headers migrados para rotas e padronização de sanitização de urls

Author: altendorfme

app/inc/URLAnalyzer.php

@@ -234,33 +234,27 @@ public function analyze($url)
         // Reset das regras ativadas para nova análise
         $this->activatedRules = [];
 
-        // 1. Clean URL / Limpa a URL
-        $cleanUrl = $this->cleanUrl($url);
-        if (!$cleanUrl) {
-            $this->throwError(self::ERROR_INVALID_URL);
-        }
-
-        // 2. Check cache / Verifica cache
-        if ($this->cache->exists($cleanUrl)) {
-            return $this->cache->get($cleanUrl);
+        // 1. Check cache / Verifica cache
+        if ($this->cache->exists($url)) {
+            return $this->cache->get($url);
         }
 
-        // 3. Check blocked domains / Verifica domínios bloqueados
-        $host = parse_url($cleanUrl, PHP_URL_HOST);
+        // 2. Check blocked domains / Verifica domínios bloqueados
+        $host = parse_url($url, PHP_URL_HOST);
         if (!$host) {
             $this->throwError(self::ERROR_INVALID_URL);
         }
         $host = preg_replace('/^www\./', '', $host);
 
         if (in_array($host, BLOCKED_DOMAINS)) {
-            Logger::getInstance()->logUrl($cleanUrl, 'BLOCKED_DOMAIN');
+            Logger::getInstance()->logUrl($url, 'BLOCKED_DOMAIN');
             $this->throwError(self::ERROR_BLOCKED_DOMAIN);
         }
 
-        // Check URL status code before proceeding
-        $redirectInfo = $this->checkStatus($cleanUrl);
+        // 3. Check URL status code before proceeding
+        $redirectInfo = $this->checkStatus($url);
         if ($redirectInfo['httpCode'] !== 200) {
-            Logger::getInstance()->logUrl($cleanUrl, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
+            Logger::getInstance()->logUrl($url, 'INVALID_STATUS_CODE', "HTTP {$redirectInfo['httpCode']}");
             if ($redirectInfo['httpCode'] === 404) {
                 $this->throwError(self::ERROR_NOT_FOUND);
             } else {
@@ -279,33 +273,33 @@ public function analyze($url)
                     $content = null;
                     switch ($fetchStrategy) {
                         case 'fetchContent':
-                            $content = $this->fetchContent($cleanUrl);
+                            $content = $this->fetchContent($url);
                             break;
                         case 'fetchFromWaybackMachine':
-                            $content = $this->fetchFromWaybackMachine($cleanUrl);
+                            $content = $this->fetchFromWaybackMachine($url);
                             break;
                         case 'fetchFromSelenium':
-                            $content = $this->fetchFromSelenium($cleanUrl, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
+                            $content = $this->fetchFromSelenium($url, isset($domainRules['browser']) ? $domainRules['browser'] : 'firefox');
                             break;
                     }
 
                     if (!empty($content)) {
                         $this->activatedRules[] = "fetchStrategy: $fetchStrategy";
-                        $processedContent = $this->processContent($content, $host, $cleanUrl);
-                        $this->cache->set($cleanUrl, $processedContent);
+                        $processedContent = $this->processContent($content, $host, $url);
+                        $this->cache->set($url, $processedContent);
                         return $processedContent;
                     }
                 } catch (Exception $e) {
-                    Logger::getInstance()->logUrl($cleanUrl, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
+                    Logger::getInstance()->logUrl($url, strtoupper($fetchStrategy) . '_ERROR', $e->getMessage());
                     throw $e;
                 }
             }
 
             // 5. Try all strategies in sequence
             $fetchStrategies = [
-                ['method' => 'fetchContent', 'args' => [$cleanUrl]],
-                ['method' => 'fetchFromWaybackMachine', 'args' => [$cleanUrl]],
-                ['method' => 'fetchFromSelenium', 'args' => [$cleanUrl, 'firefox']]
+                ['method' => 'fetchContent', 'args' => [$url]],
+                ['method' => 'fetchFromWaybackMachine', 'args' => [$url]],
+                ['method' => 'fetchFromSelenium', 'args' => [$url, 'firefox']]
             ];
 
             $lastError = null;
@@ -314,8 +308,8 @@ public function analyze($url)
                     $content = call_user_func_array([$this, $strategy['method']], $strategy['args']);
                     if (!empty($content)) {
                         $this->activatedRules[] = "fetchStrategy: {$strategy['method']}";
-                        $processedContent = $this->processContent($content, $host, $cleanUrl);
-                        $this->cache->set($cleanUrl, $processedContent);
+                        $processedContent = $this->processContent($content, $host, $url);
+                        $this->cache->set($url, $processedContent);
                         return $processedContent;
                     }
                 } catch (Exception $e) {
@@ -326,7 +320,7 @@ public function analyze($url)
             }
 
             // If we get here, all strategies failed
-            Logger::getInstance()->logUrl($cleanUrl, 'GENERAL_FETCH_ERROR');
+            Logger::getInstance()->logUrl($url, 'GENERAL_FETCH_ERROR');
             if ($lastError) {
                 $message = $lastError->getMessage();
                 if (strpos($message, 'DNS') !== false) {
@@ -432,8 +426,8 @@ private function fetchContent($url)
      */
     private function fetchFromWaybackMachine($url)
     {
-        $cleanUrl = preg_replace('#^https?://#', '', $url);
-        $availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($cleanUrl);
+        $url = preg_replace('#^https?://#', '', $url);
+        $availabilityUrl = "https://archive.org/wayback/available?url=" . urlencode($url);
 
         $curl = new Curl();
         $curl->setOpt(CURLOPT_FOLLOWLOCATION, true);
@@ -552,36 +546,6 @@ private function fetchFromSelenium($url, $browser = 'firefox')
         }
     }
 
-    /**
-     * Clean and normalize a URL
-     * Limpa e normaliza uma URL
-     */
-    private function cleanUrl($url)
-    {
-        $url = trim($url);
-
-        if (!filter_var($url, FILTER_VALIDATE_URL)) {
-            return false;
-        }
-
-        if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
-            $url = 'https://' . $matches[2] . $matches[3];
-        }
-
-        $parts = parse_url($url);
-        if (!isset($parts['scheme']) || !isset($parts['host'])) {
-            return false;
-        }
-        
-        $cleanedUrl = $parts['scheme'] . '://' . $parts['host'];
-        
-        if (isset($parts['path'])) {
-            $cleanedUrl .= $parts['path'];
-        }
-        
-        return $cleanedUrl;
-    }
-
     /**
      * Get specific rules for a domain
      * Obtém regras específicas para um domínio

app/src/Router.php

@@ -50,21 +50,19 @@ public function __construct()
                 $message_type = '';
                 $url = '';
 
-                // Processa mensagens da query string
-                // Process query string messages
+                // Sanitize and process query string messages
                 if (isset($_GET['message'])) {
-                    $message_key = $_GET['message'];
+                    $message_key = htmlspecialchars(trim($_GET['message']), ENT_QUOTES | ENT_HTML5, 'UTF-8');
                     $messageData = \Language::getMessage($message_key);
-                    $message = $messageData['message'];
-                    $message_type = $messageData['type'];
+                    $message = htmlspecialchars($messageData['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
+                    $message_type = htmlspecialchars($messageData['type'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
                 }
 
-                // Processa submissão do formulário
                 // Process form submission
                 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['url'])) {
-                    $url = filter_var($_POST['url'], FILTER_SANITIZE_URL);
+                    $url = $this->sanitizeUrl($_POST['url']);
                     if (filter_var($url, FILTER_VALIDATE_URL)) {
-                        header('Location: ' . SITE_URL . '/p/' . urlencode($url));
+                        header('Location: ' . SITE_URL . '/p/' . $url);
                         exit;
                     } else {
                         $messageData = \Language::getMessage('INVALID_URL');
@@ -84,7 +82,7 @@ public function __construct()
             // Rota da API - usa URLProcessor em modo API
             // API route - uses URLProcessor in API mode
             $r->addRoute('GET', '/api/{url:.+}', function($vars) {
-                $processor = new URLProcessor($vars['url'], true);
+                $processor = new URLProcessor($this->sanitizeUrl($vars['url']), true);
                 $processor->process();
             });
 
@@ -98,23 +96,23 @@ public function __construct()
             // Rota de processamento - usa URLProcessor em modo web
             // Processing route - uses URLProcessor in web mode
             $r->addRoute('GET', '/p/{url:.+}', function($vars) {
-                $processor = new URLProcessor($vars['url'], false);
+                $processor = new URLProcessor($this->sanitizeUrl($vars['url']), false);
                 $processor->process();
             });
 
-            // Rota de processamento com query parameter ou sem parâmetros
             // Processing route with query parameter or without parameters
             $r->addRoute('GET', '/p[/]', function() {
                 if (isset($_GET['url']) || isset($_GET['text'])) {
-                    $url = isset($_GET['url']) ? $_GET['url'] : '';
-                    $text = isset($_GET['text']) ? $_GET['text'] : '';
+                    // Sanitize input parameters
+                    $url = isset($_GET['url']) ? $this->sanitizeUrl($_GET['url']) : '';
+                    $text = isset($_GET['text']) ? $this->sanitizeUrl($_GET['text']) : '';
 
                     // Check which parameter is a valid URL
                     if (filter_var($url, FILTER_VALIDATE_URL)) {
-                        header('Location: /p/' . urlencode($url));
+                        header('Location: /p/' . $url);
                         exit;
                     } elseif (filter_var($text, FILTER_VALIDATE_URL)) {
-                        header('Location: /p/' . urlencode($text));
+                        header('Location: /p/' . $text);
                         exit;
                     } else {
                         header('Location: /?message=INVALID_URL');
@@ -134,11 +132,73 @@ public function __construct()
     }
 
     /**
-     * Despacha a requisição para a rota apropriada
-     * Dispatches the request to the appropriate route
+     * Sanitizes URLs to prevent XSS and injection attacks
+     * Sanitiza URLs para prevenir ataques XSS e injeções
+     * 
+     * @param string $url The URL to sanitize
+     * @return string The sanitized URL
      */
+    /**
+     * Sanitizes and normalizes URLs
+     * Sanitiza e normaliza URLs
+     * 
+     * @param string $url The URL to sanitize and normalize
+     * @return string|false The cleaned URL or false if invalid
+     */
+    private function sanitizeUrl(string $url): string
+    {
+        $url = trim($url);
+
+        // Basic URL validation
+        if (!filter_var($url, FILTER_VALIDATE_URL)) {
+            return '';
+        }
+
+        // Handle AMP URLs
+        if (preg_match('#https://([^.]+)\.cdn\.ampproject\.org/v/s/([^/]+)(.*)#', $url, $matches)) {
+            $url = 'https://' . $matches[2] . $matches[3];
+        }
+
+        // Parse and reconstruct URL to ensure proper structure
+        $parts = parse_url($url);
+        if (!isset($parts['scheme']) || !isset($parts['host'])) {
+            return '';
+        }
+        
+        $cleanedUrl = $parts['scheme'] . '://' . $parts['host'];
+        
+        if (isset($parts['path'])) {
+            $cleanedUrl .= $parts['path'];
+        }
+        
+        // Remove control characters and sanitize
+        $cleanedUrl = preg_replace('/[\x00-\x1F\x7F]/', '', $cleanedUrl);
+        $cleanedUrl = filter_var($cleanedUrl, FILTER_SANITIZE_URL);
+        
+        // Convert special characters to HTML entities
+        return htmlspecialchars($cleanedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+    }
+
+    /**
+     * Sets security headers for all responses
+     * Define cabeçalhos de segurança para todas as respostas
+     */
+    private function setSecurityHeaders()
+    {
+        // Set security headers
+        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
+        header("X-Content-Type-Options: nosniff");
+        header("X-Frame-Options: DENY");
+        header("X-XSS-Protection: 1; mode=block");
+        header("Referrer-Policy: strict-origin-when-cross-origin");
+        header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+        header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
+    }
+
     public function dispatch()
     {
+        $this->setSecurityHeaders();
+        
         $httpMethod = $_SERVER['REQUEST_METHOD'];
         $uri = $_SERVER['REQUEST_URI'];
 

app/src/URLProcessor.php

@@ -31,7 +31,7 @@ public function __construct(string $url = '', bool $isApi = false)
         require_once __DIR__ . '/../inc/URLAnalyzer.php';
         require_once __DIR__ . '/../inc/Language.php';
 
-        $this->url = urldecode($url);
+        $this->url = $url;
         $this->isApi = $isApi;
         $this->analyzer = new \URLAnalyzer();
 
@@ -82,20 +82,6 @@ private function redirect(string $path, string $message = ''): void
      */
     public function process(): void
     {
-        // Validate URL format
-        if (!filter_var($this->url, FILTER_VALIDATE_URL)) {
-            if ($this->isApi) {
-                $this->sendApiResponse([
-                    'error' => [
-                        'type' => \URLAnalyzer::ERROR_INVALID_URL,
-                        'message' => \Language::getMessage('INVALID_URL')['message']
-                    ]
-                ], 400);
-            } else {
-                $this->redirect(SITE_URL, \URLAnalyzer::ERROR_INVALID_URL);
-            }
-        }
-
         try {
             // Check for redirects in web mode
             if (!$this->isApi) {

default.conf

@@ -11,26 +11,8 @@ server {
     # Oculta a versão do NGINX para reduzir informações expostas
     server_tokens off;
 
-    # Security Headers / Cabeçalhos de Segurança
-    # Enable HSTS (HTTP Strict Transport Security) to force HTTPS connections
-    # Habilita HSTS (HTTP Strict Transport Security) para forçar conexões HTTPS
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    
-    # Prevent clickjacking attacks by allowing the site to be displayed only in its own domain
-    # Previne ataques de clickjacking, permitindo que o site seja exibido apenas em seu próprio domínio
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    
-    # Enable protection against Cross-Site Scripting (XSS) attacks
-    # Ativa proteção contra ataques de Cross-Site Scripting (XSS)
-    add_header X-XSS-Protection "1; mode=block" always;
-    
-    # Prevent browsers from MIME-type sniffing
-    # Impede que navegadores tentem adivinhar (sniff) o tipo MIME dos arquivos
-    add_header X-Content-Type-Options "nosniff" always;
-    
-    # Control how referrer headers are sent
-    # Controla como os cabeçalhos de referência são enviados
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    # NGINX-specific security configurations
+    # Configurações de segurança específicas do NGINX
 
     # Limit upload size to prevent denial of service attacks
     # Limita o tamanho de uploads para prevenir ataques de negação de serviço