------------------
/.htaccess:
--------------------------------------------------------------------------------
# URL handling
# Route every request that is not an existing file or directory to the
# front controller, preserving the query string (QSA).
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.* index.php [L,QSA]

# Error handling
# These paths are not files on disk, so presumably the rewrite above hands
# them to index.php as well — verify against index.php's routing.
ErrorDocument 404 /404
ErrorDocument 403 /403
ErrorDocument 500 /500

# File security
# NOTE(review): the two directives below have no enclosing <Files> /
# <FilesMatch> container in this listing (the line above them is empty, so
# the container may have been stripped as markup). Applied at directory
# level they deny access to everything, including index.php. Restore the
# container naming the files to protect, and on Apache 2.4 note that
# Order/Deny need mod_access_compat — "Require all denied" is the native form.

Order allow,deny
Deny from all
16 |
--------------------------------------------------------------------------------
/.security-scan:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
3 | "version": "2.1.0",
4 | "runs": [
5 | {
6 | "tool": {
7 | "driver": {
8 | "name": "SnykCode",
9 | "semanticVersion": "1.0.0",
10 | "version": "1.0.0",
11 | "rules": [
12 | {
13 | "id": "php/PT",
14 | "name": "PT",
15 | "shortDescription": {
16 | "text": "Path Traversal"
17 | },
18 | "defaultConfiguration": {
19 | "level": "error"
20 | },
21 | "help": {
22 | "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. 
Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```",
23 | "text": ""
24 | },
25 | "properties": {
26 | "tags": [
27 | "php"
28 | ],
29 | "categories": [
30 | "Security"
31 | ],
32 | "exampleCommitFixes": [
33 | {
34 | "commitURL": "https://github.com/pfsense/pfsense-packages/commit/0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b?diff=split#diff-7d40bbc944bdd9d0ac99f1e375807fb3L98",
35 | "lines": [
36 | {
37 | "line": "if (isset($_POST['upload'])) {",
38 | "lineNumber": 96,
39 | "lineChange": "none"
40 | },
41 | {
42 | "line": " if ($_FILES[\"sidmods_fileup\"][\"error\"] == UPLOAD_ERR_OK) {",
43 | "lineNumber": 97,
44 | "lineChange": "none"
45 | },
46 | {
47 | "line": " $tmp_name = $_FILES[\"sidmods_fileup\"][\"tmp_name\"];",
48 | "lineNumber": 98,
49 | "lineChange": "none"
50 | },
51 | {
52 | "line": " $name = $_FILES[\"sidmods_fileup\"][\"name\"];",
53 | "lineNumber": 99,
54 | "lineChange": "removed"
55 | },
56 | {
57 | "line": " $name = basename($_FILES[\"sidmods_fileup\"][\"name\"]);",
58 | "lineNumber": 99,
59 | "lineChange": "added"
60 | },
61 | {
62 | "line": " move_uploaded_file($tmp_name, \"{$sidmods_path}{$name}\");",
63 | "lineNumber": 100,
64 | "lineChange": "none"
65 | },
66 | {
67 | "line": " }",
68 | "lineNumber": 101,
69 | "lineChange": "none"
70 | },
71 | {
72 | "line": " else",
73 | "lineNumber": 102,
74 | "lineChange": "none"
75 | }
76 | ]
77 | },
78 | {
79 | "commitURL": "https://github.com/ExchangeWorld/ExchangeWorld/commit/606aa8b3eb707f1cd1831fb663a8f415a463aa05?diff=split#diff-041d983df8c7b46dbc24f32fb39de8feL4",
80 | "lines": [
81 | {
82 | "line": " 'URL parameter not found'];",
329 | "lineNumber": 130,
330 | "lineChange": "none"
331 | },
332 | {
333 | "line": "}",
334 | "lineNumber": 131,
335 | "lineChange": "none"
336 | },
337 | {
338 | "line": "header('Access-Control-Allow-Origin: *');",
339 | "lineNumber": 132,
340 | "lineChange": "removed"
341 | },
342 | {
343 | "line": "$urlHost = $_SERVER['HTTP_HOST'];",
344 | "lineNumber": 133,
345 | "lineChange": "added"
346 | },
347 | {
348 | "line": "header('Access-Control-Allow-Origin: '.$urlHost);",
349 | "lineNumber": 135,
350 | "lineChange": "added"
351 | },
352 | {
353 | "line": "header('Content-type: application/json', true);",
354 | "lineNumber": 136,
355 | "lineChange": "none"
356 | }
357 | ]
358 | },
359 | {
360 | "commitURL": "https://github.com/wgenial/cartrolandofc/commit/3d69f64001ffe84e89404bcd4ca627d2d1e95a33?diff=split#diff-5b9b7bac226602d432ba9969f7986f37L9",
361 | "lines": [
362 | {
363 | "line": " */",
364 | "lineNumber": 6,
365 | "lineChange": "none"
366 | },
367 | {
368 | "line": "header(\"Access-Control-Allow-Origin: *\");",
369 | "lineNumber": 8,
370 | "lineChange": "removed"
371 | },
372 | {
373 | "line": "header('Content-type: application/json');",
374 | "lineNumber": 9,
375 | "lineChange": "removed"
376 | },
377 | {
378 | "line": "header('Content-type: application/json;charset=UTF-8');",
379 | "lineNumber": 8,
380 | "lineChange": "added"
381 | },
382 | {
383 | "line": " if (isset($_GET[\"api\"]) and $_GET[\"api\"] !== \"\") {",
384 | "lineNumber": 11,
385 | "lineChange": "none"
386 | }
387 | ]
388 | }
389 | ],
390 | "exampleCommitDescriptions": [
391 | "CORS added, DEMO constant deleted",
392 | "added handling of response headers overrides by config"
393 | ],
394 | "precision": "very-high",
395 | "repoDatasetSize": 26,
396 | "cwe": [
397 | "CWE-942",
398 | "CWE-346"
399 | ]
400 | }
401 | },
402 | {
403 | "id": "php/XSS",
404 | "name": "XSS",
405 | "shortDescription": {
406 | "text": "Cross-site Scripting (XSS)"
407 | },
408 | "defaultConfiguration": {
409 | "level": "error"
410 | },
411 | "help": {
412 | "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.",
413 | "text": ""
414 | },
415 | "properties": {
416 | "tags": [
417 | "php"
418 | ],
419 | "categories": [
420 | "Security"
421 | ],
422 | "exampleCommitFixes": [
423 | {
424 | "commitURL": "https://github.com/minkphp/Mink/commit/232919c0c44a2b35d410373c12db404b709ec25c?diff=split#diff-b51e2215d4bd4e189c9360d91a412970L6",
425 | "lines": [
426 | {
427 | "line": " setcookie(\"tc\", $_POST['cookie_value'], null, '/');",
428 | "lineNumber": 3,
429 | "lineChange": "none"
430 | },
431 | {
432 | "line": "} elseif (isset($_GET[\"show_value\"])) {",
433 | "lineNumber": 4,
434 | "lineChange": "none"
435 | },
436 | {
437 | "line": " echo $_COOKIE[\"tc\"];",
438 | "lineNumber": 5,
439 | "lineChange": "removed"
440 | },
441 | {
442 | "line": " echo htmlspecialchars($_COOKIE[\"tc\"], ENT_QUOTES, 'UTF-8');",
443 | "lineNumber": 5,
444 | "lineChange": "added"
445 | },
446 | {
447 | "line": " die();",
448 | "lineNumber": 6,
449 | "lineChange": "none"
450 | },
451 | {
452 | "line": "}",
453 | "lineNumber": 7,
454 | "lineChange": "none"
455 | }
456 | ]
457 | },
458 | {
459 | "commitURL": "https://github.com/yunluo/Git/commit/1cb7eddf43f770c055cd685c7f73bb3dac713789?diff=split#diff-34390932035b5d4fd059e5e9a4c629b6L69",
460 | "lines": [
461 | {
462 | "line": " the_content(); ?>",
463 | "lineNumber": 66,
464 | "lineChange": "none"
465 | },
466 | {
467 | "line": "