codebox/Events.php at master · GreenMeteor/codebox · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
<?php

namespace humhub\modules\codebox;

use Yii;
use yii\helpers\Url;
use yii\base\BaseObject;
use humhub\modules\ui\menu\MenuLink;
use humhub\modules\ui\icon\widgets\Icon;
use humhub\modules\admin\widgets\AdminMenu;
use humhub\modules\codebox\widgets\CodeboxFrame;
use humhub\modules\codebox\models\ConfigureForm;
use humhub\modules\admin\permissions\ManageModules;

class Events extends BaseObject
{

    public static function onAdminMenuInit($event)
    {
        if (!Yii::$app->user->can(ManageModules::class)) {
            return;
        }

        /** @var AdminMenu $menu */
        $menu = $event->sender;

        $menu->addEntry(new MenuLink([
            'label' => Yii::t('CodeboxModule.base', 'Codebox Settings'),
            'url' => Url::toRoute('/codebox/admin/index'),
            'icon' => Icon::get('code'),
            'isActive' => Yii::$app->controller->module && Yii::$app->controller->module->id == 'codebox' && Yii::$app->controller->id == 'admin',
            'sortOrder' => 600,
            'isVisible' => true,
        ]));
    }

    public static function addCodeboxFrame($event)
    {
        $module = Yii::$app->getModule('codebox');

        if ($module !== null) {
            $entries = ConfigureForm::find()->asArray()->all();

            // Process entries to ensure they have the correct structure for the enhanced widget
            $processedEntries = [];
            foreach ($entries as $entry) {
                $processedEntries[] = [
                    'title' => $entry['title'] ?? '',
                    'htmlCode' => $entry['htmlCode'] ?? '',
                    'codeType' => $entry['codeType'] ?? 'html', // Default to HTML if not specified
                    'sortOrder' => $entry['sortOrder'] ?? 0,
                    'id' => $entry['id'] ?? null,
                ];
            }

            $event->sender->addWidget(
                CodeboxFrame::class,
                [
                    'entries' => $processedEntries,
                    'enablePhpExecution' => $module->enablePhpExecution ?? true, // Get from module config
                    'showPanelMenu' => true
                ],
                ['sortOrder' => $module->getOrder()]
            );
        }
    }

    /**
     * Process code based on its type for backward compatibility
     * @param string $code The code to process
     * @param string $codeType The type of code (html, php, yii2)
     * @return string Processed code
     */
    public static function processCode($code, $codeType = 'html')
    {
        switch (strtolower($codeType)) {
            case 'php':
                return self::processPhpCode($code);
            case 'yii2':
                return self::processYii2Code($code);
            case 'html':
            case 'javascript':
            case 'css':
            default:
                return self::processHtmlCode($code);
        }
    }

    /**
     * Process HTML/CSS/JavaScript code
     * @param string $code
     * @return string
     */
    protected static function processHtmlCode($code)
    {
        // Generate nonce attribute if needed
        if (strpos($code, '{{nonce}}') !== false) {
            $nonce = Yii::$app->security->generateRandomString(16);
            $code = str_replace('{{nonce}}', $nonce, $code);
        }

        return $code;
    }

    /**
     * Process PHP code safely
     * @param string $code
     * @return string
     */
    protected static function processPhpCode($code)
    {
        $module = Yii::$app->getModule('codebox');

        if (!$module || !($module->enablePhpExecution ?? true)) {
            return '<pre class="prettyprint lang-php">' . \yii\helpers\Html::encode($code) . '</pre>';
        }

        // Security check
        if (!self::validatePhpCode($code)) {
            return '<div class="alert alert-danger">Security: PHP code contains restricted functions</div>';
        }

        try {
            // Start output buffering
            ob_start();

            // Add PHP opening tag if not present
            if (strpos($code, '<?php') === false && strpos($code, '<?=') === false) {
                $code = '<?php ' . $code;
            }

            // Execute PHP code
            eval('?>' . $code);

            // Get the output
            $output = ob_get_clean();

            return $output;

        } catch (\Exception $e) {
            ob_end_clean();
            return '<div class="alert alert-danger">PHP Error: ' . \yii\helpers\Html::encode($e->getMessage()) . '</div>';
        } catch (\ParseError $e) {
            ob_end_clean();
            return '<div class="alert alert-danger">PHP Parse Error: ' . \yii\helpers\Html::encode($e->getMessage()) . '</div>';
        }
    }

    /**
     * Process Yii2 specific code
     * @param string $code
     * @return string
     */
    protected static function processYii2Code($code)
    {
        $module = Yii::$app->getModule('codebox');

        if (!$module || !($module->enablePhpExecution ?? true)) {
            return '<pre class="prettyprint lang-php">' . \yii\helpers\Html::encode($code) . '</pre>';
        }

        // Security check
        if (!self::validatePhpCode($code)) {
            return '<div class="alert alert-danger">Security: PHP code contains restricted functions</div>';
        }

        try {
            // Start output buffering
            ob_start();

            // Make Yii2 components available in the code context
            $app = Yii::$app;
            $user = Yii::$app->user;
            $request = Yii::$app->request;
            $response = Yii::$app->response;

            // Add PHP opening tag if not present
            if (strpos($code, '<?php') === false && strpos($code, '<?=') === false) {
                $code = '<?php ' . $code;
            }

            // Execute Yii2 code with context
            eval('?>' . $code);

            // Get the output
            $output = ob_get_clean();

            return $output;

        } catch (\Exception $e) {
            ob_end_clean();
            return '<div class="alert alert-danger">Yii2 Error: ' . \yii\helpers\Html::encode($e->getMessage()) . '</div>';
        } catch (\ParseError $e) {
            ob_end_clean();
            return '<div class="alert alert-danger">Yii2 Parse Error: ' . \yii\helpers\Html::encode($e->getMessage()) . '</div>';
        }
    }

    /**
     * Validate PHP code for security
     * @param string $code
     * @return bool
     */
    protected static function validatePhpCode($code)
    {
        // List of dangerous functions to block
        $dangerousFunctions = [
            'exec', 'system', 'shell_exec', 'passthru', 'eval', 'file_get_contents',
            'file_put_contents', 'fopen', 'fwrite', 'unlink', 'mkdir', 'rmdir',
            'chmod', 'chown', 'curl_exec', 'curl_init', 'mail', 'header',
            'exit', 'die', 'include', 'require', 'include_once', 'require_once'
        ];

        // Check for dangerous functions
        foreach ($dangerousFunctions as $func) {
            if (strpos($code, $func) !== false) {
                return false;
            }
        }

        return true;
    }
}