Secure storage by default (#1443)

Disable the OpenHandler for storage by default, need to explicitly enable to browse previous requests.
barryvdh · Aug 24, 2023 · cde481e · cde481e
1 parent 9aeb524
commit cde481e
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 4 deletions.
diff --git a/config/debugbar.php b/config/debugbar.php
@@ -31,9 +31,13 @@
      | By default, file storage (in the storage folder) is used. Redis and PDO
      | can also be used. For PDO, run the package migrations first.
      |
+     | Warning: Enabling storage.open will allow everyone to access previous request, 
+     | do not enable open storage in publicly available environments!  
+     | Specify a callback if you want to limit based on IP or authentication.
      */
     'storage' => [
         'enabled'    => true,
+        'open'       => env('DEBUGBAR_OPEN_STORAGE', false), // Can be bool or callback. 
         'driver'     => 'file', // redis, file, pdo, socket, custom
         'path'       => storage_path('debugbar'), // For file driver
         'connection' => null,   // Leave null for default connection (Redis/PDO)

diff --git a/readme.md b/readme.md
@@ -14,7 +14,7 @@ Read [the documentation](http://phpdebugbar.com/docs/) for more configuration op
 ![Debugbar 3.3 Screenshot](https://user-images.githubusercontent.com/973269/79428890-196cc680-7fc7-11ea-8229-189f5eac9009.png)
 
 
-> Note: Use the DebugBar only in development. Do not use Debugbar on public websites, as it will leak information from stored requests (by design). It can also slow the application down (because it has to gather data). So when experiencing slowness, try disabling some of the collectors.
+### Note: Use the DebugBar only in development. Do not use Debugbar on publicly accessible websites, as it will leak information from stored requests (by design). It can also slow the application down (because it has to gather data). So when experiencing slowness, try disabling some of the collectors.
 
 This package includes some custom collectors:
  - QueryCollector: Show all queries, including binding + timing
@@ -183,6 +183,12 @@ You can enable or disable the debugbar during run time.
 
 NB. Once enabled, the collectors are added (and could produce extra overhead), so if you want to use the debugbar in production, disable in the config and only enable when needed.
 
+## Storage
+
+Debugbar remembers previous requests, which you can view using the Browse button on the right. This will only work if you enable `debugbar.storage.open` in the config. 
+Make sure you only do this on local development, because otherwise other people will be able to view previous requests.
+In general, Debugbar should only be used locally or at least restricted by IP.
+It's possible to pass a callback, which will receive the Request object, so you can determine access to the OpenHandler storage.
 
 ## Twig Integration
 

diff --git a/src/Controllers/OpenHandlerController.php b/src/Controllers/OpenHandlerController.php
@@ -3,16 +3,47 @@
 namespace Barryvdh\Debugbar\Controllers;
 
 use Barryvdh\Debugbar\Support\Clockwork\Converter;
+use DebugBar\DebugBarException;
 use DebugBar\OpenHandler;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 
 class OpenHandlerController extends BaseController
 {
+    /**
+     * Check if the storage is open for inspecting.
+     *
+     * @param Request $request
+     * @return bool
+     */
+    protected function isStorageOpen(Request $request)
+    {
+        $open = config('debugbar.storage.open');
+
+        if (is_callable($open)) {
+            return call_user_func($open, [$request]);
+        }
+
+        return $open;
+    }
+
     public function handle(Request $request)
     {
-        $openHandler = new OpenHandler($this->debugbar);
-        $data = $openHandler->handle($request->input(), false, false);
+        if ($this->isStorageOpen($request)) {
+            $openHandler = new OpenHandler($this->debugbar);
+            $data = $openHandler->handle($request->input(), false, false);
+        } else {
+            $data = [
+                [
+                    'datetime' => date("Y-m-d H:i:s"),
+                    'id' => null,
+                    'ip' => $request->getClientIp(),
+                    'method' => 'ERROR',
+                    'uri' => '!! To enable public access to previous requests, set debugbar.storage.open, or DEBUGBAR_OPEN_STORAGE to true in you config !!',
+                    'utime' => microtime(true),
+                ]
+            ];
+        }
 
         return new Response(
             $data,
@@ -30,8 +61,12 @@ public function handle(Request $request)
      * @return mixed
      * @throws \DebugBar\DebugBarException
      */
-    public function clockwork($id)
+    public function clockwork(Request $request, $id)
     {
+        if (!$this->isStorageOpen($request)) {
+            throw new DebugBarException(" o enable public access to previous requests, set debugbar.storage.open, or DEBUGBAR_OPEN_STORAGE to true in you config");
+        }
+
         $request = [
             'op' => 'get',
             'id' => $id,