From 3d9380dbd64e48a176bbc0ebba49877c8284bd6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julio=20Cesar=20Laura=20Avenda=C3=B1o?=
Date: Fri, 20 Jul 2018 00:28:45 +0000
Subject: [PATCH 1/2] HOR-4751
---
 gulliver/system/class.inputfilter.php | 14 ++++++++++++++
 workflow/engine/classes/Applications.php | 17 +++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php
index 60cbfe689..ac99b71e6 100644
--- a/gulliver/system/class.inputfilter.php
+++ b/gulliver/system/class.inputfilter.php
@@ -352,6 +352,7 @@ class InputFilter
 * @param String $source
 * @param Resource $connection - An open MySQL connection
 * @return String $source
+ * @todo We need to review this method, because the sended string is unescaped
 */
 public function escapeString($string, &$connection)
 {
@@ -364,6 +365,19 @@ class InputFilter
 }
 return $string;
 }
+
+ /*
+ * Escapes a string using a Propel connection
+ *
+ * @param string $string The string to escapes
+ * @param object $connection The connection object
+ *
+ * @return string
+ */
+ public function escapeUsingConnection($string, $connection)
+ {
+ return mysql_real_escape_string($string, $connection->getResource());
+ }
 /**
 * Internal method removes tags/special characters
diff --git a/workflow/engine/classes/Applications.php b/workflow/engine/classes/Applications.php
index 67857bb30..f58cccf6b 100644
--- a/workflow/engine/classes/Applications.php
+++ b/workflow/engine/classes/Applications.php
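Review bot: `escapeUsingConnection` delegates to `mysql_real_escape_string`, a function of the legacy mysql extension that no longer exists on PHP 7, so if this code runs on a PHP 7 interpreter the new method raises an undefined-function error instead of escaping anything; the existing `escapeString($string, &$connection)` a few lines above (flagged with a `@todo` in the previous hunk) looks like the path that should be consolidated rather than adding a second escaping entry point. The method also does not add surrounding quotes, so callers must still place the result inside `'...'` in the SQL, and it offers no protection at all for values spliced in as identifiers or keywords. The comment opens with `/*` rather than `/**`, so it is not read as PHPDoc; suggest `/**` plus a line such as `* The returned value is only safe inside a quoted SQL string literal, never as an identifier.` and `The string to escape` in the @param line.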
@@ -44,6 +44,23 @@ class Applications
 //Start the connection to database
 $con = Propel::getConnection(AppDelegationPeer::DATABASE_NAME);
+
+ //Sanitize input variables
+ $inputFilter = new InputFilter();
+ $userUid = $inputFilter->validateInput($userUid, 'int');
+ $start = $inputFilter->validateInput($start, 'int');
+ $limit = $inputFilter->validateInput($limit, 'int');
+ $search = $inputFilter->escapeUsingConnection($search, $con);
+ $process = $inputFilter->validateInput($process, 'int');
+ //$status doesn't require sanitization
+ $dir = in_array($dir, ['ASC', 'DESC']) ? $dir :'DESC';
+ $sort = $inputFilter->escapeUsingConnection($sort, $con);
+ $category = $inputFilter->escapeUsingConnection($category, $con);
+ $dateFrom = $inputFilter->escapeUsingConnection($dateFrom, $con);
+ $dateTo = $inputFilter->escapeUsingConnection($dateTo, $con);
+ $columnSearch = $inputFilter->escapeUsingConnection($columnSearch, $con);
+
+ //Start the transaction
 $con->begin();
 $stmt = $con->createStatement();
From 5d83768c3ba23dc6e7fd03f0ff9bcfd9a100ebfa Mon Sep 17 00:00:00 2001
From: Paula Quispe
Date: Wed, 25 Jul 2018 09:25:25 -0400
Subject: [PATCH 2/2] HOR-4754
---
 gulliver/system/class.rbac.php | 27 ++++++++++++
 workflow/engine/classes/WsBase.php | 70 ++++++++++++------------
 2 files changed, 55 insertions(+), 42 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index bfd54aa5a..77cd9b867 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
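Review bot: Escaping `$sort` and `$columnSearch` with `escapeUsingConnection` is not an effective control if, as their names suggest, they end up in the query as an ORDER BY expression or a column name: `mysql_real_escape_string` only neutralises string-delimiter characters, and identifiers are not wrapped in quotes, so the rest of the SQL grammar remains reachable from those values. The `$dir` line already shows the right pattern — an allow-list of accepted values — and `$sort`/`$columnSearch` should be checked against the known column names the same way, e.g. `$sort = in_array($sort, $allowedColumns, true) ? $sort : 'DEFAULT_COLUMN';` (placeholder names); `$dateFrom`/`$dateTo` would likewise be better validated as dates than escaped. `in_array($dir, ['ASC', 'DESC'])` should also pass `true` as its third argument so the comparison is strict. The query that consumes these variables, and the enclosing method, lie outside the hunk, so the identifier usage is inferred from the names.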
@@ -1323,6 +1323,33 @@ class RBAC
 return $this->rolesObj->loadById($rolUid);
 }
+ /**
+ * Get Role code
+ *
+ * @access public
+ *
+ * @param string $role
+ *
+ * @return string
+ */
+ public function getRoleCodeValid($role)
+ {
+ $roleCode = '';
+
+ if (!empty($role)) {
+ if ($this->verifyByCode($role)) {
+ //If is a valid ROL_CODE
+ $roleCode = $role;
+ } else {
+ //We will to check by ROL_UID
+ $roleInfo = $this->loadById($role);
+ $roleCode = !empty($roleInfo['ROL_CODE']) ? $roleInfo['ROL_CODE'] : '';
+ }
+ }
+
+ return $roleCode;
+ }
 /**
 * this function gets the user's roles
 *
diff --git a/workflow/engine/classes/WsBase.php b/workflow/engine/classes/WsBase.php
index 30122fd1c..3b2a8b6b4 100644
--- a/workflow/engine/classes/WsBase.php
+++ b/workflow/engine/classes/WsBase.php
@@ -1062,7 +1062,8 @@ class WsBase
 * with an MD5 hash).
 * @param string dueDate : Optional parameter. The expiration date must be a string in the format "yyyy-mm-dd".
 * @param string status : Optional parameter. The user's status, such as "ACTIVE", "INACTIVE" or "VACATION".
- * @return $result will return an object
+ *
+ * @return object|array
 */
 public function createUser($userName, $firstName, $lastName, $email, $role, $password, $dueDate = null, $status = null)
 {
@@ -1090,7 +1091,6 @@ class WsBase
 }
 $mktimeDueDate = 0;
-
 if (!empty($dueDate) && $dueDate != 'null' && $dueDate) {
 if (!preg_match("/^(\d{4})-(\d{2})-(\d{2})$/", $dueDate, $arrayMatch)) {
 $result = new WsCreateUserResponse(- 1, G::loadTranslation("ID_INVALID_DATA") . " $dueDate", null);
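Review bot: The docblock of `getRoleCodeValid` should state the contract the WsBase callers depend on — the argument may be either a ROL_CODE or a ROL_UID, and the empty string is the "not a valid role" signal — because `empty($strRole)` in createUser/updateUser is the only thing that turns that '' into the ID_INVALID_ROLE error; suggest replacing `* Get Role code` with `* Resolve a role given either its ROL_CODE or its ROL_UID; returns the ROL_CODE, or '' when the value matches neither.` and `//We will to check by ROL_UID` with `//Not a ROL_CODE, try it as a ROL_UID`. The lookup order also differs from the code this replaces in WsBase, which tried `loadById` first and `verifyByCode` second; a value that is simultaneously a valid code and some other role's UID now resolves as the code, which is fine but worth a sentence in the commit message if intentional. `!empty($roleInfo['ROL_CODE'])` tolerates a non-array return from `loadById`, which is presumably why it is written that way — a short comment saying so would save the next reader the question.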
@@ -1113,22 +1113,13 @@ class WsBase
 $status = "ACTIVE";
 }
- $arrayRole = $RBAC->loadById($role);
- $strRole = null;
+ $strRole = $RBAC->getRoleCodeValid($role);
+ if (empty($strRole)) {
+ $data = [];
+ $data["ROLE"] = $role;
+ $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
- if (is_array($arrayRole)) {
- $strRole = $arrayRole["ROL_CODE"];
- } else {
- $strRole = $role;
-
- if ($RBAC->verifyByCode($role) == 0) {
- $data = [];
- $data["ROLE"] = $role;
-
- $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
-
- return $result;
- }
+ return $result;
 }
 if (strlen($password) > 20) {
@@ -1190,8 +1181,12 @@ class WsBase
 $res = new WsResponse(0, G::loadTranslation("ID_USER_CREATED_SUCCESSFULLY", SYS_LANG, $data));
- $result = array("status_code" => $res->status_code, "message" => $res->message, "userUID" => $userUid, "timestamp" => $res->timestamp
- );
+ $result = [
+ "status_code" => $res->status_code,
+ "message" => $res->message,
+ "userUID" => $userUid,
+ "timestamp" => $res->timestamp
+ ];
 return $result;
 } catch (Exception $e) {
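Review bot: The five added lines that build the ID_INVALID_ROLE response are repeated verbatim in the updateUser hunk at @@ -1262, and the two-step `$data = []; $data["ROLE"] = $role;` can be a single literal; suggest `$result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, ['ROLE' => $role]), null);` in both places, or one small private helper that returns that response. A comment above the check would also help, e.g. `// getRoleCodeValid() returns '' for anything that is neither a ROL_CODE nor a ROL_UID`, since `empty($strRole)` is where that rejection becomes visible and a reader has no other hint of the helper's contract. createUser starts and ends outside this hunk.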
@@ -1211,11 +1206,11 @@ class WsBase
 * @param string email : Optional parameter. The user's email address.
 * @param string dueDate : Optional parameter. The expiration date must be a string in the format "yyyy-mm-dd".
 * @param string status : Optional parameter. The user's status, such as "ACTIVE", "INACTIVE" or "VACATION".
- * @param string role : Optional parameter. The user's role, such
- * as "PROCESSMAKER_ADMIN" or "PROCESSMAKER_OPERATOR".
+ * @param string role : Optional parameter. The user's role, such as "PROCESSMAKER_ADMIN" or "PROCESSMAKER_OPERATOR".
 * @param string password : Optional parameter. The user's password such as "Be@gle2" (It will be automatically
 * encrypted with an MD5 hash).
- * @return $result will return an object
+ *
+ * @return object|array
 */
 public function updateUser($userUid, $userName, $firstName = null, $lastName = null, $email = null, $dueDate = null, $status = null, $role = null, $password = null)
 {
@@ -1262,25 +1257,13 @@ class WsBase
 }
 }
- $strRole = null;
+ $strRole = $RBAC->getRoleCodeValid($role);
+ if (empty($strRole)) {
+ $data = [];
+ $data["ROLE"] = $role;
+ $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
- if (!empty($role)) {
- $arrayRole = $RBAC->loadById($role);
-
- if (is_array($arrayRole)) {
- $strRole = $arrayRole["ROL_CODE"];
- } else {
- $strRole = $role;
-
- if ($RBAC->verifyByCode($role) == 0) {
- $data = [];
- $data["ROLE"] = $role;
-
- $result = new WsResponse(6, G::LoadTranslation("ID_INVALID_ROLE", SYS_LANG, $data));
-
- return $result;
- }
- }
+ return $result;
 }
 if (!empty($password) && strlen($password) > 20) {
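Review bot: Dropping the `if (!empty($role))` guard in the @@ -1262 hunk changes updateUser's behaviour for callers that omit the role: `$role` is documented a few lines up as optional and defaults to null, but `getRoleCodeValid(null)` returns '' and `empty($strRole)` then rejects every update that does not send a role with ID_INVALID_ROLE. Keep the original structure — `$strRole = null;` before the block and `if (!empty($role)) {` around the resolve-and-validate lines, closed by `}` — so an omitted role still means "leave the role unchanged" as it did before. The error object here also changes from `WsResponse` to `WsCreateUserResponse`, which callers that inspect the response type may notice; if that is intentional it deserves a line in the commit message. updateUser continues past the end of this hunk, where `$strRole` is presumably consumed.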
@@ -1353,8 +1336,11 @@ class WsBase
 //Response
 $res = new WsResponse(0, G::LoadTranslation("ID_UPDATED_SUCCESSFULLY"));
- $result = array("status_code" => $res->status_code, "message" => $res->message, "timestamp" => $res->timestamp
- );
+ $result = [
+ "status_code" => $res->status_code,
+ "message" => $res->message,
+ "timestamp" => $res->timestamp
+ ];
 return $result;
 } catch (Exception $e) {