Relative file hashes, and hash salt (#19)

* Relative file hashes, and hash salt

* Correct test hash

* Test for relative hash

* Do not use components from outside of the root directory

Author: bajb

composer.json

@@ -28,6 +28,7 @@
   },
   "autoload-dev": {
     "psr-4": {
+      "Packaged\\Dispatch\\Tests\\TestComponents\\": "tests/_root/src/TestComponents",
       "Packaged\\Dispatch\\Tests\\": "tests"
     }
   }

src/Dispatch.php

@@ -24,6 +24,7 @@ class Dispatch
   protected $_resourceStore;
 
   protected $_baseUri;
+  protected $_requireFileHash = false;
 
   const RESOURCES_DIR = 'resources';
   const VENDOR_DIR = 'vendor';
@@ -52,6 +53,7 @@ public static function destroy()
    * @var ClassLoader
    */
   protected $_classLoader;
+  protected $_hashSalt = 'dispatch';
 
   public function __construct($projectRoot, $baseUri = null, ClassLoader $loader = null)
   {
@@ -61,6 +63,37 @@ public function __construct($projectRoot, $baseUri = null, ClassLoader $loader =
     $this->_classLoader = $loader;
   }
 
+  /**
+   * Add salt to dispatch hashes, for additional resource security
+   *
+   * @param string $hashSalt
+   *
+   * @return $this
+   */
+  public function setHashSalt(string $hashSalt)
+  {
+    $this->_hashSalt = $hashSalt;
+    return $this;
+  }
+
+  /**
+   * Generate a hash against specific content, for a desired length
+   *
+   * @param      $content
+   * @param null $length
+   *
+   * @return string
+   */
+  public function generateHash($content, $length = null)
+  {
+    $hash = md5($content . $this->_hashSalt);
+    if($length !== null)
+    {
+      return substr($hash, 0, $length);
+    }
+    return $hash;
+  }
+
   public function getResourcesPath()
   {
     return Path::system($this->_projectRoot, self::RESOURCES_DIR);
@@ -171,7 +204,21 @@ public function handleRequest(Request $request): Response
 
     $requestPath = Path::custom('/', $pathParts);
     $fullPath = $manager->getFilePath($requestPath);
-    if($compareHash !== $manager->getFileHash($fullPath))
+
+    [$fileHash, $relativeHash] = str_split($compareHash . ' ', 8);
+    $relativeHash = trim($relativeHash);
+    $failedHash = true;
+    if(!$this->_requireFileHash && $relativeHash && $relativeHash === $manager->getRelativeHash($fullPath))
+    {
+      $failedHash = false;
+    }
+
+    if((!$relativeHash || $failedHash) && $fileHash === $manager->getFileHash($fullPath))
+    {
+      $failedHash = false;
+    }
+
+    if($failedHash)
     {
       return Response::create("File Not Found", 404);
     }
@@ -229,4 +276,9 @@ public function store()
     return $this->_resourceStore;
   }
 
+  public function calculateRelativePath($filePath)
+  {
+    return ltrim(str_replace($this->_projectRoot, '', $filePath), '/\\');
+  }
+
 }

src/ResourceManager.php

@@ -55,48 +55,48 @@ public function getMapOptions()
     return $this->_mapOptions;
   }
 
-  public static function vendor($vendor, $package)
+  public static function vendor($vendor, $package, $options = [])
   {
-    return new static(self::MAP_VENDOR, [$vendor, $package]);
+    return new static(self::MAP_VENDOR, [$vendor, $package], $options);
   }
 
-  public static function alias($alias)
+  public static function alias($alias, $options = [])
   {
-    return new static(self::MAP_ALIAS, [$alias]);
+    return new static(self::MAP_ALIAS, [$alias], $options);
   }
 
-  public static function resources()
+  public static function resources($options = [])
   {
-    return new static(self::MAP_RESOURCES, []);
+    return new static(self::MAP_RESOURCES, [], $options);
   }
 
-  public static function public()
+  public static function public($options = [])
   {
-    return new static(self::MAP_PUBLIC, []);
+    return new static(self::MAP_PUBLIC, [], $options);
   }
 
-  public static function inline()
+  public static function inline($options = [])
   {
-    return new static(self::MAP_INLINE, []);
+    return new static(self::MAP_INLINE, [], $options);
   }
 
-  public static function external()
+  public static function external($options = [])
   {
-    return new static(self::MAP_EXTERNAL, []);
+    return new static(self::MAP_EXTERNAL, [], $options);
   }
 
-  public static function component(DispatchableComponent $component)
+  public static function component(DispatchableComponent $component, $options = [])
   {
     $fullClass = $component instanceof FixedClassComponent ? $component->getComponentClass() : get_class($component);
-    return static::_componentManager($fullClass, Dispatch::instance());
+    return static::_componentManager($fullClass, Dispatch::instance(), $options);
   }
 
-  public static function componentClass(string $componentClassName)
+  public static function componentClass(string $componentClassName, $options = [])
   {
-    return static::_componentManager($componentClassName, Dispatch::instance());
+    return static::_componentManager($componentClassName, Dispatch::instance(), $options);
   }
 
-  protected static function _componentManager($fullClass, Dispatch $dispatch = null): ResourceManager
+  protected static function _componentManager($fullClass, Dispatch $dispatch = null, $options = []): ResourceManager
   {
     $class = ltrim($fullClass, '\\');
     if($dispatch)
@@ -119,7 +119,7 @@ protected static function _componentManager($fullClass, Dispatch $dispatch = nul
     $parts = explode('\\', $class);
     array_unshift($parts, count($parts));
 
-    $manager = new static(self::MAP_COMPONENT, $parts);
+    $manager = new static(self::MAP_COMPONENT, $parts, $options);
     $manager->_componentPath = $dispatch->componentClassResourcePath($fullClass);
     return $manager;
   }
@@ -136,17 +136,25 @@ public function getResourceUri($relativeFullPath): ?string
     {
       return $relativeFullPath;
     }
-    $hash = $this->getFileHash($this->getFilePath($relativeFullPath));
+
+    $filePath = $this->getFilePath($relativeFullPath);
+    $relHash = $this->getRelativeHash($filePath);
+    $hash = $this->getFileHash($filePath);
     if(!$hash)
     {
       return null;
     }
     return Path::custom(
       '/',
-      array_merge([Dispatch::instance()->getBaseUri()], $this->_baseUri, [$hash, $relativeFullPath])
+      array_merge([Dispatch::instance()->getBaseUri()], $this->_baseUri, [$hash . $relHash, $relativeFullPath])
     );
   }
 
+  public function getRelativeHash($filePath)
+  {
+    return Dispatch::instance()->generateHash(Dispatch::instance()->calculateRelativePath($filePath), 4);
+}
+
   /**
    * @param $relativePath
    *
@@ -201,8 +209,7 @@ public function getFileHash($fullPath)
       }
     }
 
-    $hash = substr(md5_file($fullPath), 0, 8);
-
+    $hash = Dispatch::instance()->generateHash(md5_file($fullPath), 8);
     if($hash && function_exists('apcu_store'))
     {
       apcu_store($key, $hash, 86400);
@@ -310,7 +317,7 @@ public function includeCss($toRequire, $options = null)
   {
     try
     {
-      return $this->requireCss($toRequire, $options = null);
+      return $this->requireCss($toRequire, $options);
     }
     catch(Exception $e)
     {

tests/DispatchTest.php

@@ -48,21 +48,27 @@ public function testHandle()
     $response = $dispatch->handleRequest($request);
     $this->assertEquals(404, $response->getStatusCode());
 
-    $request = Request::create('/r/f643eb32/css/test.css');
+    $request = Request::create('/r/e69b7aabcde/css/test.css');
+    $response = $dispatch->handleRequest($request);
+    $this->assertEquals(404, $response->getStatusCode());
+
+    $request = Request::create('/r/bd04a611ed6d/css/test.css');
     $response = $dispatch->handleRequest($request);
     $this->assertEquals(200, $response->getStatusCode());
-    $this->assertContains('url(r/d68e763c/img/x.jpg)', $response->getContent());
+    $this->assertContains('url(r/395d1a0e8999/img/x.jpg)', $response->getContent());
 
-    $request = Request::create('/p/d5dd9dc7/css/placeholder.css');
+    $uri = ResourceManager::public()->getResourceUri('css/placeholder.css');
+    $request = Request::create($uri);
     $response = $dispatch->handleRequest($request);
     $this->assertContains('font-size:14px', $response->getContent());
 
     $dispatch->addAlias('abc', 'resources/css');
-    $request = Request::create('/a/abc/f643eb32/test.css');
+    $request = Request::create('/a/abc/bd04a611ed6d/test.css');
     $response = $dispatch->handleRequest($request);
-    $this->assertContains('url("a/abc/d41d8cd9/sub/subimg.jpg")', $response->getContent());
+    $this->assertContains('url("a/abc/942e325be95f/sub/subimg.jpg")', $response->getContent());
 
-    $request = Request::create('/v/packaged/dispatch/6673b7e0/css/vendor.css');
+    $uri = ResourceManager::vendor('packaged', 'dispatch')->getResourceUri('css/vendor.css');
+    $request = Request::create($uri);
     $response = $dispatch->handleRequest($request);
     $this->assertContains('body{background:orange}', $response->getContent());
 
@@ -73,9 +79,9 @@ public function testBaseUri()
   {
     $dispatch = new Dispatch(Path::system(__DIR__, '_root'), 'http://assets.packaged.in');
     Dispatch::bind($dispatch);
-    $request = Request::create('/r/f643eb32/css/test.css');
+    $request = Request::create('/r/bd04a611ed6d/css/test.css');
     $response = $dispatch->handleRequest($request);
-    $this->assertContains('url(http://assets.packaged.in/r/d68e763c/img/x.jpg)', $response->getContent());
+    $this->assertContains('url(http://assets.packaged.in/r/395d1a0e8999/img/x.jpg)', $response->getContent());
     Dispatch::destroy();
   }
 
@@ -85,10 +91,10 @@ public function testStore()
     ResourceManager::resources()->requireCss('css/test.css');
     ResourceManager::resources()->requireCss('css/do-not-modify.css');
     $response = Dispatch::instance()->store()->generateHtmlIncludes(ResourceStore::TYPE_CSS);
-    $this->assertContains('href="http://assets.packaged.in/r/f643eb32/css/test.css"', $response);
+    $this->assertContains('href="http://assets.packaged.in/r/bd04a6113c11/css/test.css"', $response);
     ResourceManager::resources()->requireJs('js/alert.js');
     $response = Dispatch::instance()->store()->generateHtmlIncludes(ResourceStore::TYPE_JS);
-    $this->assertContains('src="http://assets.packaged.in/r/ef6402a7/js/alert.js"', $response);
+    $this->assertContains('src="http://assets.packaged.in/r/f417133ec50f/js/alert.js"', $response);
     Dispatch::destroy();
   }
 
@@ -104,7 +110,7 @@ public function testComponent()
     Dispatch::instance()->addComponentAlias('\Packaged\Dispatch\Tests\TestComponents', '');
     $manager = ResourceManager::component($component);
     $uri = $manager->getResourceUri('style.css');
-    $this->assertEquals('c/3/_/DemoComponent/DemoComponent/a4197ed8/style.css', $uri);
+    $this->assertEquals('c/3/_/DemoComponent/DemoComponent/1a9ffb748d31/style.css', $uri);
 
     $request = Request::create('/' . $uri);
     $response = $dispatch->handleRequest($request);
@@ -126,7 +132,7 @@ public function testComponent()
     Dispatch::instance()->addComponentAlias('\Packaged\Dispatch\Tests\TestComponents\DemoComponents', 'DCRC');
     $manager = ResourceManager::component(new DemoComponent());
     $uri = $manager->getResourceUri('style.css');
-    $this->assertEquals('c/2/_DC/DemoComponent/a4197ed8/style.css', $uri);
+    $this->assertEquals('c/2/_DC/DemoComponent/1a9ffb748d31/style.css', $uri);
 
     $request = Request::create('/c/3/_/MissingComponent/DemoComponent/a4197ed8/style.css');
     $response = $dispatch->handleRequest($request);
@@ -135,13 +141,13 @@ public function testComponent()
 
     $manager = ResourceManager::component(new ChildComponent());
     $uri = $manager->getResourceUri('style.css');
-    $this->assertEquals('c/2/_/AbstractComponent/d456522a/style.css', $uri);
+    $this->assertEquals('c/2/_/AbstractComponent/162fe246c68b/style.css', $uri);
 
     $request = Request::create('/' . $uri);
     $response = $dispatch->handleRequest($request);
     $this->assertEquals(200, $response->getStatusCode());
     $this->assertEquals(
-      '@import "c/2/_/AbstractComponent/d41d8cd9/dependency.css";body{color:blue;background:url("c/2/_/AbstractComponent/d68e763c/img/x.jpg")}',
+      '@import "c/2/_/AbstractComponent/942e325b3dcc/dependency.css";body{color:blue;background:url("c/2/_/AbstractComponent/395d1a0e845f/img/x.jpg")}',
       $response->getContent()
     );
   }
@@ -154,14 +160,25 @@ public function testImport()
     Dispatch::instance()->addComponentAlias('\Packaged\Dispatch\Tests\TestComponents\AbstractComponent', '');
     $manager = ResourceManager::component(new ChildComponent());
     $uri = $manager->getResourceUri('import.js');
-    $this->assertEquals('c/1/_/e60f9588/import.js', $uri);
+    $this->assertEquals('c/1/_/831aff315092/import.js', $uri);
 
     $request = Request::create($uri);
     $response = $dispatch->handleRequest($request);
     $this->assertEquals(200, $response->getStatusCode());
     $this->assertEquals(
-      'import"c/1/_/d41d8cd9/dependency.css";import"c/1/_/d41d8cd9/dependency.js";import"c/1/_/d41d8cd9/dependency.js";',
+      'import"c/1/_/942e325b3dcc/dependency.css";import"c/1/_/942e325b4521/dependency.js";import"c/1/_/942e325b4521/dependency.js";',
       $response->getContent()
     );
   }
+
+  public function testHashing()
+  {
+    $dispatch = new Dispatch(Path::system(__DIR__, '_root'));
+    Dispatch::bind($dispatch);
+    $uri = ResourceManager::public()->getResourceUri('css/placeholder.css');
+    $this->assertEquals($uri, ResourceManager::public()->getResourceUri('css/placeholder.css'));
+    $dispatch->setHashSalt('abc');
+    $this->assertNotEquals($uri, ResourceManager::public()->getResourceUri('css/placeholder.css'));
+    $this->assertEquals(substr($dispatch->generateHash('abc'), 0, 8), $dispatch->generateHash('abc', 8));
+  }
 }

tests/ResourceManagerTest.php

@@ -52,13 +52,13 @@ public function testComponent()
       $manager->getMapOptions()
     );
     $this->assertEquals(
-      'c/6/Packaged/Dispatch/Tests/TestComponents/DemoComponent/DemoComponent/a4197ed8/style.css',
+      'c/6/Packaged/Dispatch/Tests/TestComponents/DemoComponent/DemoComponent/1a9ffb748d31/style.css',
       $manager->getResourceUri('style.css')
     );
     Dispatch::instance()->addComponentAlias('\Packaged\Dispatch\Tests\TestComponents', '');
     $manager = ResourceManager::component($component);
     $this->assertEquals(
-      'c/3/_/DemoComponent/DemoComponent/a4197ed8/style.css',
+      'c/3/_/DemoComponent/DemoComponent/1a9ffb748d31/style.css',
       $manager->getResourceUri('style.css')
     );
   }
@@ -68,7 +68,7 @@ public function testRequireJs()
     Dispatch::bind(new Dispatch(Path::system(__DIR__, '_root')));
     ResourceManager::resources()->requireJs('js/alert.js');
     $this->assertContains(
-      'src="r/ef6402a7/js/alert.js"',
+      'src="r/f417133ec50f/js/alert.js"',
       Dispatch::instance()->store()->generateHtmlIncludes(ResourceStore::TYPE_JS)
     );
   }
@@ -91,7 +91,7 @@ public function testRequireCss()
     ResourceManager::resources()->includeCss('css/test.css');
     ResourceManager::resources()->requireCss('css/test.css');
     $this->assertContains(
-      'href="r/f643eb32/css/test.css"',
+      'href="r/bd04a6113c11/css/test.css"',
       Dispatch::instance()->store()->generateHtmlIncludes(ResourceStore::TYPE_CSS)
     );
   }
@@ -149,7 +149,7 @@ public function testGetFileHash()
     for($i = 0; $i < 3; $i++)
     {
       $this->assertEquals(
-        "7c20a3fa",
+        "d91424cc",
         ResourceManager::resources()->getFileHash(Path::system(__DIR__, '_root', 'public', 'placeholder.html'))
       );
     }
@@ -164,4 +164,18 @@ public function testRequireInlineCss()
       Dispatch::instance()->store()->generateHtmlIncludes(ResourceStore::TYPE_CSS)
     );
   }
+
+  public function testRelativeHash()
+  {
+    Dispatch::bind(new Dispatch(Path::system(__DIR__, '_root')));
+    $pathHash = Dispatch::instance()->generateHash('resources/css/test.css', 4);
+    $manager = ResourceManager::resources();
+    $resourceHash = $manager->getRelativeHash($manager->getFilePath('css/test.css'));
+    $this->assertEquals($pathHash, $resourceHash);
+
+    $pathHash = Dispatch::instance()->generateHash('public/favicon.ico', 4);
+    $manager = ResourceManager::public();
+    $resourceHash = $manager->getRelativeHash($manager->getFilePath('favicon.ico'));
+    $this->assertEquals($pathHash, $resourceHash);
+  }
 }