PrestashopModules/botlimiter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add admin cookie check

Browse Source
This commit is contained in:
O K
2026-03-22 09:23:41 +02:00
parent a2b7a68af0
commit 8fd0c00941
9 changed files with 570 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

249
classes/BotLogger.php
View File

@@ -3,10 +3,20 @@
class BotLogger
{
const LOG_FILE = _PS_ROOT_DIR_ . '/var/logs/botlimiter_ban.log';
const WHITELIST_FILE = _PS_CACHE_DIR_ . DIRECTORY_SEPARATOR . 'botlimiter_whitelist.php';
const MAX_SIZE = 10485760; // 10 MB
const UPDATE_INTERVAL = 86400; // 24 hours (in seconds)
// Store in memory during execution so we don't read the file multiple times per request
private static $cachedWhitelist = null;
public static function logBan($ip, $reason)
{
// 0. Check if IP is a known good bot (Google, Bing, etc.)
if (self::isWhitelisted($ip)) {
return; // Exit silently, do not log or ban
}
// 1. Check file size before writing (The Safety Valve)
if (file_exists(self::LOG_FILE) && filesize(self::LOG_FILE) > self::MAX_SIZE) {
self::rotateLog();
@@ -19,6 +29,173 @@ class BotLogger
file_put_contents(self::LOG_FILE, $message, FILE_APPEND | LOCK_EX);
}
/**
* Checks if the given IP belongs to the whitelisted networks.
*/
public static function isWhitelisted($ip)
{
// 1. FASTEST CHECK: Is it the server itself? (Localhost or Server IP)
$serverIps = ['127.0.0.1', '::1'];
if (!empty($_SERVER['SERVER_ADDR'])) {
$serverIps[] = $_SERVER['SERVER_ADDR'];
}
if (in_array($ip, $serverIps, true)) {
return true;
}
// 2. FAST CHECK: PrestaShop Maintenance IPs
$maintenance_ips = Configuration::get('PS_MAINTENANCE_IP');
if ($maintenance_ips) {
$admin_ips = array_filter(array_map('trim', explode(',', $maintenance_ips)));
if (in_array($ip, $admin_ips, true)) {
return true;
}
}
self::updateWhitelistIfNeeded();
// Load whitelist into memory if not already done
if (self::$cachedWhitelist === null) {
if (file_exists(self::WHITELIST_FILE)) {
// FASTEST: OPcache will serve this directly from RAM
self::$cachedWhitelist = include(self::WHITELIST_FILE);
} else {
self::$cachedWhitelist = [];
}
}
// Check against CIDR blocks
foreach (self::$cachedWhitelist as $cidr) {
if (self::ipMatch($ip, $cidr)) {
return true;
}
}
return false;
}
/**
* Updates the whitelist once a day by fetching JSON lists from Google and Bing.
*/
private static function updateWhitelistIfNeeded()
{
$needsUpdate = true;
if (file_exists(self::WHITELIST_FILE)) {
$lastModified = filemtime(self::WHITELIST_FILE);
if ((time() - $lastModified) < self::UPDATE_INTERVAL) {
$needsUpdate = false;
}
}
if (!$needsUpdate) {
return;
}
$cidrs = [];
$urls = [
'https://developers.google.com/search/apis/ipranges/googlebot.json',
'https://www.bing.com/toolbox/bingbot.json',
'https://openai.com/chatgpt-user.json',
'https://openai.com/searchbot.json',
'https://openai.com/gptbot.json'
];
foreach ($urls as $url) {
$cidrs = array_merge($cidrs, self::extractIpPrefix($url));
}
// If we successfully fetched networks, update the file
if (!empty($cidrs)) {
$cidrs = array_values(array_unique($cidrs));
// Generate valid PHP code
$phpCode = "<?php\n\n// Auto-generated whitelist\nreturn " . var_export($cidrs, true) . ";\n";
// Write to file
file_put_contents(self::WHITELIST_FILE, $phpCode, LOCK_EX);
// IMPORTANT: Clear the old file from OPcache so PHP knows it changed!
if (function_exists('opcache_invalidate')) {
opcache_invalidate(self::WHITELIST_FILE, true);
}
self::$cachedWhitelist = $cidrs;
} else {
// If fetching failed (network issue), touch the file to delay the next retry to prevent spamming
if (file_exists(self::WHITELIST_FILE)) {
touch(self::WHITELIST_FILE);
}
}
}
public static function extractIpPrefix(string $url): array
{
$cidrs = [];
$json = @Tools::file_get_contents($url);
if ($json) {
$data = json_decode($json, true);
if (isset($data['prefixes'])) {
foreach ($data['prefixes'] as $prefix) {
if (isset($prefix['ipv4Prefix'])) $cidrs[] = $prefix['ipv4Prefix'];
if (isset($prefix['ipv6Prefix'])) $cidrs[] = $prefix['ipv6Prefix'];
}
}
}
return $cidrs;
}
/**
* Matches an IPv4 or IPv6 address against a CIDR block.
*/
private static function ipMatch($ip, $cidr)
{
if (strpos($cidr, '/') === false) {
return $ip === $cidr;
}
list($subnet, $mask) = explode('/', $cidr);
// Match IPv4
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) && filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
$ip_long = ip2long($ip);
$subnet_long = ip2long($subnet);
$mask_long = ~((1 << (32 - $mask)) - 1);
return ($ip_long & $mask_long) === ($subnet_long & $mask_long);
}
// Match IPv6
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && filter_var($subnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
$ip_bin = inet_pton($ip);
$subnet_bin = inet_pton($subnet);
if (!$ip_bin || !$subnet_bin) return false;
$bytes = floor($mask / 8);
$bits = $mask % 8;
if ($bytes > 0 && substr($ip_bin, 0, $bytes) !== substr($subnet_bin, 0, $bytes)) {
return false;
}
if ($bits > 0) {
$ip_byte = ord($ip_bin[$bytes]);
$subnet_byte = ord($subnet_bin[$bytes]);
$bitmask = ~((1 << (8 - $bits)) - 1) & 0xFF;
if (($ip_byte & $bitmask) !== ($subnet_byte & $bitmask)) {
return false;
}
}
return true;
}
return false;
}
/**
* Rotates the log:
* 1. Deletes the .old file
@@ -37,4 +214,76 @@ class BotLogger
// Rename current to backup
@rename(self::LOG_FILE, $backup_file);
}
/**
* Safely gets the real client IP, completely immune to Header Spoofing.
*/
public static function getRealIp()
{
// 1. Get the actual, un-spoofable TCP connection IP
$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
// 2. Is the connection physically coming from Cloudflare?
if (self::isCloudflareIp($remoteAddr)) {
// ONLY trust these headers because Cloudflare guaranteed them
if (!empty($_SERVER['HTTP_CF_CONNECTING_IP']) && filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP)) {
return $_SERVER['HTTP_CF_CONNECTING_IP'];
}
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
$ip = trim($ips[0]);
if (filter_var($ip, FILTER_VALIDATE_IP)) {
return $ip;
}
}
}
// 3. Fallback: If it's NOT Cloudflare, it's either a direct user or a hacker.
// We MUST ignore their headers and use the raw TCP connection IP.
return $remoteAddr;
}
/**
* Checks if the IP belongs to official Cloudflare Networks.
* (These ranges rarely change, standard practice is to hardcode them)
*/
private static function isCloudflareIp($ip)
{
static $cf_ips = [
// IPv4
'173.245.48.0/20',
'103.21.244.0/22',
'103.22.200.0/22',
'103.31.4.0/22',
'141.101.64.0/18',
'108.162.192.0/18',
'190.93.240.0/20',
'188.114.96.0/20',
'197.234.240.0/22',
'198.41.128.0/17',
'162.158.0.0/15',
'104.16.0.0/13',
'104.24.0.0/14',
'172.64.0.0/13',
'131.0.72.0/22',
// IPv6
'2400:cb00::/32',
'2606:4700::/32',
'2803:f800::/32',
'2405:b500::/32',
'2405:8100::/32',
'2a06:98c0::/29',
'2c0f:f248::/32'
];
foreach ($cf_ips as $cidr) {
if (self::ipMatch($ip, $cidr)) {
return true;
}
}
return false;
}
}