Fix config file missing test cases

Author: nkwwk

package-lock.json

@@ -28,6 +28,7 @@
     "crypto-random-string": "^5.0.0",
     "date-fns": "^2.30.0",
     "extract-zip": "^2.0.1",
+    "ini": "^5.0.0",
     "inquirer": "^9.2.10",
     "ms": "^2.1.3",
     "mysql2": "^3.12.0",
@@ -41,6 +42,7 @@
   "devDependencies": {
     "@trivago/prettier-plugin-sort-imports": "^5.2.1",
     "@types/archiver": "^5.3.2",
+    "@types/ini": "^4.1.1",
     "@types/inquirer": "^9.0.3",
     "@types/node": "^20.5.1",
     "@types/psl": "^1.1.0",

package.json

@@ -0,0 +1 @@
+export default class PHPIdentifyMalformatError extends Error {}

src/error/PHPIdentifyMalformatError.ts

@@ -80,7 +80,7 @@ export default class InstallationService {
     createPHPErrorLogFile(phpVer, identity);
 
     // setup nginx
-    const virtualHostConfig = getNginxVirtualHostConfig(domain, identity);
+    const virtualHostConfig = getNginxVirtualHostConfig(phpVer, domain, identity);
     fs.writeFileSync(unixpath.nginx.host, virtualHostConfig);
 
     // finish directory with permission

src/service/installation.ts

@@ -201,6 +201,6 @@ server {
 
   location ~ \.php$ {
     include snippets/fastcgi-php.conf;
-    fastcgi_pass unix:/var/run/php/php8.1-fpm-{{alt_host}}.sock;
+    fastcgi_pass unix:/var/run/php/php{{phpVer}}-fpm-{{alt_host}}.sock;
   }
 }

src/template/nginx-virtual-host.conf

@@ -1,9 +1,18 @@
 import { path as appRootPath } from 'app-root-path';
 import fs from 'fs';
+import { parse } from 'ini';
 import path from 'path';
 import { describe, expect, test } from 'vitest';
 
-import { getWpConfig, getWpConfigByPath, setupInitialWpConfig } from './config';
+import {
+  getNginxVirtualHostConfig,
+  getWpConfig,
+  getWpConfigByPath,
+  setupInitialPHPConfig,
+  setupInitialWpConfig,
+} from './config';
+
+import PHPIdentifyMalformatError from '@/error/PHPIdentifyMalformatError';
 
 describe('getWpConfigByPath()', () => {
   test('should call getWpConfig()', () => {
@@ -62,3 +71,46 @@ describe('setupInitialWpConfig()', () => {
     expect(newWpConfig).equal(wpConfig);
   });
 });
+
+describe('setupInitialPHPConfig()', () => {
+  test('should throw malformat error', () => {
+    const phpWWWConfigSample = fs.readFileSync(
+      path.join(appRootPath, 'test/php/8.1/fpm/pool.d/www.conf'),
+      'utf8'
+    );
+    const siteIdentify = 'my.site';
+    const phpVer = '8.1';
+    expect(() => setupInitialPHPConfig(phpWWWConfigSample, phpVer, siteIdentify)).toThrowError(
+      PHPIdentifyMalformatError
+    );
+  });
+  test('should inject correct parameters', () => {
+    const phpWWWConfigSample = fs.readFileSync(
+      path.join(appRootPath, 'test/php/8.1/fpm/pool.d/www.conf'),
+      'utf8'
+    );
+    const siteIdentify = 'my_site';
+    const phpVer = '8.1';
+    const newConfig = setupInitialPHPConfig(phpWWWConfigSample, phpVer, siteIdentify);
+    const ini = parse(newConfig);
+    expect(ini.www).not.toBeDefined();
+    expect(ini.my_site).toBeDefined();
+    expect(ini.my_site.user).toBe(siteIdentify);
+    expect(ini.my_site.group).toBe(siteIdentify);
+    expect(ini.my_site.listen).toBe(`/run/php/php${phpVer}-fpm-$pool.sock`);
+    expect(ini.my_site.slowlog).toBe(`/var/log/php${phpVer}-fpm-$pool.log.slow`);
+    expect(ini.my_site['php_admin_value[error_log]']).toBe(
+      `/var/log/php${phpVer}-fpm-$pool.log.error`
+    );
+    expect(ini.my_site['php_admin_flag[log_errors]']).toBe('on');
+  });
+});
+
+describe('getNginxVirtualHostConfig()', () => {
+  test('should inject correct parameters', () => {
+    const phpVer = '8.1';
+    const nginxConfig = fs.readFileSync(path.join(appRootPath, 'test/nginx/my.site.conf'), 'utf8');
+    const newConfig = getNginxVirtualHostConfig(phpVer, 'my.site', 'my_site');
+    expect(newConfig).equal(nginxConfig);
+  });
+});

src/util/config.spec.ts

@@ -1,8 +1,12 @@
+import { path as appRootPath } from 'app-root-path';
 import fs from 'fs';
+import path from 'path';
 import { Engine } from 'php-parser';
 
 import { getWpConfigPath } from './path';
 
+import PHPIdentifyMalformatError from '@/error/PHPIdentifyMalformatError';
+
 export function getWpConfigByPath(wpInstalledPath: string, options?: any) {
   const fileContent = fs.readFileSync(getWpConfigPath(wpInstalledPath), 'utf8');
   return getWpConfig(fileContent, options);
@@ -56,6 +60,9 @@ export function setupInitialWpConfig(
 }
 
 export function setupInitialPHPConfig(fileContent: string, phpVer: string, siteIdentify: string) {
+  if (!/^[a-z0-9_]+$/i.test(siteIdentify)) {
+    throw new PHPIdentifyMalformatError('site identify only allow a-z, A-Z, 0-9 and underscore.');
+  }
   return fileContent
     .replace('[www]', `[${siteIdentify}]`)
     .replace('user = www-data', `user = ${siteIdentify}`)
@@ -72,7 +79,12 @@ export function setupInitialPHPConfig(fileContent: string, phpVer: string, siteI
     .replace(';php_admin_flag[log_errors] = on', 'php_admin_flag[log_errors] = on');
 }
 
-export function getNginxVirtualHostConfig(host: string, altHost: string) {
-  const config = fs.readFileSync('../template/nginx-virtual-host.conf', { encoding: 'utf8' });
-  return config.replace(/{{host}}/g, host).replace(/{{alt_host}}/g, altHost);
+export function getNginxVirtualHostConfig(phpVer: string, host: string, altHost: string) {
+  const config = fs.readFileSync(path.join(appRootPath, 'src/template/nginx-virtual-host.conf'), {
+    encoding: 'utf8',
+  });
+  return config
+    .replace(/{{phpVer}}/g, phpVer)
+    .replace(/{{host}}/g, host)
+    .replace(/{{alt_host}}/g, altHost);
 }

src/util/config.ts

@@ -0,0 +1,206 @@
+
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name my.site www.my.site;
+
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 http2 ssl;
+  listen [::]:443 http2 ssl;
+
+  root /var/www/my.site;
+
+  index index.html index.htm index.php;
+
+  server_name my.site www.my.site;
+
+  client_max_body_size 500M;
+
+  ssl_certificate /etc/nginx/ssl/my.site.pem;
+  ssl_certificate_key /etc/nginx/ssl/my.site.key;
+
+  error_log /var/log/nginx/my.site_error.log;
+  access_log /var/log/nginx/my.site_access.log;
+
+  #Deny access to wp-content folders for suspicious files
+  location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ {
+    deny all;
+  }
+
+  location ~ ^/wp-content/uploads/sucuri {
+    deny all;
+  }
+
+  location ~ ^/wp-content/updraft {
+    deny all;
+  }
+
+  #Disable execution of scripts other than PHP from your document root
+  location ~* .(pl|cgi|py|sh|lua|asp)$ {
+    return 404;
+  }
+
+  #Disable access to your configuration files and other files that you don’t want to users are able to see
+  location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
+    deny all;
+  }
+
+  # Disable wp-config.txt
+  location = /wp-config.txt {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  # nginx block xmlrpc.php requests
+  location = /xmlrpc.php {
+    deny all;
+    access_log off;
+    log_not_found off;
+    return 404;
+  }
+
+  # nginx block wpscann on plugins folder
+  location ~* ^/wp-content/(?:plugins|themes)/.+\.(txt|log|md)$ {
+    deny all;
+    error_page 403 =404 / ;
+  }
+
+  # block access to install.php and upgrade.php
+  location ^~ /wp-admin/(install.php|upgrade.php) {
+    deny all;
+    error_page 403 =404 / ;
+  }
+
+  #This module will allow us to pattern match certain key files and inject random text in the files that
+  # is non-destructive / non-invasive and will most importantly alter the md5sum calculated on such files. All transparent to WPScan.
+  location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
+    sub_filter_types text/css text/javascript text/plain;
+    sub_filter_once on;
+    sub_filter ';' '; /* $msec */ ';
+  }
+
+  #Direct PHP File Access
+  #If somehow, a hacker successfully sneaks in a PHP file onto your site,
+  #they’ll be able to run this file by loading file which effectively becomes a backdoor to infiltrate your site.
+  #We should disable direct access to any PHP files by adding the following rules:
+  location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  #Dotfiles
+  #Similar to PHP file, a dotfile like .htaccess, .user.ini, and .git may contain sensitive information.
+  #To be on the safer side, it’s better to disable direct access to these files.
+  location ~ /\.(svn|git)/* {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  location ~ /\.ht {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  location ~ /\.user.ini {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  # Deny backup extensions & log files
+  location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  # common nginx configuration to block sql injection and other attacks
+  location ~* "(eval\()" {
+    deny all;
+  }
+
+  location ~* "(127\.0\.0\.1)" {
+    deny all;
+  }
+
+  location ~* "([a-z0-9]{2000})" {
+    deny all;
+  }
+
+  location ~* "(javascript\:)(.*)(\;)" {
+    deny all;
+  }
+
+  location ~* "(base64_encode)(.*)(\()" {
+    deny all;
+  }
+
+  location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+    deny all;
+  }
+
+  location ~* "(<|%3C).*script.*(>|%3)" {
+    deny all;
+  }
+
+  location ~ "(\|\.\.\.|\.\./|~|\`|<|>|\|)" {
+    deny all;
+  }
+
+  location ~* "(boot\.ini|etc/passwd|self/environ)" {
+    deny all;
+  }
+
+  location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+    deny all;
+  }
+
+  location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+    deny all;
+  }
+
+  location ~* "(https?|ftp|php):/" {
+    deny all;
+  }
+
+  location ~* "(=\\'|=\%27|/\\'/?)\." {
+    deny all;
+  }
+
+  location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\"\")" {
+    deny all;
+  }
+
+  location ~ "(~|\`|<|>|:|;|%|\|\s|\{|\}|\[|\]|\|)" {
+    deny all;
+  }
+
+  location ~* "/(=|$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
+  }
+
+  location ~* "(&pws=0|_vti_|\(null\)|\{$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+    deny all;
+  }
+
+  location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
+    deny all;
+  }
+
+  location / {
+    try_files $uri $uri/ /index.php?$args;
+  }
+
+  location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:/var/run/php/php8.1-fpm-my_site.sock;
+  }
+}