mirror of
https://github.com/grocy/grocy.git
synced 2025-04-29 09:39:57 +00:00
Sanitize user input on all API routes (references #996)
This commit is contained in:
Bernd Bestel
parent
7b8438bfa2
commit
c11001467b
@ -10,7 +10,8 @@
|
||||
"gettext/gettext": "^4.8",
|
||||
"eluceo/ical": "^0.16.0",
|
||||
"erusev/parsedown": "^1.7",
|
||||
"gumlet/php-image-resize": "^1.9"
|
||||
"gumlet/php-image-resize": "^1.9",
|
||||
"ezyang/htmlpurifier": "^4.13"
|
||||
},
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
|
||||
52
composer.lock
generated
52
composer.lock
generated
@ -4,7 +4,7 @@
|
||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "70c5b65f78f4eb43dac8df8dc144e56c",
|
||||
"content-hash": "651fcabf083befffe196b08c8f17506b",
|
||||
"packages": [
|
||||
{
|
||||
"name": "doctrine/inflector",
|
||||
@ -195,6 +195,56 @@
|
||||
],
|
||||
"time": "2019-12-30T22:54:17+00:00"
|
||||
},
|
||||
{
|
||||
"name": "ezyang/htmlpurifier",
|
||||
"version": "v4.13.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/ezyang/htmlpurifier.git",
|
||||
"reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
|
||||
"reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"php": ">=5.2"
|
||||
},
|
||||
"require-dev": {
|
||||
"simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"psr-0": {
|
||||
"HTMLPurifier": "library/"
|
||||
},
|
||||
"files": [
|
||||
"library/HTMLPurifier.composer.php"
|
||||
],
|
||||
"exclude-from-classmap": [
|
||||
"/library/HTMLPurifier/Language/"
|
||||
]
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"LGPL-2.1-or-later"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Edward Z. Yang",
|
||||
"email": "admin@htmlpurifier.org",
|
||||
"homepage": "http://ezyang.com"
|
||||
}
|
||||
],
|
||||
"description": "Standards compliant HTML filter written in PHP",
|
||||
"homepage": "http://htmlpurifier.org/",
|
||||
"keywords": [
|
||||
"html"
|
||||
],
|
||||
"time": "2020-06-29T00:56:53+00:00"
|
||||
},
|
||||
{
|
||||
"name": "fig/http-message-util",
|
||||
"version": "1.1.4",
|
||||
|
||||
@ -115,4 +115,22 @@ class BaseApiController extends BaseController
|
||||
|
||||
return $this->OpenApiSpec;
|
||||
}
|
||||
|
||||
private static $htmlPurifierInstance = null;
|
||||
|
||||
protected function GetParsedAndFilteredRequestBody($request)
|
||||
{
|
||||
if (self::$htmlPurifierInstance == null)
|
||||
{
|
||||
self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
foreach ($requestBody as $key => &$value)
|
||||
{
|
||||
$value = self::$htmlPurifierInstance->purify($value);
|
||||
}
|
||||
|
||||
return $requestBody;
|
||||
}
|
||||
}
|
||||
|
||||
@ -27,7 +27,7 @@ class BatteriesApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_BATTERIES_TRACK_CHARGE_CYCLE);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
@ -10,7 +10,7 @@ class ChoresApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$choreId = null;
|
||||
|
||||
@ -60,7 +60,7 @@ class ChoresApiController extends BaseApiController
|
||||
|
||||
public function TrackChoreExecution(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
@ -18,7 +18,7 @@ class GenericEntityApiController extends BaseApiController
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -78,7 +78,8 @@ class GenericEntityApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
}
|
||||
$requestBody = $request->getParsedBody();
|
||||
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -202,7 +203,7 @@ class GenericEntityApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
@ -24,7 +24,7 @@ class LoginController extends BaseController
|
||||
|
||||
public function ProcessLogin(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
$postParams = $request->getParsedBody();
|
||||
$postParams = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
if (isset($postParams['username']) && isset($postParams['password']))
|
||||
{
|
||||
|
||||
@ -10,7 +10,7 @@ class RecipesApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
$excludedProductIds = null;
|
||||
|
||||
if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
|
||||
|
||||
@ -13,7 +13,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@ -37,7 +37,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@ -59,7 +59,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_PURCHASE);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -143,7 +143,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
$amount = 1;
|
||||
@ -190,7 +190,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@ -212,7 +212,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_CONSUME);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$result = null;
|
||||
|
||||
@ -323,7 +323,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -399,7 +399,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_INVENTORY);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -467,7 +467,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_OPEN);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -582,7 +582,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
$amount = 1;
|
||||
@ -664,7 +664,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
@ -49,7 +49,7 @@ class SystemApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$this->getLocalizationService()->CheckAndAddMissingTranslationToPot($requestBody['text']);
|
||||
return $this->EmptyApiResponse($response);
|
||||
|
||||
@ -15,7 +15,7 @@ class TasksApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
||||
@ -11,7 +11,7 @@ class UsersApiController extends BaseApiController
|
||||
try
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$this->getDatabase()->user_permissions()->createRow([
|
||||
'user_id' => $args['userId'],
|
||||
@ -32,7 +32,7 @@ class UsersApiController extends BaseApiController
|
||||
public function CreateUser(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_USERS_CREATE);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -75,7 +75,7 @@ class UsersApiController extends BaseApiController
|
||||
User::checkPermission($request, User::PERMISSION_USERS_EDIT);
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@ -152,7 +152,7 @@ class UsersApiController extends BaseApiController
|
||||
try
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
$db = $this->getDatabase();
|
||||
$db->user_permissions()
|
||||
->where('user_id', $args['userId'])
|
||||
@ -186,7 +186,7 @@ class UsersApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$value = $this->getUsersService()->SetUserSetting(GROCY_USER_ID, $args['settingKey'], $requestBody['value']);
|
||||
return $this->EmptyApiResponse($response);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user