From 45f30ec05fb61e6c2b614354bbd9f5e0f3b8facc Mon Sep 17 00:00:00 2001
From: Ahmet Bora
Date: Wed, 28 Feb 2024 11:55:13 +0300
Subject: [PATCH 1/3] New `security` command

---
 README.md | 1 +
 commands/security.php | 55 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 commands/security.php

diff --git a/README.md b/README.md
index 84483b9..e2bb39d 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,7 @@ This should print the Kirby CLI version and a list of available commands
 - kirby register
 - kirby remove:command
 - kirby roots
+- kirby security
 - kirby unzip
 - kirby upgrade
 - kirby uuid:generate
diff --git a/commands/security.php b/commands/security.php
new file mode 100644
index 0000000..59a4e76
--- /dev/null
+++ b/commands/security.php
@@ -0,0 +1,55 @@
+ 'Performs security checks of the site',
+ 'command' => static function (CLI $cli): void {
+ $kirby = $cli->kirby();
+ $system = $kirby->system();
+ $updateStatus = $system->updateStatus();
+ $messages = [
+ ...array_column($updateStatus?->messages() ?? [], 'text'),
+ ...$updateStatus->exceptionMessages()
+ ];
+
+ if ($kirby->option('debug', false) === true) {
+ $messages[] = I18n::translate('system.issues.debug');
+ }
+
+ if ($kirby->environment()->https() !== true) {
+ $messages[] = I18n::translate('system.issues.https');
+ }
+
+ // checks exposable urls of the site
+ // works only site url is absolute since can't get it in CLI mode
+ // and CURL won't work for relative urls
+ if (Url::isAbsolute($kirby->url())) {
+ $urls = [
+ 'content' => $system->exposedFileUrl('content'),
+ 'git' => $system->exposedFileUrl('git'),
+ 'kirby' => $system->exposedFileUrl('kirby'),
+ 'site' => $system->exposedFileUrl('site')
+ ];
+
+ foreach ($urls as $key => $url) {
+ if (empty($url) === false && Remote::get($url)->code() < 400) {
+ $messages[] = I18n::translate('system.issues.' . $key);
+ }
+ }
+ }
+
+ if (empty($messages) === false) {
+ foreach ($messages as $message) {
+ $cli->error('> ' . $message);
+ }
+ } else {
+ $cli->success('No security warnings were detected');
+ }
+ }
+];

From 8afcf48d20e94cd66e5727eb5e1c312ac609e422 Mon Sep 17 00:00:00 2001
From: Ahmet Bora
Date: Tue, 28 May 2024 14:58:16 +0300
Subject: [PATCH 2/3] Apply code reviews

---
 commands/security.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/commands/security.php b/commands/security.php
index 59a4e76..5155e52 100644
--- a/commands/security.php
+++ b/commands/security.php
@@ -42,6 +42,8 @@
 $messages[] = I18n::translate('system.issues.' . $key);
 }
 }
+ } else {
+ $messages[] = 'Could not check for exposed folders as the site URL is not absolute';
 }
 
 if (empty($messages) === false) {
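Review bot: `...$updateStatus->exceptionMessages()` dereferences `$updateStatus` unconditionally while the line directly above guards the same value with `?->`, so if `updateStatus()` can return null (which the nullsafe operator implies) the command dies with a call on null before any check runs; the two lines should agree, e.g. `...($updateStatus?->exceptionMessages() ?? [])`. In the exposure loop, `Remote::get($url)->code() < 400` counts every 3xx answer as an exposed folder, so a site that redirects http to https or sends unknown paths to a login page is reported as exposed; limiting the finding to successful responses (`>= 200 && < 300`) and reporting redirects separately would avoid that false positive, though this is worth confirming against the check Kirby's panel performs for the same URLs. The per-URL request has no visible error handling, so if `Remote::get()` throws on a connection failure (not visible in this hunk) the whole command aborts instead of recording that the exposure check could not be completed; a try/catch around the request that appends a "check skipped" message would be more robust. The hunk's opening lines (file header and `use` statements) are not visible in this rendering, so the imports backing `I18n`, `Remote` and `Url` could not be checked.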
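Review bot: The new `else` branch pushes the "Could not check for exposed folders…" notice into `$messages`, the same list that `$cli->error()` prints as findings, so an inconclusive check is shown with the same severity as a confirmed exposure and, together with the `@@ -49,7 +51,7 @@` hunk of this commit, it also suppresses the success summary for every site whose configured URL is relative, which the comment above the check suggests is common in CLI mode. Keeping skipped checks in their own list (e.g. `$skipped[] = 'Could not check for exposed folders as the site URL is not absolute';`) and printing them with a non-error output call before the summary would keep "found a problem" and "could not check" distinguishable for the operator. This string is also the only message in the command that bypasses `I18n::translate()`, which is acceptable for a CLI diagnostic but deserves a short comment such as `// not translated: CLI-only diagnostic` so it is not read as an oversight. The enclosing `command` closure starts and ends outside this hunk.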
@@ -49,7 +51,7 @@
 $cli->error('> ' . $message);
 }
 } else {
- $cli->success('No security warnings were detected');
+ $cli->success('Basic security checks were successful, please review https://getkirby.com/docs/guide/security for additional best practices.');
 }
 }
 ];

From 91e069328731b966ce692d471fbf5eb8c8245a23 Mon Sep 17 00:00:00 2001
From: Ahmet Bora
Date: Tue, 28 May 2024 15:04:02 +0300
Subject: [PATCH 3/3] Update composer.lock

---
 composer.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/composer.lock b/composer.lock
index 8dedd95..b6201f7 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "361a47582c9946f984b0dd2654e9cb87", + "content-hash": "07ff4611ac0ceeb139ff7dc64aa24a3c", "packages": [ { "name": "guzzlehttp/guzzle", @@ -450,20 +450,20 @@ }, { "name": "psr/http-factory", - "version": "1.0.2", + "version": "1.1.0", "source": { "type": "git", "url": "https://github.com/php-fig/http-factory.git", - "reference": "e616d01114759c4c489f93b099585439f795fe35" + "reference": "2b4765fddfe3b508ac62f829e852b1501d3f6e8a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-factory/zipball/e616d01114759c4c489f93b099585439f795fe35", - "reference": "e616d01114759c4c489f93b099585439f795fe35", + "url": "https://api.github.com/repos/php-fig/http-factory/zipball/2b4765fddfe3b508ac62f829e852b1501d3f6e8a", + "reference": "2b4765fddfe3b508ac62f829e852b1501d3f6e8a", "shasum": "" }, "require": { - "php": ">=7.0.0", + "php": ">=7.1", "psr/http-message": "^1.0 || ^2.0" }, "type": "library", @@ -487,7 +487,7 @@ "homepage": "https://www.php-fig.org/" } ], - "description": "Common interfaces for PSR-7 HTTP message factories", + "description": "PSR-17: Common interfaces for PSR-7 HTTP message factories", "keywords": [ "factory", "http", 
@@ -499,9 +499,9 @@ "response" ], "support": { - "source": "https://github.com/php-fig/http-factory/tree/1.0.2" + "source": "https://github.com/php-fig/http-factory" }, - "time": "2023-04-10T20:10:41+00:00" + "time": "2024-04-15T12:06:14+00:00" }, { "name": "psr/http-message", @@ -707,16 +707,16 @@ }, { "name": "symfony/deprecation-contracts", - "version": "v3.4.0", + "version": "v3.5.0", "source": { "type": "git", "url": "https://github.com/symfony/deprecation-contracts.git", - "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf" + "reference": "0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/7c3aff79d10325257a001fcf92d991f24fc967cf", - "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf", + "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1", + "reference": "0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1", "shasum": "" }, "require": { @@ -725,7 +725,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-main": "3.4-dev" + "dev-main": "3.5-dev" }, "thanks": { "name": "symfony/contracts", @@ -754,7 +754,7 @@ "description": "A generic function and convention to trigger deprecation notices", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/deprecation-contracts/tree/v3.4.0" + "source": "https://github.com/symfony/deprecation-contracts/tree/v3.5.0" }, "funding": [ { @@ -770,7 +770,7 @@ "type": "tidelift" } ], - "time": "2023-05-23T14:45:45+00:00" + "time": "2024-04-18T09:32:20+00:00" } ], "packages-dev": [],