mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-nostr.git
synced 2026-02-04 15:53:17 +00:00
5b814d631b
- 🛡️ Introduce `SecurityMonitor` service for tampering and malicious activity detection. - 🏷️ Add `SecurityAttempt` model and migration to log, categorize, and query security attempts. - 🖥️ Create `SecurityAttemptsCommand` for filtering, statistics, and top IP analysis. - ✅ Add extensive tests to ensure the reliability of security monitoring and logging. - 🔗 Integrate `SecurityMonitor` into the exception handling pipeline for real-time monitoring.
167 lines
5.1 KiB
PHP
167 lines
5.1 KiB
PHP
<?php
|
|
|
|
use App\Models\SecurityAttempt;
|
|
use App\Services\SecurityMonitor;
|
|
use Illuminate\Http\Request;
|
|
use Livewire\Features\SupportLockedProperties\CannotUpdateLockedPropertyException;
|
|
|
|
beforeEach(function () {
|
|
$this->monitor = app(SecurityMonitor::class);
|
|
});
|
|
|
|
it('records locked property exceptions', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('isLoggedIn');
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
[
|
|
'snapshot' => json_encode([
|
|
'memo' => ['name' => 'auth-button'],
|
|
]),
|
|
'updates' => ['isLoggedIn' => true],
|
|
],
|
|
],
|
|
]);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
app()->instance('request', $request);
|
|
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
expect(SecurityAttempt::count())->toBe(1);
|
|
|
|
$attempt = SecurityAttempt::first();
|
|
expect($attempt->exception_class)->toBe(CannotUpdateLockedPropertyException::class)
|
|
->and($attempt->target_property)->toBe('isLoggedIn')
|
|
->and($attempt->component_name)->toBe('auth-button')
|
|
->and($attempt->severity)->toBe('medium');
|
|
});
|
|
|
|
it('detects high severity injection attempts', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('isLoggedIn');
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
[
|
|
'snapshot' => json_encode([
|
|
'memo' => ['name' => 'auth-button'],
|
|
]),
|
|
'updates' => [
|
|
'isLoggedIn' => [
|
|
'__toString' => 'phpinfo',
|
|
'SerializableClosure' => [],
|
|
],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
$attempt = SecurityAttempt::first();
|
|
expect($attempt->severity)->toBe('high');
|
|
});
|
|
|
|
it('does not record non-security exceptions', function () {
|
|
$exception = new RuntimeException('Something went wrong');
|
|
|
|
$this->monitor->recordFromException($exception);
|
|
|
|
expect(SecurityAttempt::count())->toBe(0);
|
|
});
|
|
|
|
it('never throws exceptions itself', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('test');
|
|
|
|
// Create a request that might cause issues
|
|
$request = Request::create('/test', 'POST');
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
// This should not throw even if there are issues
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
// If we get here without exception, the test passes
|
|
expect(true)->toBeTrue();
|
|
});
|
|
|
|
it('tracks attempts from same IP', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('test');
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
['snapshot' => '{}', 'updates' => []],
|
|
],
|
|
], server: ['REMOTE_ADDR' => '192.168.1.100']);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
// Record multiple attempts
|
|
$this->monitor->recordFromException($exception, $request);
|
|
$this->monitor->recordFromException($exception, $request);
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
expect($this->monitor->getAttemptsFromIp('192.168.1.100'))->toBe(3);
|
|
});
|
|
|
|
it('identifies suspicious IPs', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('test');
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
['snapshot' => '{}', 'updates' => []],
|
|
],
|
|
], server: ['REMOTE_ADDR' => '10.0.0.1']);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
// Record 10 attempts (threshold)
|
|
for ($i = 0; $i < 10; $i++) {
|
|
$this->monitor->recordFromException($exception, $request);
|
|
}
|
|
|
|
expect($this->monitor->isIpSuspicious('10.0.0.1', threshold: 10))->toBeTrue()
|
|
->and($this->monitor->isIpSuspicious('10.0.0.2', threshold: 10))->toBeFalse();
|
|
});
|
|
|
|
it('truncates long values', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('test');
|
|
|
|
$longUserAgent = str_repeat('a', 1000);
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
['snapshot' => '{}', 'updates' => []],
|
|
],
|
|
], server: ['HTTP_USER_AGENT' => $longUserAgent]);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
$attempt = SecurityAttempt::first();
|
|
expect(strlen($attempt->user_agent))->toBeLessThanOrEqual(500);
|
|
});
|
|
|
|
it('handles X-Forwarded-For header', function () {
|
|
$exception = new CannotUpdateLockedPropertyException('test');
|
|
|
|
$request = Request::create('/livewire/update', 'POST', [
|
|
'components' => [
|
|
['snapshot' => '{}', 'updates' => []],
|
|
],
|
|
], server: [
|
|
'REMOTE_ADDR' => '127.0.0.1',
|
|
'HTTP_X_FORWARDED_FOR' => '203.0.113.50, 70.41.3.18',
|
|
]);
|
|
|
|
$request->setRouteResolver(fn () => null);
|
|
|
|
$this->monitor->recordFromException($exception, $request);
|
|
|
|
$attempt = SecurityAttempt::first();
|
|
expect($attempt->ip_address)->toBe('203.0.113.50');
|
|
});
|