Response: Format response objects and data automatically + remove dan…

…gerous keys like password
baraja-core · Jan 6, 2020 · 4e30f6c · 4e30f6c
1 parent 4f01c70
commit 4e30f6c
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 1 deletion.
diff --git a/src/Response/BaseResponse.php b/src/Response/BaseResponse.php
@@ -5,9 +5,16 @@
 namespace Baraja\StructuredApi;
 
 
+use Tracy\Debugger;
+use Tracy\ILogger;
+
 abstract class BaseResponse
 {
 
+	public static $keysToHide = ['password', 'passwd', 'pass', 'pwd', 'creditcard', 'credit card', 'cc', 'pin'];
+
+	public static $hiddenKeyLabel = '*****';
+
 	/**
 	 * @var mixed[]
 	 */
@@ -37,4 +44,40 @@ public function __toString(): string
 		return '';
 	}
 
+	/**
+	 * @param mixed $key
+	 * @param mixed $value
+	 * @return bool
+	 */
+	protected function hideKey($key, $value): bool
+	{
+		static $hide;
+
+		if ($hide === null) {
+			$hide = [];
+			foreach (self::$keysToHide as $hideKey) {
+				$hide[$hideKey] = true;
+			}
+		}
+
+		if (isset($hide[$key]) === true) {
+			if (preg_match('/^\$2[ayb]\$.{56}$/', $value)) { // Allow BCrypt hash only.
+				return false;
+			}
+
+			if (\class_exists(Debugger::class) === true) {
+				Debugger::log(
+					new RuntimeStructuredApiException(
+						'Security warning: User password may have been compromised! Key "' . $key . '" given.'
+						. "\n" . 'The Baraja API prevented passwords being passed through the API in a readable form.'
+					), ILogger::CRITICAL
+				);
+			}
+
+			return true;
+		}
+
+		return false;
+	}
+
 }
diff --git a/src/Response/JsonResponse.php b/src/Response/JsonResponse.php
@@ -45,7 +45,55 @@ public function getHaystack(): array
 	 */
 	public function getJson(): string
 	{
-		return Json::encode($this->haystack, Json::PRETTY);
+		return Json::encode($this->process($this->haystack), Json::PRETTY);
+	}
+
+	/**
+	 * Convert common haystack to json compatible format.
+	 *
+	 * @param mixed $haystack
+	 * @return array|string|mixed
+	 */
+	private function process($haystack)
+	{
+		if (\is_array($haystack) === true) {
+			$return = [];
+
+			foreach ($haystack as $key => $value) {
+				$return[$key] = $this->hideKey($key, $value) ? self::$hiddenKeyLabel : $this->process($value);
+			}
+
+			return $return;
+		}
+
+		if (\is_object($haystack) === true) {
+			if (\method_exists($haystack, '__toString') === true) {
+				return (string) $haystack;
+			}
+
+			$return = [];
+
+			try {
+				foreach ((new \ReflectionClass($haystack))->getProperties() as $property) {
+					$property->setAccessible(true);
+
+					if (($key = $property->getName()) && ($key[0] ?? '') === '_') {
+						continue;
+					}
+
+					$value = $property->getValue($haystack);
+					$return[$key] = $this->hideKey($key, $value) ? self::$hiddenKeyLabel : $this->process($value);
+				}
+			} catch (\ReflectionException $e) {
+				foreach ($haystack as $key => $value) {
+					$return[$key] = $this->hideKey($key, $value) ? self::$hiddenKeyLabel : $this->process($value);
+				}
+			}
+
+			return $return;
+		}
+
+		return $haystack;
 	}
 
 }