Download the PHP package hassan-lateef/guardian without Composer

On this page you can find all versions of the php package hassan-lateef/guardian. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package guardian

Guardian

Guardian is a Laravel package for validating uploaded files before you store them.

It is designed to catch common upload abuse cases such as:

What Guardian Currently Does

The active scan pipeline in the package is:

  1. ExtensionScanner
  2. MimeScanner
  3. ContentScanner
  4. SvgScanner
  5. StructuralScanner

Guardian fails fast. The first scanner that rejects the file stops the pipeline.

Installation

Publish the config:

Usage

Middleware

Guardian registers the guardian middleware alias automatically through the package service provider.

The middleware scans every uploaded file in the request, including nested file arrays.

Validation Rule

You can also use the facade helper:

Manual Inspection

If you want a result object instead of an exception:

Multiple Files

Scanner Details

1. Extension Scanner

Checks the original filename and:

Example rejected names:

2. MIME Scanner

Uses PHP fileinfo to detect the file's real MIME type from the file bytes, then verifies:

This catches renamed files whose contents do not match their extension.
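
The check described above, together with the fail-fast behaviour of the pipeline, as an added PHP example that is not Guardian's own code. The function names, the allowed map and the blocked list are assumptions made for the illustration, not the package's defaults.

```php
<?php
// Added example, not Guardian's code. Both lists are constructed sample values.
const ALLOWED_MIMES = ['png' => ['image/png'], 'jpg' => ['image/jpeg'], 'pdf' => ['application/pdf']];
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'exe', 'sh'];

/** Each scanner returns null to pass, or a rejection reason. */
function scanExtension(string $path, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (in_array($ext, BLOCKED_EXTENSIONS, true) || !array_key_exists($ext, ALLOWED_MIMES)) {
        return "extension .$ext is not accepted";
    }
    return null;
}

function scanMime(string $path, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    // fileinfo inspects the bytes on disk; the client-supplied type is never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected === false) {
        return 'MIME type could not be detected';
    }
    if (!in_array($detected, ALLOWED_MIMES[$ext] ?? [], true)) {
        return "content is $detected, which is not valid for .$ext";
    }
    return null;
}

/** Runs the scanners in order and stops at the first rejection. */
function inspectUpload(string $path, string $originalName): array
{
    $pipeline = ['extension' => 'scanExtension', 'mime' => 'scanMime'];
    foreach ($pipeline as $name => $scanner) {
        $reason = $scanner($path, $originalName);
        if ($reason !== null) {
            return ['passed' => false, 'scanner' => $name, 'reason' => $reason];
        }
    }
    return ['passed' => true, 'scanner' => null, 'reason' => null];
}

// Constructed sample: a PHP script uploaded under an image name.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'hi'; ?>\n");
print_r(inspectUpload($tmp, 'avatar.png'));
unlink($tmp);
```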

3. Content Scanner

Reads up to the first 1 MB of the file and scans based on extension group:

Current default groups:

Examples of patterns checked include:

4. SVG Scanner

Runs only for .svg files when guardian.svg_deep_scan is enabled.

It parses the SVG as XML and rejects configured dangerous elements and attributes.

Default forbidden elements include:

Default forbidden attributes include a long list of event handlers such as:

It also blocks:

Important: the current config intentionally allows some SVG features that older docs often block, such as legitimate <use> references and harmless visual elements, while still blocking dangerous URI and style payloads.
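
An added PHP example of this kind of scan, not Guardian's own code: it parses the SVG with DOMDocument and reports forbidden elements, event-handler attributes and dangerous URIs, while a plain `<use>` reference passes. The function name and the element list are assumptions made for the illustration, not the package's default configuration.

```php
<?php
// Added example, not Guardian's code. The element list is a constructed
// sample, not the package's default configuration.
const FORBIDDEN_ELEMENTS = ['script', 'foreignobject', 'iframe', 'embed', 'object'];

/** Returns a list of findings; an empty list means nothing was flagged. */
function scanSvg(string $svg): array
{
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately not set: no entity substitution, no DTD fetch.
    $ok = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        return ['not well-formed XML'];
    }
    $findings = [];
    foreach ($dom->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, FORBIDDEN_ELEMENTS, true)) {
            $findings[] = "forbidden element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            // Drop whitespace and control characters before matching the scheme.
            $value = strtolower((string) preg_replace('/[\s\x00-\x1f]+/', '', $attr->value));
            if (str_starts_with($attrName, 'on')) {
                $findings[] = "event handler $attrName on <$name>";
            } elseif (in_array($attrName, ['href', 'src'], true)
                && preg_match('/^(javascript|vbscript):|^data:text\/html/', $value)) {
                $findings[] = "dangerous URI in $attrName on <$name>";
            }
        }
    }
    return $findings;
}

// Constructed sample input.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle r="5" onload="alert(1)"/>
  <a xlink:href="java&#x09;script:alert(1)"><text>link</text></a>
  <use xlink:href="#icon"/>
  <script>alert(1)</script>
</svg>
SVG;
print_r(scanSvg($sample));
```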

5. Structural Scanner

Performs format-specific validation when guardian.structural_validation is enabled.

Current behavior:

If guardian.re_encode_images is true, supported images are re-encoded through GD to strip embedded payloads and metadata from the temporary uploaded file before you store it.
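
What re-encoding through GD does to a file, as an added PHP example that is not Guardian's own code. The function name `reencodePng` and the sample file are assumptions made for the illustration.

```php
<?php
// Added example, not Guardian's code; requires ext-gd.

/** Decodes the image and writes back only its pixel data as a fresh PNG. */
function reencodePng(string $path): bool
{
    $bytes = file_get_contents($path);
    $image = $bytes === false ? false : @imagecreatefromstring($bytes);
    if ($image === false) {
        return false; // not decodable as an image: treat as a rejection
    }
    imagesavealpha($image, true); // keep transparency in the re-encoded copy
    $tmp = $path . '.reenc';
    // Write to a sibling file first so a failed encode never truncates the upload.
    return imagepng($image, $tmp) && rename($tmp, $path);
}

// Constructed sample: a valid 8x8 PNG with PHP-tagged text appended after the image data.
$path = tempnam(sys_get_temp_dir(), 'img');
imagepng(imagecreatetruecolor(8, 8), $path);
file_put_contents($path, '<?php /* constructed marker */ ?>', FILE_APPEND);

$before = str_contains(file_get_contents($path), '<?php');
$ok = reencodePng($path);
$after = str_contains(file_get_contents($path), '<?php');
var_dump($before, $ok, $after);
unlink($path);
```

Re-encoding removes appended data and metadata chunks; it does not by itself make the stored file safe to serve from a directory where the web server executes scripts.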

Structural validation currently applies to:

Other allowed file types still pass through the earlier scanners, but do not currently receive extra structural validation.

Configuration

After publishing the config, you can tune Guardian through config/guardian.php.

Allowed MIME Map

Guardian only accepts MIME types defined in allowed_mimes.

The shipped config includes support for:

Blocked Extensions

The default blocked list includes executable and server-side formats such as:

Useful Config Flags

Content Scan Map

Optional Size Limit

The core Guardian class also checks guardian.max_file_size if you define it in your config. The published config does not currently include this key by default, but the runtime supports it.

Example:

Rejections and Responses

Guardian::inspect() throws Hassan\Guardian\Exceptions\MaliciousFileException when a file is rejected.

The exception renders a 422 JSON response automatically:

You can also catch it manually:

Logging

When log_rejections is enabled, Guardian logs rejected uploads with:

ClamAV Status

The repository contains a ClamAvScanner class and related config keys under guardian.clamav.

Current package state:

That means enabling guardian.clamav.enabled in config alone does not currently add ClamAV scanning to normal Guardian::inspect() or Guardian::check() calls.

If you want to experiment with a custom pipeline, you can override the scanner list:

Requirements

From composer.json, the package currently requires:

Notes


All versions of guardian with dependencies

Requires php Version ^8.1
ext-gd Version *
ext-libxml Version *
ext-dom Version *
ext-fileinfo Version *