luos/workflow/engine/methods/setup/pluginsChange.php

<?php
/**
 * pluginsChange.php
 * If the feature is enable and the code_scanner_scope was enable with the argument enable_plugin, will check the code
 * Review when a plugin was enable
 *
 * @link https://wiki.processmaker.com/3.0/Plugins#Enable_and_Disable_a_Plugin
 */

use ProcessMaker\Plugins\PluginRegistry;

function handlePluginChange() {
    try {
        // Validar parámetros de entrada
        if (!isset($_GET['id']) || !isset($_GET['status'])) {
            throw new InvalidArgumentException('Missing required parameters');
        }

        $pluginFile = $_GET['id'];
        $pluginStatus = $_GET['status'];

        // Validar formato del archivo de plugin
        if (!preg_match('/^[a-zA-Z0-9_-]+\.php$/', $pluginFile)) {
            throw new InvalidArgumentException('Invalid plugin file format');
        }

        // Validar status
        if (!in_array($pluginStatus, ['0', '1'], true)) {
            throw new InvalidArgumentException('Invalid plugin status');
        }

        // Sanitizar nombre del plugin
        $pluginName = basename(str_replace(".php", "", $pluginFile));

        if (!preg_match('/^[a-zA-Z0-9_-]+$/', $pluginName)) {
            throw new InvalidArgumentException('Invalid plugin name format');
        }

        // Validar rutas de forma segura
        $pluginFilePath = realpath(PATH_PLUGINS . $pluginFile);
        $pluginDirPath = realpath(PATH_PLUGINS . $pluginName);
        $pluginsDir = realpath(PATH_PLUGINS);

        if (!$pluginFilePath || strpos($pluginFilePath, $pluginsDir) !== 0) {
            throw new SecurityException('Plugin file outside allowed directory');
        }

        if (!is_file($pluginFilePath)) {
            throw new FileNotFoundException('Plugin file not found');
        }

        $oPluginRegistry = PluginRegistry::loadSingleton();

        if ($pluginStatus === '1') {
            // Deshabilitar plugin
            $details = $oPluginRegistry->getPluginDetails($pluginFile);
            if ($details) {
                $oPluginRegistry->disablePlugin($details->getNamespace());
                $oPluginRegistry->savePlugin($details->getNamespace());
                G::auditLog("DisablePlugin", "Plugin Name: " . $details->getNamespace());
                return ['success' => true, 'action' => 'disabled', 'plugin' => $details->getNamespace()];
            }
        } else {
            // Habilitar plugin
            if ($pluginDirPath && is_dir($pluginDirPath)) {
                require_once($pluginFilePath);
                $details = $oPluginRegistry->getPluginDetails($pluginFile);
                if ($details) {
                    $oPluginRegistry->enablePlugin($details->getNamespace());
                    $oPluginRegistry->setupPlugins();
                    $oPluginRegistry->savePlugin($details->getNamespace());
                    G::auditLog("EnablePlugin", "Plugin Name: " . $details->getNamespace());
                    return ['success' => true, 'action' => 'enabled', 'plugin' => $details->getNamespace()];
                }
            } else {
                throw new FileNotFoundException('Plugin directory not found');
            }
        }

        return ['success' => false, 'error' => 'Plugin operation failed'];

    } catch (Exception $e) {
        G::auditLog('PluginChange', 'Error: ' . $e->getMessage());
        return ['success' => false, 'error' => $e->getMessage()];
    }
}

// Ejecutar y devolver respuesta JSON
try {
    $result = handlePluginChange();
    header('Content-Type: application/json');
    echo json_encode($result);
} catch (Exception $e) {
    header('Content-Type: application/json');
    http_response_code(400);
    echo json_encode(['success' => false, 'error' => 'Invalid request']);
}
initial commit from rev. 632 2010-12-02 23:34:41 +00:00			`<?php`
			`/**`
			`* pluginsChange.php`
PMC-1173 2019-09-06 15:49:07 -04:00			`* If the feature is enable and the code_scanner_scope was enable with the argument enable_plugin, will check the code`
			`* Review when a plugin was enable`
initial commit from rev. 632 2010-12-02 23:34:41 +00:00			`*`
PMC-1173 2019-09-06 15:49:07 -04:00			`* @link https://wiki.processmaker.com/3.0/Plugins#Enable_and_Disable_a_Plugin`
initial commit from rev. 632 2010-12-02 23:34:41 +00:00			`*/`

up observations 2017-08-04 09:32:25 -04:00			`use ProcessMaker\Plugins\PluginRegistry;`

Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`function handlePluginChange() {`
			`try {`
			`// Validar parámetros de entrada`
			`if (!isset($_GET['id']) \|\| !isset($_GET['status'])) {`
			`throw new InvalidArgumentException('Missing required parameters');`
			`}`
CODE STYLE, workflow/engine/methods/setup/ PART 2 FILES: holiday.php holidayNew.php index.php jasper.php language.php language_Ajax.php languages.php languages_Delete.php languages_Export.php languages_Import.php languages_ImportForm.php location.php loginSettings.php loginSettingsAjax.php logo_Delete.php main.php mainAjax.php main_init.php pluginsChange.php pluginsImport.php pluginsImportFile.php pluginsList.php pluginsMain.php pluginsRemove.php pluginsSetup.php pluginsSetupSave.php processHeartBeatAjax.php processHeartBeatConfig.php processHeartBeatSave.php replacementLogo.php 2012-10-17 16:23:22 -04:00
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`$pluginFile = $_GET['id'];`
			`$pluginStatus = $_GET['status'];`
CODE STYLE, workflow/engine/methods/setup/ PART 2 FILES: holiday.php holidayNew.php index.php jasper.php language.php language_Ajax.php languages.php languages_Delete.php languages_Export.php languages_Import.php languages_ImportForm.php location.php loginSettings.php loginSettingsAjax.php logo_Delete.php main.php mainAjax.php main_init.php pluginsChange.php pluginsImport.php pluginsImportFile.php pluginsList.php pluginsMain.php pluginsRemove.php pluginsSetup.php pluginsSetupSave.php processHeartBeatAjax.php processHeartBeatConfig.php processHeartBeatSave.php replacementLogo.php 2012-10-17 16:23:22 -04:00
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`// Validar formato del archivo de plugin`
			`if (!preg_match('/^[a-zA-Z0-9_-]+\.php$/', $pluginFile)) {`
			`throw new InvalidArgumentException('Invalid plugin file format');`
			`}`
CODE STYLE, workflow/engine/methods/setup/ PART 2 FILES: holiday.php holidayNew.php index.php jasper.php language.php language_Ajax.php languages.php languages_Delete.php languages_Export.php languages_Import.php languages_ImportForm.php location.php loginSettings.php loginSettingsAjax.php logo_Delete.php main.php mainAjax.php main_init.php pluginsChange.php pluginsImport.php pluginsImportFile.php pluginsList.php pluginsMain.php pluginsRemove.php pluginsSetup.php pluginsSetupSave.php processHeartBeatAjax.php processHeartBeatConfig.php processHeartBeatSave.php replacementLogo.php 2012-10-17 16:23:22 -04:00
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`// Validar status`
			`if (!in_array($pluginStatus, ['0', '1'], true)) {`
			`throw new InvalidArgumentException('Invalid plugin status');`
			`}`

			`// Sanitizar nombre del plugin`
			`$pluginName = basename(str_replace(".php", "", $pluginFile));`

			`if (!preg_match('/^[a-zA-Z0-9_-]+$/', $pluginName)) {`
			`throw new InvalidArgumentException('Invalid plugin name format');`
			`}`

			`// Validar rutas de forma segura`
			`$pluginFilePath = realpath(PATH_PLUGINS . $pluginFile);`
			`$pluginDirPath = realpath(PATH_PLUGINS . $pluginName);`
			`$pluginsDir = realpath(PATH_PLUGINS);`

			`if (!$pluginFilePath \|\| strpos($pluginFilePath, $pluginsDir) !== 0) {`
			`throw new SecurityException('Plugin file outside allowed directory');`
			`}`

			`if (!is_file($pluginFilePath)) {`
			`throw new FileNotFoundException('Plugin file not found');`
			`}`

			`$oPluginRegistry = PluginRegistry::loadSingleton();`

			`if ($pluginStatus === '1') {`
			`// Deshabilitar plugin`
			`$details = $oPluginRegistry->getPluginDetails($pluginFile);`
			`if ($details) {`
change 2017-08-01 12:16:06 -04:00			`$oPluginRegistry->disablePlugin($details->getNamespace());`
disable custom plugin 2017-08-10 21:55:18 -04:00			`$oPluginRegistry->savePlugin($details->getNamespace());`
change 2017-08-01 12:16:06 -04:00			`G::auditLog("DisablePlugin", "Plugin Name: " . $details->getNamespace());`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`return ['success' => true, 'action' => 'disabled', 'plugin' => $details->getNamespace()];`
			`}`
			`} else {`
			`// Habilitar plugin`
			`if ($pluginDirPath && is_dir($pluginDirPath)) {`
			`require_once($pluginFilePath);`
			`$details = $oPluginRegistry->getPluginDetails($pluginFile);`
			`if ($details) {`
change 2017-08-01 12:16:06 -04:00			`$oPluginRegistry->enablePlugin($details->getNamespace());`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`$oPluginRegistry->setupPlugins();`
change 2017-08-01 12:16:06 -04:00			`$oPluginRegistry->savePlugin($details->getNamespace());`
			`G::auditLog("EnablePlugin", "Plugin Name: " . $details->getNamespace());`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`return ['success' => true, 'action' => 'enabled', 'plugin' => $details->getNamespace()];`
PM-473 "Analisis de los resultados de escaneo de las..." SOLVED Issue: Analisis de los resultados de escaneo de las funciones en ProcessMaker. Plugin/trigger code scanner. Cause: Nueva solicitud de funciones Solution: Se ha implementado esta nueva funcionalidad, que consta de lo siguiente: - Escaneo de codigo al importar un plugin (no se aplica a plugins enterprise) - Escaneo de codigo al habilitar un plugin (si el plugin ya se encuentra fisicamente en el directorio de los plugins) - Escaneo de codigo al importar un proceso - Escaneo de codigo al crear/modificar codigo de un trigger - Escaneo de codigo al ejecutar un caso que tenga seteados triggers en sus steps (si el trigger tiene codigo no deseado, no se ejecuta el trigger) - Se ha agregado la opcion "check-plugin-disabled-code" al comando "./gulliver", el mismo muestra informacion sobre los plugins con codigo no deseado. Ej: $ ./gulliver check-plugin-disabled-code [enterprise-plugin\|custom-plugin\|all\|<plugin-name>] - Se ha agregado la opcion "check-workspace-disabled-code" al comando "./processmaker", el mismo muestra informacion sobre los workspaces con codigo no deseado en sus triggers. Ej: $ ./processmaker check-workspace-disabled-code <myWorkspace> - Por defecto ProcessMaker no realiza el escaneo de codigo, si se desea escanear codigo no deseado, se debera definir el atributo "enable_blacklist = 1" en el archivo "env.ini", este atributo no se aplica a las nuevas opciones creadas para los comandos "./gulliver" y "./processmaker" - Para una configuracion personalizada de codigo no deseado (lista negra), se pueden definir las mismas en el archivo "path/to/processmaker/workflow/engine/config/blacklist.ini" (si no existe el archivo se puede crear), o tambien en el atributo "disable_functions" esto en el archivo "php.ini" Ejemplo de "blacklist.ini": ;Classes ;======= DashletInterface ;Functions ;========= eval exec ;date ;echo strlen 2014-11-19 16:47:22 -04:00			`}`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00			`} else {`
			`throw new FileNotFoundException('Plugin directory not found');`
CODE STYLE, workflow/engine/methods/setup/ PART 2 FILES: holiday.php holidayNew.php index.php jasper.php language.php language_Ajax.php languages.php languages_Delete.php languages_Export.php languages_Import.php languages_ImportForm.php location.php loginSettings.php loginSettingsAjax.php logo_Delete.php main.php mainAjax.php main_init.php pluginsChange.php pluginsImport.php pluginsImportFile.php pluginsList.php pluginsMain.php pluginsRemove.php pluginsSetup.php pluginsSetupSave.php processHeartBeatAjax.php processHeartBeatConfig.php processHeartBeatSave.php replacementLogo.php 2012-10-17 16:23:22 -04:00			`}`
initial commit from rev. 632 2010-12-02 23:34:41 +00:00			`}`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00
			`return ['success' => false, 'error' => 'Plugin operation failed'];`

			`} catch (Exception $e) {`
			`G::auditLog('PluginChange', 'Error: ' . $e->getMessage());`
			`return ['success' => false, 'error' => $e->getMessage()];`
initial commit from rev. 632 2010-12-02 23:34:41 +00:00			`}`
CODE STYLE, workflow/engine/methods/setup/ PART 2 FILES: holiday.php holidayNew.php index.php jasper.php language.php language_Ajax.php languages.php languages_Delete.php languages_Export.php languages_Import.php languages_ImportForm.php location.php loginSettings.php loginSettingsAjax.php logo_Delete.php main.php mainAjax.php main_init.php pluginsChange.php pluginsImport.php pluginsImportFile.php pluginsList.php pluginsMain.php pluginsRemove.php pluginsSetup.php pluginsSetupSave.php processHeartBeatAjax.php processHeartBeatConfig.php processHeartBeatSave.php replacementLogo.php 2012-10-17 16:23:22 -04:00			`}`
Update and fix the issues in pluginsChange.php 2025-09-05 16:38:12 +00:00
			`// Ejecutar y devolver respuesta JSON`
			`try {`
			`$result = handlePluginChange();`
			`header('Content-Type: application/json');`
			`echo json_encode($result);`
			`} catch (Exception $e) {`
			`header('Content-Type: application/json');`
			`http_response_code(400);`
			`echo json_encode(['success' => false, 'error' => 'Invalid request']);`
			`}`