BingBot is allowed without any X-Signature #11196

Author: PowerKiKi

src/Middleware/SignedQueryMiddleware.php

@@ -55,7 +55,7 @@ private function verify(ServerRequestInterface $request): ServerRequestInterface
     {
         $signature = $request->getHeader('X-Signature')[0] ?? '';
         if (!$signature) {
-            if ($this->isAllowedIp($request)) {
+            if ($this->isAllowedIp($request) || $this->isBingBot($request)) {
                 return $request;
             }
 
@@ -412,4 +412,52 @@ private function isGoogleBot(ServerRequestInterface $request): bool
 
         return IPRange::matches($remoteAddress, $googleBotIps);
     }
+
+    private function isBingBot(ServerRequestInterface $request): bool
+    {
+        $remoteAddress = $request->getServerParams()['REMOTE_ADDR'] ?? '';
+
+        if (!$remoteAddress || !is_string($remoteAddress)) {
+            return false;
+        }
+
+        // Source is https://www.bing.com/toolbox/bingbot.json
+        // Use this one-line command to fetch new list:
+        //
+        // ```bash
+        // php -r 'echo PHP_EOL . implode(PHP_EOL, array_map(fn (array $r) => chr(39) . ($r["ipv6Prefix"] ?? $r["ipv4Prefix"]) . chr(39) . ",", json_decode(file_get_contents("https://www.bing.com/toolbox/bingbot.json"), true)["prefixes"])) . PHP_EOL;'
+        // ```
+        $bingBotIps = [
+            '157.55.39.0/24',
+            '207.46.13.0/24',
+            '40.77.167.0/24',
+            '13.66.139.0/24',
+            '13.66.144.0/24',
+            '52.167.144.0/24',
+            '13.67.10.16/28',
+            '13.69.66.240/28',
+            '13.71.172.224/28',
+            '139.217.52.0/28',
+            '191.233.204.224/28',
+            '20.36.108.32/28',
+            '20.43.120.16/28',
+            '40.79.131.208/28',
+            '40.79.186.176/28',
+            '52.231.148.0/28',
+            '20.79.107.240/28',
+            '51.105.67.0/28',
+            '20.125.163.80/28',
+            '40.77.188.0/22',
+            '65.55.210.0/24',
+            '199.30.24.0/23',
+            '40.77.202.0/24',
+            '40.77.139.0/25',
+            '20.74.197.0/28',
+            '20.15.133.160/27',
+            '40.77.177.0/24',
+            '40.77.178.0/23',
+        ];
+
+        return IPRange::matches($remoteAddress, $bingBotIps);
+    }
 }

tests/Middleware/SignedQueryMiddlewareTest.php

@@ -238,5 +238,32 @@ public static function dataProviderQuery(): iterable
             'Invalid `X-Signature` HTTP header in signed query',
             '66.249.70.134',
         ];
+
+        yield 'no header, BingBot is allowed, because BingBot does not seem to include our custom header in his request' => [
+            [$key1],
+            '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
+            null,
+            '',
+            '',
+            '40.77.188.165',
+        ];
+
+        yield 'too much in the past, even BingBot is rejected, because BingBot should not have any header at all' => [
+            [$key1],
+            '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
+            null,
+            'v1.1577951099.20177a7face4e05a75c4b2e41bc97a8225f420f5b7bb1709dd5499821dba0807',
+            'Signed query is expired',
+            '40.77.188.165',
+        ];
+
+        yield 'too much in the past and invalid signature, even BingBot is rejected, because BingBot should not have any header at all' => [
+            [$key1],
+            '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
+            null,
+            'v1.1577951099' . str_repeat('a', 64),
+            'Invalid `X-Signature` HTTP header in signed query',
+            '40.77.188.165',
+        ];
     }
 }