Sanitize user input on all API routes (references #996)
This commit is contained in:
parent
7b8438bfa2
commit
c11001467b
@ -10,7 +10,8 @@
|
|||||||
"gettext/gettext": "^4.8",
|
"gettext/gettext": "^4.8",
|
||||||
"eluceo/ical": "^0.16.0",
|
"eluceo/ical": "^0.16.0",
|
||||||
"erusev/parsedown": "^1.7",
|
"erusev/parsedown": "^1.7",
|
||||||
"gumlet/php-image-resize": "^1.9"
|
"gumlet/php-image-resize": "^1.9",
|
||||||
|
"ezyang/htmlpurifier": "^4.13"
|
||||||
},
|
},
|
||||||
"autoload": {
|
"autoload": {
|
||||||
"psr-4": {
|
"psr-4": {
|
||||||
|
52
composer.lock
generated
52
composer.lock
generated
@ -4,7 +4,7 @@
|
|||||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||||
"This file is @generated automatically"
|
"This file is @generated automatically"
|
||||||
],
|
],
|
||||||
"content-hash": "70c5b65f78f4eb43dac8df8dc144e56c",
|
"content-hash": "651fcabf083befffe196b08c8f17506b",
|
||||||
"packages": [
|
"packages": [
|
||||||
{
|
{
|
||||||
"name": "doctrine/inflector",
|
"name": "doctrine/inflector",
|
||||||
@ -195,6 +195,56 @@
|
|||||||
],
|
],
|
||||||
"time": "2019-12-30T22:54:17+00:00"
|
"time": "2019-12-30T22:54:17+00:00"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"name": "ezyang/htmlpurifier",
|
||||||
|
"version": "v4.13.0",
|
||||||
|
"source": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://github.com/ezyang/htmlpurifier.git",
|
||||||
|
"reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75"
|
||||||
|
},
|
||||||
|
"dist": {
|
||||||
|
"type": "zip",
|
||||||
|
"url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
|
||||||
|
"reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
|
||||||
|
"shasum": ""
|
||||||
|
},
|
||||||
|
"require": {
|
||||||
|
"php": ">=5.2"
|
||||||
|
},
|
||||||
|
"require-dev": {
|
||||||
|
"simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd"
|
||||||
|
},
|
||||||
|
"type": "library",
|
||||||
|
"autoload": {
|
||||||
|
"psr-0": {
|
||||||
|
"HTMLPurifier": "library/"
|
||||||
|
},
|
||||||
|
"files": [
|
||||||
|
"library/HTMLPurifier.composer.php"
|
||||||
|
],
|
||||||
|
"exclude-from-classmap": [
|
||||||
|
"/library/HTMLPurifier/Language/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"notification-url": "https://packagist.org/downloads/",
|
||||||
|
"license": [
|
||||||
|
"LGPL-2.1-or-later"
|
||||||
|
],
|
||||||
|
"authors": [
|
||||||
|
{
|
||||||
|
"name": "Edward Z. Yang",
|
||||||
|
"email": "admin@htmlpurifier.org",
|
||||||
|
"homepage": "http://ezyang.com"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"description": "Standards compliant HTML filter written in PHP",
|
||||||
|
"homepage": "http://htmlpurifier.org/",
|
||||||
|
"keywords": [
|
||||||
|
"html"
|
||||||
|
],
|
||||||
|
"time": "2020-06-29T00:56:53+00:00"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"name": "fig/http-message-util",
|
"name": "fig/http-message-util",
|
||||||
"version": "1.1.4",
|
"version": "1.1.4",
|
||||||
|
@ -115,4 +115,22 @@ class BaseApiController extends BaseController
|
|||||||
|
|
||||||
return $this->OpenApiSpec;
|
return $this->OpenApiSpec;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static $htmlPurifierInstance = null;
|
||||||
|
|
||||||
|
protected function GetParsedAndFilteredRequestBody($request)
|
||||||
|
{
|
||||||
|
if (self::$htmlPurifierInstance == null)
|
||||||
|
{
|
||||||
|
self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
|
||||||
|
}
|
||||||
|
|
||||||
|
$requestBody = $request->getParsedBody();
|
||||||
|
foreach ($requestBody as $key => &$value)
|
||||||
|
{
|
||||||
|
$value = self::$htmlPurifierInstance->purify($value);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $requestBody;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
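Review bot: `GetParsedAndFilteredRequestBody` treats the parsed body as a flat map of strings, but `getParsedBody()` can return `null` (the Recipes route in this commit guards `$requestBody !== null`) and values can be nested arrays (`excludedProductIds`), so the `foreach` emits a warning on a null body and `purify()` receives non-string values. It also entity-encodes `&`, `<`, `>` and `"` in every field, including `password` on the login and user create/edit routes, which are compared rather than rendered — a secret containing those characters is altered before verification. I would return non-array bodies unchanged, recurse into arrays, purify only strings, and leave credential keys untouched (the exact exclusion list needs confirming against the user routes), as sketched below; `unset($value)` after the by-reference loop and `=== null` for the instance check are minor points. The class declaration and `BaseController` are outside the hunk.
```php
protected function GetParsedAndFilteredRequestBody($request)
{
	if (self::$htmlPurifierInstance === null)
	{
		self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
	}

	$requestBody = $request->getParsedBody();
	if (!is_array($requestBody))
	{
		// null (no or unsupported body) or an object: nothing to filter
		return $requestBody;
	}

	return self::PurifyValues($requestBody);
}

// Purifies string leaves, descends into nested arrays and leaves credential
// fields alone: they are compared, never rendered, so encoding them only
// breaks verification.
private static function PurifyValues(array $values)
{
	foreach ($values as $key => $value)
	{
		if (is_array($value))
		{
			$values[$key] = self::PurifyValues($value);
		}
		elseif (is_string($value) && $key !== 'password')
		{
			$values[$key] = self::$htmlPurifierInstance->purify($value);
		}
	}

	return $values;
}
```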
|
@ -27,7 +27,7 @@ class BatteriesApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_BATTERIES_TRACK_CHARGE_CYCLE);
|
User::checkPermission($request, User::PERMISSION_BATTERIES_TRACK_CHARGE_CYCLE);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
@ -10,7 +10,7 @@ class ChoresApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$choreId = null;
|
$choreId = null;
|
||||||
|
|
||||||
@ -60,7 +60,7 @@ class ChoresApiController extends BaseApiController
|
|||||||
|
|
||||||
public function TrackChoreExecution(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
public function TrackChoreExecution(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
@ -18,7 +18,7 @@ class GenericEntityApiController extends BaseApiController
|
|||||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||||
}
|
}
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -78,7 +78,8 @@ class GenericEntityApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||||
}
|
}
|
||||||
$requestBody = $request->getParsedBody();
|
|
||||||
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -202,7 +203,7 @@ class GenericEntityApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
@ -24,7 +24,7 @@ class LoginController extends BaseController
|
|||||||
|
|
||||||
public function ProcessLogin(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
public function ProcessLogin(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||||
{
|
{
|
||||||
$postParams = $request->getParsedBody();
|
$postParams = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
if (isset($postParams['username']) && isset($postParams['password']))
|
if (isset($postParams['username']) && isset($postParams['password']))
|
||||||
{
|
{
|
||||||
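Review bot: `ProcessLogin` now passes the submitted `password` through HTMLPurifier before it is verified, so a password containing `<`, `>`, `&` or `"` is entity-encoded or stripped, and users who set such a password before this commit presumably can no longer log in; the username is likewise rewritten before lookup. Credentials are compared, never rendered, so this route should keep `$postParams = $request->getParsedBody();` (or the shared helper should exempt the `password` key) — the same applies to the user create/edit routes changed in this commit. Note also that `LoginController` extends `BaseController` while the helper is added to `BaseApiController` in this diff; unless `BaseController` gains the method outside the shown hunks, this call fails with an undefined-method error on every login. The rest of `ProcessLogin` is outside the hunk.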
|
@ -10,7 +10,7 @@ class RecipesApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
$excludedProductIds = null;
|
$excludedProductIds = null;
|
||||||
|
|
||||||
if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
|
if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
|
||||||
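Review bot: This route checks `$requestBody !== null` and then reads `excludedProductIds` as a list, which documents two body shapes the new helper does not handle: `GetParsedAndFilteredRequestBody` iterates the body with `foreach` (a warning on `null`, raised before this guard runs) and hands every value, including the ID array, to `purify()`, which is written for strings. The helper should return non-array bodies unchanged and either skip or descend into array values; until it does, this route is safer with `$requestBody = $request->getParsedBody();` and purifying only the string fields it actually uses. The rest of the method is outside the hunk.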
|
@ -13,7 +13,7 @@ class StockApiController extends BaseApiController
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$listId = 1;
|
$listId = 1;
|
||||||
|
|
||||||
@ -37,7 +37,7 @@ class StockApiController extends BaseApiController
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$listId = 1;
|
$listId = 1;
|
||||||
|
|
||||||
@ -59,7 +59,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_PURCHASE);
|
User::checkPermission($request, User::PERMISSION_STOCK_PURCHASE);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -143,7 +143,7 @@ class StockApiController extends BaseApiController
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$listId = 1;
|
$listId = 1;
|
||||||
$amount = 1;
|
$amount = 1;
|
||||||
@ -190,7 +190,7 @@ class StockApiController extends BaseApiController
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$listId = 1;
|
$listId = 1;
|
||||||
|
|
||||||
@ -212,7 +212,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_CONSUME);
|
User::checkPermission($request, User::PERMISSION_STOCK_CONSUME);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$result = null;
|
$result = null;
|
||||||
|
|
||||||
@ -323,7 +323,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
|
User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -399,7 +399,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_INVENTORY);
|
User::checkPermission($request, User::PERMISSION_STOCK_INVENTORY);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -467,7 +467,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_OPEN);
|
User::checkPermission($request, User::PERMISSION_STOCK_OPEN);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -582,7 +582,7 @@ class StockApiController extends BaseApiController
|
|||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$listId = 1;
|
$listId = 1;
|
||||||
$amount = 1;
|
$amount = 1;
|
||||||
@ -664,7 +664,7 @@ class StockApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
|
User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
@ -49,7 +49,7 @@ class SystemApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$this->getLocalizationService()->CheckAndAddMissingTranslationToPot($requestBody['text']);
|
$this->getLocalizationService()->CheckAndAddMissingTranslationToPot($requestBody['text']);
|
||||||
return $this->EmptyApiResponse($response);
|
return $this->EmptyApiResponse($response);
|
||||||
|
@ -15,7 +15,7 @@ class TasksApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
|
User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
@ -11,7 +11,7 @@ class UsersApiController extends BaseApiController
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$this->getDatabase()->user_permissions()->createRow([
|
$this->getDatabase()->user_permissions()->createRow([
|
||||||
'user_id' => $args['userId'],
|
'user_id' => $args['userId'],
|
||||||
@ -32,7 +32,7 @@ class UsersApiController extends BaseApiController
|
|||||||
public function CreateUser(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
public function CreateUser(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_USERS_CREATE);
|
User::checkPermission($request, User::PERMISSION_USERS_CREATE);
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -75,7 +75,7 @@ class UsersApiController extends BaseApiController
|
|||||||
User::checkPermission($request, User::PERMISSION_USERS_EDIT);
|
User::checkPermission($request, User::PERMISSION_USERS_EDIT);
|
||||||
}
|
}
|
||||||
|
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
@ -152,7 +152,7 @@ class UsersApiController extends BaseApiController
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
$db = $this->getDatabase();
|
$db = $this->getDatabase();
|
||||||
$db->user_permissions()
|
$db->user_permissions()
|
||||||
->where('user_id', $args['userId'])
|
->where('user_id', $args['userId'])
|
||||||
@ -186,7 +186,7 @@ class UsersApiController extends BaseApiController
|
|||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$requestBody = $request->getParsedBody();
|
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||||
|
|
||||||
$value = $this->getUsersService()->SetUserSetting(GROCY_USER_ID, $args['settingKey'], $requestBody['value']);
|
$value = $this->getUsersService()->SetUserSetting(GROCY_USER_ID, $args['settingKey'], $requestBody['value']);
|
||||||
return $this->EmptyApiResponse($response);
|
return $this->EmptyApiResponse($response);
|
||||||
|