From 93c9343a26794bdddb5e1f940346c2556a1ab059 Mon Sep 17 00:00:00 2001
From: Sukhwinder Dhillon
Date: Fri, 5 Jul 2024 11:22:54 +0200
Subject: [PATCH] Throw 400 if filter is not properly escaped

---
 application/controllers/ApiV1ChannelsController.php | 13 +++++++++----
 .../controllers/ApiV1ContactgroupsController.php | 12 ++++++++----
 application/controllers/ApiV1ContactsController.php | 12 ++++++++----
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/application/controllers/ApiV1ChannelsController.php b/application/controllers/ApiV1ChannelsController.php
index 7c5e974b..61fa267a 100644
--- a/application/controllers/ApiV1ChannelsController.php
+++ b/application/controllers/ApiV1ChannelsController.php
@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Notifications\Controllers;
 
+use Exception;
 use Icinga\Module\Notifications\Common\Database;
 use Icinga\Util\Environment;
 use Icinga\Util\Json;
@@ -41,8 +42,8 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+        try {
+            $filterRule = QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -62,8 +63,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         $stmt = (new Select())
             ->distinct()
diff --git a/application/controllers/ApiV1ContactgroupsController.php b/application/controllers/ApiV1ContactgroupsController.php
index 8cfbeaf2..cff2578c 100644
--- a/application/controllers/ApiV1ContactgroupsController.php
+++ b/application/controllers/ApiV1ContactgroupsController.php
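Review bot: `catch (Exception $e)` in the `@@ -62,8 +63,12 @@` hunk also wraps `FilterProcessor::assembleFilter($filterRule)`, so any failure inside that call that has nothing to do with query-string escaping is reported to the client as a 400 'filter is not escaped properly', masking server-side errors as client errors. Move `$filter = FilterProcessor::assembleFilter($filterRule);` below the `catch` so only the `->parse()` chain is guarded, and catch the parser's dedicated exception class rather than the base `Exception` if the query-string parser defines one. `$e` is otherwise unused, so the actual parse error is lost; at least log it, and capitalise the message (`'Filter is not escaped properly'`) to match the other `httpBadRequest` messages in these controllers. The same applies to the `@@ -87,8 +87,12 @@` hunk of ApiV1ContactgroupsController.php and the `@@ -92,8 +92,12 @@` hunk of ApiV1ContactsController.php. indexAction() starts before and continues after this hunk.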
@@ -66,8 +66,8 @@ public function indexAction(): void
             $this->httpBadRequest('Filter is only allowed in GET request');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString($filterStr)
+        try {
+            $filterRule = QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -87,8 +87,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         switch ($method) {
             case 'GET':
diff --git a/application/controllers/ApiV1ContactsController.php b/application/controllers/ApiV1ContactsController.php
index 3ef0716f..28ec5e15 100644
--- a/application/controllers/ApiV1ContactsController.php
+++ b/application/controllers/ApiV1ContactsController.php
@@ -71,8 +71,8 @@ public function indexAction(): void
             $this->httpBadRequest('Filter is only allowed in GET request');
         }
 
-        $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString($filterStr)
+        try {
+            $filterRule = QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -92,8 +92,12 @@ function (Filter\Condition $condition) {
                             $condition->setColumn('external_uuid');
                         }
                     }
-                )->parse()
-        );
+                )->parse();
+
+            $filter = FilterProcessor::assembleFilter($filterRule);
+        } catch (Exception $e) {
+            $this->httpBadRequest('filter is not escaped properly');
+        }
 
         switch ($method) {
             case 'GET':
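Review bot: `catch (Exception $e)` in the `@@ -87,8 +87,12 @@` hunk of ApiV1ContactgroupsController.php depends on `Exception` resolving to the global class, but unlike ApiV1ChannelsController.php, which gains `use Exception;` in its first hunk, neither this file nor ApiV1ContactsController.php (hunk `@@ -92,8 +92,12 @@`) receives that import in this diff, and the diffstat (12 changed lines for each of these two files versus 13 for the channels controller) is consistent with it being absent. If the files do not already import it, the name resolves to `Icinga\Module\Notifications\Controllers\Exception`, which PHP accepts in a catch clause without complaint but which never matches, so the new 400 response is never produced and a malformed filter behaves exactly as before the patch. Either add `use Exception;` to both files or write the clause as `catch (\Exception $e)`. The top of these files is outside the diff, so this is inferred rather than confirmed; indexAction() starts before and continues after this hunk.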