File "wfFirewall.php"

Full Path: /home/rrterraplen/public_html/wp-content-20241221212636/plugins/wordfence/models/firewall/wfFirewall.php
File size: 16.11 KB
MIME-type: text/x-php
Charset: utf-8

<?php

class wfFirewall
{
	const FIREWALL_MODE_DISABLED = 'disabled';
	const FIREWALL_MODE_LEARNING = 'learning-mode';
	const FIREWALL_MODE_ENABLED = 'enabled';
	
	const PROTECTION_MODE_EXTENDED = 'extended';
	const PROTECTION_MODE_BASIC = 'basic';
	
	const RULE_MODE_COMMUNITY = 'community';
	const RULE_MODE_PREMIUM = 'premium';
	
	const BLACKLIST_MODE_DISABLED = 'disabled';
	const BLACKLIST_MODE_ENABLED = 'enabled';
	
	const UPDATE_FAILURE_RATELIMIT = 'ratelimit';
	const UPDATE_FAILURE_UNREACHABLE = 'unreachable';
	const UPDATE_FAILURE_FILESYSTEM = 'filesystem';
	
	/**
	 * Returns a string suitable for display of the firewall status.
	 * 
	 * @param null|string $status
	 * @param null|string $protection
	 * @return string
	 */
	public function displayText($status = null, $protection = null) {
		if ($status === null) { $status = $this->firewallMode(); }
		if ($protection === null) { $protection = $this->protectionMode(); }
		
		switch ($status) {
			case self::FIREWALL_MODE_ENABLED:
				$statusText = __('Enabled', 'wordfence');
				break;
			case self::FIREWALL_MODE_LEARNING:
				$statusText = __('Learning Mode', 'wordfence');
				break;
			default:
				return __('Disabled', 'wordfence');
		}
		
		switch ($protection) {
			case self::PROTECTION_MODE_EXTENDED:
				$protectionText = __('Extended Protection', 'wordfence');
				break;
			default:
				$protectionText = __('Basic Protection', 'wordfence');
				break;
		}
		
		return sprintf('%s (%s)', $statusText, $protectionText);
	}
	
	/**
	 * Syncs the status from WAF to the wfConfig table if $toDatabase is true, the reverse if false.
	 * 
	 * @param bool $toDatabase
	 */
	public function syncStatus($toDatabase = true) {
		if ($toDatabase) {
			try {
				$status = wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus');
				if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
					wfConfig::set('waf_status', $status);
				}
			}
			catch (Exception $e) {
				//Ignore
			}
		}
		else {
			try {
				$status = wfConfig::get('waf_status');
				if (in_array($status, array(self::FIREWALL_MODE_DISABLED, self::FIREWALL_MODE_LEARNING, self::FIREWALL_MODE_ENABLED))) {
					wfWAF::getInstance()->getStorageEngine()->setConfig('wafStatus', $status);
				}
			}
			catch (Exception $e) {
				//Ignore
			}
		}
	}
	
	/**
	 * Tests the WAF configuration and returns true if successful.
	 * 
	 * @return bool
	 */
	public function testConfig() {
		try {
			wfWAF::getInstance()->getStorageEngine()->isDisabled();
		}
		catch (Exception $e) {
			return false;
		}
		
		return true;
	}
	
	/**
	 * Returns a normalized percentage (i.e., in the range [0, 1]) to the corresponding display percentage
	 * based on license type.
	 * 
	 * @param float $percentage
	 * @param bool $adjust Whether or not to adjust the range to [0, 0.7]
	 * @return float
	 */
	protected function _normalizedPercentageToDisplay($percentage, $adjust = true) {
		if (wfConfig::get('isPaid') || !$adjust) {
			return round($percentage, 2);
		}
		
		return round($percentage * 0.70, 2);
	}
	
	/**
	 * Returns the percentage calculation of the overall firewall status, which is displayed under "Firewall" 
	 * on the Dashboard page.
	 *
	 * @return float
	 */
	public function overallStatus() {
		try {
			$wafStatus = $this->wafStatus();
			$bruteForceStatus = $this->bruteForceStatus();
			
			$percentage = 0.0;
			$percentage += $wafStatus * 0.80;
			$percentage += $bruteForceStatus * 0.20;
			return $this->_normalizedPercentageToDisplay($percentage, false);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
		
		return 0.0;
	}
	
	public function statusList($section = null) {
		$statusList = array();
		$wafStatusList = $this->wafStatusList($section);
		$bruteForceStatusList = $this->bruteForceStatusList();
		
		foreach ($wafStatusList as $entry) {
			$entry['percentage'] *= 0.8;
			$statusList[] = $entry;
		}
		
		foreach ($bruteForceStatusList as $entry) {
			$entry['percentage'] *= 0.2;
			$statusList[] = $entry;
		}
			
		return array_filter($statusList);
	}
	
	/**
	 * Returns the percentage calculation of the WAF status, which is displayed under "Web Application
	 * Firewall" on the Firewall page.
	 * 
	 * @return float
	 */
	public function wafStatus() {
		try {
			$ruleStatus = $this->ruleStatus(true);
			$blacklistStatus = $this->blacklistStatus();
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
			$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);

			if (!$wafEnabled) {
				return 0.0;
			}
			
			$percentage = 0.0;
			$percentage += $this->_normalizedPercentageToDisplay($ruleStatus * 0.35, true);
			$percentage += $blacklistStatus * 0.35;
			$percentage += ($extendedProtection ? 0.20 : 0.0);
			$percentage += ($rateLimitingAdvancedBlockingEnabled ? 0.10 : 0.0);
			return $this->_normalizedPercentageToDisplay($percentage, false);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
		
		return 0.0;
	}

	public function wafStatusList($section = null) {
		$statusList = array();
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			if (!$wafEnabled) {
				return array(
					array(
						'percentage' => 1.0,
						'title'      => __('Enable firewall.', 'wordfence'),
					),
				);
			}

			// Get percent of rules enabled.
			$ruleStatus = $this->ruleStatusDescription(true);
			$premiumStatus = array();
			if (!wfConfig::get('isPaid')) {
				$premiumStatus = array(
					'percentage' => 0.30,
					'title'      => __('Enable Premium Rules.', 'wordfence'),
				);
			}

			if ($section === 'rules') {
				if ($ruleStatus) {
					$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
				}
				return array_filter(array($ruleStatus, $premiumStatus));
			}
			if ($premiumStatus) {
				$premiumStatus['percentage'] *= 0.35;
				$premiumStatus['percentage'] = $this->_normalizedPercentageToDisplay($premiumStatus['percentage'], false);
			}
			if ($ruleStatus) {
				$ruleStatus['percentage'] *= 0.35;
				$ruleStatus['percentage'] = $this->_normalizedPercentageToDisplay($ruleStatus['percentage']);
			}
			$statusList = array_merge($statusList, array($ruleStatus), array($premiumStatus));

			$blacklistStatus = $this->blacklistStatusDescription();
			if ($section === 'blacklist') {
				return array_filter(array($blacklistStatus));
			}
			if ($blacklistStatus) {
				$blacklistStatus['percentage'] *= 0.35;
				$blacklistStatus['percentage'] = $this->_normalizedPercentageToDisplay($blacklistStatus['percentage'], false);
			}
			$statusList = array_merge($statusList, array($blacklistStatus));

			$extendedProtection = $wafEnabled && WFWAF_AUTO_PREPEND && !WFWAF_SUBDIRECTORY_INSTALL;
			if (!$extendedProtection) {
				$statusList[] = array(
					'percentage' => $this->_normalizedPercentageToDisplay(0.20, false),
					'title' => __('Optimize the Wordfence Firewall.', 'wordfence'),
				);
			}

			$rateLimitingAdvancedBlockingEnabled = wfConfig::get('firewallEnabled', 1);
			if (!$rateLimitingAdvancedBlockingEnabled) {
				$statusList[] = array(
					'percentage' => $this->_normalizedPercentageToDisplay(0.10, false),
					'title' => __('Enable Rate Limiting and Advanced Blocking.', 'wordfence'),
				);
			}

			return array_filter($statusList);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
		
		if (!WFWAF_OPERATIONAL) {
			return array(array('percentage' => 1.0, 'title' => __('Repair the Wordfence Firewall configuration.', 'wordfence')));
		}

		return array();
	}
	
	/**
	 * Returns the status of the WAF.
	 * 
	 * @return string
	 */
	public function firewallMode() {
		try {
			return (!WFWAF_ENABLED ? 'disabled' : wfWAF::getInstance()->getStorageEngine()->getConfig('wafStatus'));
		}
		catch (Exception $e) {
			//Ignore
		}
		
		return self::FIREWALL_MODE_DISABLED;
	}
	
	/**
	 * Returns the current protection mode configured for the WAF.
	 * 
	 * @return string
	 */
	public function protectionMode() {
		if (defined('WFWAF_AUTO_PREPEND') && WFWAF_AUTO_PREPEND) {
			return self::PROTECTION_MODE_EXTENDED;
		}
		return self::PROTECTION_MODE_BASIC;
	}
	
	/**
	 * Returns whether or not this installation is in a subdirectory of another WordPress site with the WAF already optimized.
	 * 
	 * @return bool
	 */
	public function isSubDirectoryInstallation() {
		if (defined('WFWAF_SUBDIRECTORY_INSTALL') && WFWAF_SUBDIRECTORY_INSTALL) {
			return true;
		}
		return false;
	}
	
	/**
	 * Returns the percentage calculation of the firewall rule status, which is displayed under "Firewall Rules" on the
	 * Firewall page.
	 * 
	 * The calculation is the number of rules enabled divided by the total number of rules. If the WAF is in learning 
	 * mode, no rules are enforced, so it's clamped to 0%.
	 * 
	 * @param bool $round Round the percentage (in the range [0, 1]) to be only whole percentages.
	 * @return float
	 */
	public function ruleStatus($round = false) {
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			if (!$wafEnabled) {
				return 0.0;
			}
			
			/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
			if ($learningMode) {
				return 0.0;
			}*/
			
			$rules = wfWAF::getInstance()->getRules();
			$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
			/** @var wfWAFRule $rule */
			$enabledCount = 0;
			foreach ($rules as $ruleID => $rule) {
				if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
					continue;
				}
				
				$enabledCount++;
			}
			
			$percentEnabled = (count($rules) == 0 ? 0 : $enabledCount / count($rules));
			if ($round) {
				return round($percentEnabled, 2);
			}
			
			return $this->_normalizedPercentageToDisplay($percentEnabled);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
		
		return 0.0;
	}

	/**
	 * @param bool $round
	 * @return array
	 */
	public function ruleStatusDescription($round = false) {
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			if (!$wafEnabled) {
				return array(
					'percentage' => 1.0,
					'title'      => __('Enable firewall.', 'wordfence'),
				);
			}
			
			/*$learningMode = !!wfWAF::getInstance()->isInLearningMode();
			if ($learningMode) {
				return 0.0;
			}*/

			$rules = wfWAF::getInstance()->getRules();
			$disabledRules = (array) wfWAF::getInstance()->getStorageEngine()->getConfig('disabledRules');
			/** @var wfWAFRule $rule */
			$enabledCount = 0;
			foreach ($rules as $ruleID => $rule) {
				if (isset($disabledRules[$ruleID]) && $disabledRules[$ruleID]) {
					continue;
				}

				$enabledCount++;
			}
			
			$percentEnabled = 1.0 - ((float) (count($rules) == 0 ? 0 : $enabledCount / count($rules)));
			if ($percentEnabled === 0.0) {
				return array();
			}
			$reenbleCount = count($rules) - $enabledCount;
			return array(
				'percentage' => ($round ? round($percentEnabled, 2) : $percentEnabled),
				'title'      => sprintf(_n('Re-enable %d firewall rule.', 'Re-enable %d firewall rules.', $reenbleCount, 'wordfence'), number_format_i18n($reenbleCount)),
			);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}

		return array(
			'percentage' => 1.0,
			'title'      => __('Enable firewall.', 'wordfence'),
		);
	}
	
	/**
	 * Returns the rule feed that is in use.
	 * 
	 * @return string
	 */
	public function ruleMode() {
		if (wfConfig::get('isPaid')) {
			return self::RULE_MODE_PREMIUM;
		}
		return self::RULE_MODE_COMMUNITY;
	}
	
	/**
	 * Returns 100% if the blacklist is enabled, 0% if not.
	 * 
	 * @return float
	 */
	public function blacklistStatus() {
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			if (!$wafEnabled) {
				return 0.0;
			}
			
			return $this->blacklistMode() == self::BLACKLIST_MODE_ENABLED ? 1.0 : 0.0;
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
		
		return 0.0;
	}
	
	/**
	 * Returns 100% if the blacklist is enabled, 0% if not.
	 *
	 * @return array
	 */
	public function blacklistStatusDescription() {
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			if (!$wafEnabled) {
				return array(
					'percentage' => 1.0,
					'title'      => __('Enable Firewall.', 'wordfence'),
				);
			}
			
			if ($this->blacklistMode() == self::BLACKLIST_MODE_ENABLED) {
				return array();
			}
			return array(
				'percentage' => 1.0,
				'title'      => __('Enable Real-Time IP Blocklist.', 'wordfence'),
			);
		}
		catch (Exception $e) {
			//Ignore, return 0%
		}
			
		return array(
			'percentage' => 1.0,
			'title'      => __('Enable Real-Time IP Blocklist.', 'wordfence'),
		);
	}

	/**
	 * Returns the blacklist mode.
	 *
	 * @return string
	 */
	public function blacklistMode() {
		$blacklistEnabled = false;
		try {
			$wafEnabled = !(!WFWAF_ENABLED || wfWAF::getInstance()->getStorageEngine()->isDisabled());
			$blacklistEnabled = $wafEnabled && !wfWAF::getInstance()->getStorageEngine()->getConfig('disableWAFBlacklistBlocking');
		}
		catch (Exception $e) {
			//Do nothing
		}
		
		if (wfConfig::get('isPaid') && $blacklistEnabled) {
			return self::BLACKLIST_MODE_ENABLED;
		}
		return self::BLACKLIST_MODE_DISABLED;
	}
	
	/**
	 * Returns a percentage rating for the brute force protection status. This includes both the WFSN enabled status
	 * and the status of individual login security options. These options are available to all, so they are always
	 * in the range [0,1].
	 * 
	 * @return float
	 */
	public function bruteForceStatus() {
		$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
		$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');
		
		$percentage = 0.0;

		if ($localBruteForceEnabled) {
			$percentage += 0.1;

			if ($networkBruteForceEnabled) {
				$percentage += 0.5;
			}
			if (wfConfig::get('loginSec_strongPasswds_enabled') && (wfConfig::get('loginSec_strongPasswds') == 'pubs' || wfConfig::get('loginSec_strongPasswds') == 'all')) {
				$percentage += 0.1;
			}
			if (wfConfig::get('loginSec_maskLoginErrors')) {
				$percentage += 0.1;
			}
			if (wfConfig::get('loginSec_blockAdminReg')) {
				$percentage += 0.1;
			}
			if (wfConfig::get('loginSec_disableAuthorScan')) {
				$percentage += 0.1;
			}
		}
		
		return round($percentage, 2);
	}
	
	/**
	 * Returns the status of the WAF's learning mode.
	 * 
	 * @return bool|int Returns true if enabled without an automatic switchover, a timestamp if enabled with one, and false if not in learning mode.
	 */
	public function learningModeStatus() {
		if ($this->firewallMode() != self::FIREWALL_MODE_LEARNING) {
			return false;
		}
		
		try {
			$config = wfWAF::getInstance()->getStorageEngine();
			if ($config->getConfig('learningModeGracePeriodEnabled')) {
				return (int) $config->getConfig('learningModeGracePeriod');
			}
			
			return true;
		}
		catch (Exception $e) {
			//Ignore, return false
		}
		
		return false;
	}

	/**
	 * @return array
	 */
	public function bruteForceStatusList() {
		$networkBruteForceEnabled = !!wfConfig::get('other_WFNet');
		$localBruteForceEnabled = !!wfConfig::get('loginSecurityEnabled');

		$status = array();

		if ($localBruteForceEnabled) {
			if (!$networkBruteForceEnabled) {
				$status[] = array(
					'percentage' => 0.5,
					'title' => __('Enable Real-Time Wordfence Security Network.', 'wordfence'),
				);
			}
			if (!wfConfig::get('loginSec_strongPasswds_enabled')) {
				$status[] = array(
					'percentage' => 0.1,
					'title' => __('Enforce Strong Passwords.', 'wordfence'),
				);
			}
			if (!wfConfig::get('loginSec_maskLoginErrors')) {
				$status[] = array(
					'percentage' => 0.1,
					'title' => __('Enable Mask Login Errors.', 'wordfence'),
				);
			}
			if (!wfConfig::get('loginSec_blockAdminReg')) {
				$status[] = array(
					'percentage' => 0.1,
					'title' => __('Enable Block Admin Registration.', 'wordfence'),
				);
			}
			if (!wfConfig::get('loginSec_disableAuthorScan')) {
				$status[] = array(
					'percentage' => 0.1,
					'title' => __('Disable Author Scanning.', 'wordfence'),
				);
			}
		} else {
			$status[] = array(
				'percentage' => 1.0,
				'title' => __('Enable Brute Force Protection.', 'wordfence'),
			);
		}

		return array_filter($status);
	}
}