Throw 400 if filter is not properly escaped

Icinga · Jul 5, 2024 · 93c9343 · 93c9343
1 parent dcd7411
commit 93c9343
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 12 deletions.
diff --git a/application/controllers/ApiV1ChannelsController.php b/application/controllers/ApiV1ChannelsController.php
@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Notifications\Controllers;
 
+use Exception;
 use Icinga\Module\Notifications\Common\Database;
 use Icinga\Util\Environment;
 use Icinga\Util\Json;
@@ -41,8 +42,8 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+        try {
+            $filterRule = QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -62,8 +63,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         $stmt = (new Select())
             ->distinct()

diff --git a/application/controllers/ApiV1ContactgroupsController.php b/application/controllers/ApiV1ContactgroupsController.php
@@ -66,8 +66,8 @@ public function indexAction(): void
             $this->httpBadRequest('Filter is only allowed in GET request');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString($filterStr)
+        try {
+            $filterRule = QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -87,8 +87,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         switch ($method) {
             case 'GET':

diff --git a/application/controllers/ApiV1ContactsController.php b/application/controllers/ApiV1ContactsController.php
@@ -71,8 +71,8 @@ public function indexAction(): void
             $this->httpBadRequest('Filter is only allowed in GET request');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString($filterStr)
+        try {
+            $filterRule = QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -92,8 +92,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         switch ($method) {
             case 'GET':