File: /var/www/html/wptuneprotect/wp-content/plugins/defender-security/src/traits/ip.php
<?php
/**
 * Helper functions for IP related tasks.
 *
 * @package WP_Defender\Traits
 */
namespace WP_Defender\Traits;
use WP_Defender\Component\Http\Remote_Address;
use WP_Defender\Component\Smart_Ip_Detection;
use WP_Defender\Model\Setting\Firewall;
trait IP {
	/**
	 * Check if the IP is IPv4 address.
	 *
	 * @param  mixed $ip  IP address.
	 *
	 * @return mixed
	 */
	private function is_v4( $ip ) {
		return filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 );
	}
	/**
	 * Check if the given IP address is an IPv6 address.
	 *
	 * @param  string $ip  The IP address to check.
	 *
	 * @return bool Returns true if the IP address is an IPv6 address, false otherwise.
	 */
	private function is_v6( $ip ) {
		return filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 );
	}
	/**
	 * Check if IPv6 is supported.
	 *
	 * @return bool
	 */
	private function is_v6_support(): bool {
		return defined( 'AF_INET6' );
	}
	/**
	 * Convert IPv4 address to IPv6 address.
	 *
	 * @param  string $ip  IPv4 address.
	 *
	 * @return bool|string
	 */
	private function expand_ip_v6( $ip ) {
		$hex = unpack( 'H*hex', inet_pton( $ip ) );
		return substr( preg_replace( '/([A-f0-9]{4})/', '$1:', $hex['hex'] ), 0, - 1 );
	}
	/**
	 * Convert IPv6 address to binary.
	 *
	 * @param  string $inet  The packed data.
	 * @src https://stackoverflow.com/a/7951507
	 *
	 * @return string
	 */
	private function ine_to_bits( $inet ): string {
		$unpacked = unpack( 'a16', $inet );
		$unpacked = str_split( $unpacked[1] );
		$binaryip = '';
		foreach ( $unpacked as $char ) {
			$binaryip .= str_pad( decbin( ord( $char ) ), 8, '0', STR_PAD_LEFT );
		}
		return $binaryip;
	}
	/**
	 * Compare if an IPv4 address is within a specified range.
	 *
	 * @param  string $ip  The IPv4 address to compare.
	 * @param  string $first_in_range  The lower bound of the range.
	 * @param  string $last_in_range  The upper bound of the range.
	 *
	 * @return bool Returns true if the IP address is within the range, false otherwise.
	 */
	private function compare_v4_in_range( $ip, $first_in_range, $last_in_range ): bool {
		$low  = sprintf( '%u', ip2long( $first_in_range ) );
		$high = sprintf( '%u', ip2long( $last_in_range ) );
		$cip = sprintf( '%u', ip2long( $ip ) );
		if ( $high >= $cip && $cip >= $low ) {
			return true;
		}
		return false;
	}
	/**
	 * Compare if an IPv6 address is within a specified range.
	 *
	 * @param  string $ip  The IPv6 address to compare.
	 * @param  string $first_in_range  The lower bound of the range.
	 * @param  string $last_in_range  The upper bound of the range.
	 *
	 * @return bool Returns true if the IP address is within the range, false otherwise.
	 */
	private function compare_v6_in_range( $ip, $first_in_range, $last_in_range ): bool {
		$first_in_range = inet_pton( $this->expand_ip_v6( $first_in_range ) );
		$last_in_range  = inet_pton( $this->expand_ip_v6( $last_in_range ) );
		$ip             = inet_pton( $this->expand_ip_v6( $ip ) );
		if ( ( strlen( $ip ) === strlen( $first_in_range ) )
			&& ( $ip >= $first_in_range && $ip <= $last_in_range ) ) {
			return true;
		} else {
			return false;
		}
	}
	/**
	 * Compares an IPv4 address with a CIDR block.
	 *
	 * @param  string $ip  The IPv4 address to compare.
	 * @param  string $block  The CIDR block to compare against.
	 *
	 * @return bool Returns true if the IP address is within the CIDR block, false otherwise.
	 */
	private function compare_cidrv4( $ip, $block ): bool {
		[ $subnet, $bits ] = explode( '/', $block );
		if ( is_null( $bits ) ) {
			$bits = 32;
		}
		$ip      = ip2long( $ip );
		$subnet  = ip2long( $subnet );
		$mask    = - 1 << ( 32 - $bits );
		$subnet &= $mask;// nb: in case the supplied subnet wasn't correctly aligned.
		return ( $ip & $mask ) === $subnet;
	}
	/**
	 * Compares an IPv6 address with a CIDR block.
	 *
	 * @param  string $ip  The IPv6 address to compare.
	 * @param  string $block  The CIDR block to compare against.
	 *
	 * @return bool Returns true if the IP address is within the CIDR block, false otherwise.
	 */
	private function compare_cidrv6( $ip, $block ): bool {
		$ip                = $this->expand_ip_v6( $ip );
		$ip                = inet_pton( $ip );
		$b_ip              = $this->ine_to_bits( $ip );
		[ $subnet, $bits ] = explode( '/', $block );
		$subnet            = $this->expand_ip_v6( $subnet );
		$subnet            = inet_pton( $subnet );
		$b_subnet          = $this->ine_to_bits( $subnet );
		$ip_net_bits = substr( $b_ip, 0, $bits );
		$subnet_bits = substr( $b_subnet, 0, $bits );
		return $ip_net_bits === $subnet_bits;
	}
	/**
	 * Compare ip2 to ip1, true if ip2>ip1, false if not.
	 *
	 * @param  string $ip1  The first IP address to compare.
	 * @param  string $ip2  The second IP address to compare.
	 *
	 * @return bool Returns true if ip2 is greater than ip1, false otherwise.
	 */
	public function compare_ip( $ip1, $ip2 ): bool {
		if ( $this->is_v4( $ip1 ) && $this->is_v4( $ip2 ) ) {
			if ( sprintf( '%u', ip2long( $ip2 ) ) - sprintf( '%u', ip2long( $ip1 ) ) > 0 ) {
				return true;
			}
		} elseif ( $this->is_v6( $ip1 ) && $this->is_v6( $ip2 ) && $this->is_v6_support() ) {
			$ip1 = inet_pton( $this->expand_ip_v6( $ip1 ) );
			$ip2 = inet_pton( $this->expand_ip_v6( $ip2 ) );
			return $ip2 > $ip1;
		}
		return false;
	}
	/**
	 * Compare if an IP address is within a specified range.
	 *
	 * @param  string $ip  The IP address to compare.
	 * @param  string $first_in_range  The lower bound of the range.
	 * @param  string $last_in_range  The upper bound of the range.
	 *
	 * @return bool Returns true if the IP address is within the range, false otherwise.
	 */
	public function compare_in_range( $ip, $first_in_range, $last_in_range ): bool {
		if ( $this->is_v4( $first_in_range ) && $this->is_v4( $last_in_range ) ) {
			return $this->compare_v4_in_range( $ip, $first_in_range, $last_in_range );
		} elseif ( $this->is_v6( $first_in_range ) && $this->is_v6( $last_in_range ) && $this->is_v6_support() ) {
			return $this->compare_v6_in_range( $ip, $first_in_range, $last_in_range );
		}
		return false;
	}
	/**
	 * Compares an IP address with a CIDR block.
	 *
	 * @param  string $ip  The IP address to compare.
	 * @param  string $block  The CIDR block to compare against.
	 *
	 * @return bool Returns true if the IP address is within the CIDR block, false otherwise.
	 */
	public function compare_cidr( $ip, $block ): bool {
		[ $subnet, $bits ] = explode( '/', $block );
		if ( $this->is_v4( $ip ) && $this->is_v4( $subnet ) ) {
			return $this->compare_cidrv4( $ip, $block );
		} elseif ( $this->is_v6( $ip ) && $this->is_v6( $subnet ) && $this->is_v6_support() ) {
			return $this->compare_cidrv6( $ip, $block );
		}
		return false;
	}
	/**
	 * $ip an be single ip, or a range like xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx or CIDR.
	 *
	 * @param  string $ip  The IP address to validate.
	 *
	 * @return bool
	 */
	public function validate_ip( $ip ): bool {
		if (
			! stristr( $ip, '-' )
			&& ! stristr( $ip, '/' )
			&& filter_var( $ip, FILTER_VALIDATE_IP ) ) {
			// Only ip, no '-', '/' symbols.
			return true;
		} elseif ( stristr( $ip, '-' ) ) {
			$ips = explode( '-', $ip );
			foreach ( $ips as $ip_key ) {
				if ( ! filter_var( $ip_key, FILTER_VALIDATE_IP ) ) {
					return false;
				}
			}
			if ( $this->compare_ip( $ips[0], $ips[1] ) ) {
				return true;
			}
		} elseif ( stristr( $ip, '/' ) ) {
			[ $ip, $bits ] = explode( '/', $ip );
			if ( filter_var( $ip, FILTER_VALIDATE_IP ) && filter_var( $bits, FILTER_VALIDATE_INT ) ) {
				if ( $this->is_v4( $ip ) && 0 <= $bits && $bits <= 32 ) {
					return true;
				} elseif ( $this->is_v6( $ip ) && 0 <= $bits && $bits <= 128 && $this->is_v6_support() ) {
					return true;
				}
			}
		}
		return false;
	}
	/**
	 * Display a message if IP is non-valid. The cases:
	 * 1) single IP (no '-', '/' symbols),
	 * 2) IP range,
	 * 3) CIDR.
	 * Ignore cases with private, reserved ranges.
	 *
	 * @src https://en.wikipedia.org/wiki/IPv4#Special-use_addresses
	 * @src https://en.wikipedia.org/wiki/IPv6#Special-use_addresses
	 *
	 * @param  mixed $ip  IP address.
	 *
	 * @return array
	 */
	public function display_validation_message( $ip ): array {
		$errors = array();
		// Case 1: single IP.
		if (
			! stristr( $ip, '-' )
			&& ! stristr( $ip, '/' )
			&& ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
			$errors[] = sprintf(
			/* translators: %s: IP value. */
				esc_html__( '%s – invalid format', 'defender-security' ),
				'<b>' . $ip . '</b>'
			);
			// Case 2: IP range.
		} elseif ( stristr( $ip, '-' ) ) {
			$ips = explode( '-', $ip );
			foreach ( $ips as $ip_key ) {
				if ( ! filter_var( $ip_key, FILTER_VALIDATE_IP ) ) {
					$errors[] = sprintf(
					/* translators: %s: IP value. */
						esc_html__( '%s – invalid format', 'defender-security' ),
						'<b>' . $ip_key . '</b>'
					);
				}
			}
			if ( ! $this->compare_ip( $ips[0], $ips[1] ) ) {
				$errors[] = sprintf(
				/* translators: 1. IP value. 2. IP value. */
					esc_html__( 'Can\'t compare %1$s with %2$s.', 'defender-security' ),
					'<b>' . $ips[1] . '</b>',
					'<b>' . $ips[0] . '</b>'
				);
			}
			// Case 3: CIDR.
		} elseif ( stristr( $ip, '/' ) ) {
			[ $ip, $bits ] = explode( '/', $ip );
			if ( filter_var( $ip, FILTER_VALIDATE_IP ) && filter_var( $bits, FILTER_VALIDATE_INT ) ) {
				if ( ! $this->is_v4( $ip ) || 0 > $bits || $bits > 32 ) {
					if ( ! $this->is_v6( $ip ) || 0 > $bits || $bits > 128 || ! $this->is_v6_support() ) {
						$errors[] = sprintf(
						/* translators: %s: IP value. */
							esc_html__( '%s – address out of range', 'defender-security' ),
							'<b>' . $ip . '</b>'
						);
					}
				}
			} else {
				$errors[] = sprintf(
				/* translators: %s: IP value. */
					esc_html__( '%s – invalid format', 'defender-security' ),
					'<b>' . $ip . '</b>'
				);
			}
		}
		// @since 2.6.3
		return (array) apply_filters( 'wd_display_ip_validations', $errors );
	}
	/**
	 * Validate IP.
	 *
	 * @param  mixed $ip  IP address.
	 *
	 * @return bool
	 */
	public function check_validate_ip( $ip ): bool {
		// Validate the localhost IP address.
		if ( in_array( $ip, $this->get_localhost_ips(), true ) ) {
			return true;
		}
		$filter_flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
		// @since 2.4.7
		if ( apply_filters( 'wp_defender_filtered_internal_ip', false ) ) {
			// Todo: improve display of IP log when filtering reserved or private IPv4/IPv6 ranges.
			$filter_flags = $filter_flags | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
		}
		if ( false === filter_var( $ip, FILTER_VALIDATE_IP, $filter_flags ) ) {
			return false;
		}
		return true;
	}
	/**
	 * Get user IP.
	 *
	 * @return array
	 */
	public function get_user_ip(): array {
		$service = wd_di()->get( Smart_Ip_Detection::class );
		if ( $service->is_smart_ip_detection_enabled() ) {
			$ip_detail = $service->get_smart_ip_detection_details();
			$ips       = isset( $ip_detail[0] ) ? array( $ip_detail[0] ) : array();
		} else {
			$remote_addr = wd_di()->get( Remote_Address::class );
			$ips         = (array) $remote_addr->get_ip_address();
		}
		return $this->filter_user_ips( $ips );
	}
	/**
	 * Get user IP header.
	 *
	 * @return string
	 */
	public function get_user_ip_header(): string {
		$ip_header = '';
		$service = wd_di()->get( Smart_Ip_Detection::class );
		if ( $service->is_smart_ip_detection_enabled() ) {
			$ip_detail = $service->get_smart_ip_detection_details();
			$ip_header = isset( $ip_detail[1] ) ? $ip_detail[1] : '';
		} else {
			$model       = wd_di()->get( Firewall::class );
			$remote_addr = wd_di()->get( Remote_Address::class );
			$ip_header   = $remote_addr->get_http_ip_header_value( esc_html( $model->http_ip_header ) );
		}
		return $ip_header;
	}
	/**
	 * Checks if an IP address is in the correct format within a given array of IP addresses.
	 *
	 * @param  string $ip  The IP address to check.
	 * @param  array  $arr_ips  An array of IP addresses to check against.
	 *
	 * @return bool Returns true if the IP address is in the correct format within the array, false otherwise.
	 */
	public function is_ip_in_format( $ip, $arr_ips ): bool {
		foreach ( $arr_ips as $wip ) {
			if ( false === strpos( $wip, '-' ) && false === strpos( $wip, '/' ) && trim( $wip ) === $ip ) {
				return true;
			} elseif ( false !== strpos( $wip, '-' ) ) {
				$ips = explode( '-', $wip );
				if ( $this->compare_in_range( $ip, $ips[0], $ips[1] ) ) {
					return true;
				}
			} elseif ( false !== strpos( $wip, '/' ) && $this->compare_cidr( $ip, $wip ) ) {
				return true;
			}
		}
		return false;
	}
	/**
	 * Filter user IPs.
	 * This function takes an array of user IPs, applies the 'defender_user_ip'
	 * filter to each IP, and returns a unique array of filtered values.
	 *
	 * @param  array $ips  An array of user IPs.
	 *
	 * @return array An array of unique, filtered user IPs.
	 * @since 4.4.2
	 */
	public function filter_user_ips( array $ips ): array {
		$ips_filtered = array();
		foreach ( $ips as $ip ) {
			/**
			 * Filters the user IP.
			 *
			 * @param  string  $ip  The user IP.
			 */
			$ips_filtered[] = apply_filters( 'defender_user_ip', $ip );
		}
		return array_unique( $ips_filtered );
	}
	/**
	 * Use $_SERVER['REMOTE_ADDR'] as the first protection layer to avoid spoofed headers.
	 *
	 * @param  string $blocked_ip  The IP address to check.
	 *
	 * @return string
	 */
	public function check_ip_by_remote_addr( $blocked_ip ): string {
		$ip_addr = defender_get_data_from_request( 'REMOTE_ADDR', 's' );
		return ! empty( $ip_addr ) ? $ip_addr : $blocked_ip;
	}
	/**
	 * Check if the given IP is a private IP.
	 *
	 * @param  string $ip  The IP address to check.
	 *
	 * @return bool True if the IP is a private IP, false otherwise.
	 */
	public function is_private_ip( string $ip ): bool {
		return filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE ) === false;
	}
	/**
	 * Maybe Loopback?
	 * Don't check '127.0.0.0/8' and '::1/128'.
	 *
	 * @return array
	 */
	public function get_localhost_ips(): array {
		return array( '127.0.0.1', '::1' );
	}
	/**
	 * Determines if the current request originates from this server.
	 *
	 * Validates that the request is a loopback from the server by:
	 * 1. Matching the IP against localhost, hostname IP, or a whitelisted server public IP.
	 * 2. Matching the User-Agent against the WordPress core loopback format.
	 *
	 * @return bool True if it's a valid server-originated loopback request; false otherwise.
	 */
	public function request_is_from_server(): bool {
		$user_ips = $this->get_user_ip();
		if ( empty( $user_ips ) ) {
			return false;
		}
		// Start building list of trusted server IPs.
		$trusted_ips = $this->get_localhost_ips();
		$server_ip   = defender_get_data_from_request( 'SERVER_ADDR', 's' );
		if ( $this->check_validate_ip( $server_ip ) ) {
			$trusted_ips[] = $server_ip;
		}
		$stored_ip = get_site_option( \WP_Defender\Component\Firewall::WHITELIST_SERVER_PUBLIC_IP_OPTION, '' );
		if ( $this->check_validate_ip( $stored_ip ) ) {
			$trusted_ips[] = $stored_ip;
		}
		/**
		 * Filters the list of trusted server IP addresses used to validate server-originated loopback requests.
		 *
		 * This filter allows developers to customize the list of IP addresses considered as trusted sources
		 * for internal server requests. These IPs are checked against the request's origin IP to determine
		 * whether it's a valid server-initiated loopback (e.g., WordPress cron or REST loopback check).
		 *
		 * Common use cases:
		 * - Add public-facing server IPs behind proxies/load balancers.
		 * - Adjust loopback behavior in containerized or cloud environments.
		 * - Remove/override default server hostname resolution or localhost IPs.
		 *
		 * @since 5.3.0
		 *
		 * @param array $trusted_ips An array of trusted server IP addresses.
		 */
		$trusted_ips = (array) apply_filters( 'wp_defender_server_ips', array_unique( $trusted_ips ) );
		// Only return true if the request IP is in the trusted list.
		if ( ! empty( array_intersect( $user_ips, $trusted_ips ) ) ) {
			return true;
		}
		// User-Agent missing? Not a valid loopback.
		$server_agent = defender_get_data_from_request( 'HTTP_USER_AGENT', 's' );
		if ( empty( $server_agent ) ) {
			return false;
		}
		// User-Agent must match WordPress loopback format.
		$expected_ua = 'WordPress/' . wp_get_wp_version() . '; ' . home_url( '/' );
		return $server_agent === $expected_ua;
	}
}