fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PMCORE-2298 Password is stored in plain text when is hashed via G::encrypt and it contains a pipe (|)

Browse Source
This commit is contained in:
Roly Rudy Gutierrez Pinto
2021-02-04 18:07:47 -04:00
parent f5d434ffdf
commit 4711d6687d
10 changed files with 81 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
database/factories/DbSourceFactory.php
View File

@@ -22,7 +22,7 @@ $factory->define(\ProcessMaker\Model\DbSource::class, function(Faker $faker) {
/**
* @todo WHY figure out there's a magic value to the encryption here
*/
'DBS_PASSWORD' => \G::encrypt( $faker->password, $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt( $faker->password, $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => $faker->numberBetween(1000, 9000),
'DBS_ENCODE' => 'utf8', // @todo Perhaps grab this from our definitions in DbConnections
'DBS_CONNECTION_TYPE' => 'NORMAL', // @todo Determine what this value means

6
gulliver/system/class.g.php
View File

@@ -379,12 +379,12 @@ class G
* @param string $string
* @param string $key
* @param bool $urlSafe if it is used in url
*
* @param bool $verifyPipe
* @return string
*/
public static function encrypt($string, $key, $urlSafe = false)
public static function encrypt($string, $key, $urlSafe = false, $verifyPipe = true)
{
if (strpos($string, '|', 0) !== false) {
if ($verifyPipe === true && strpos($string, '|', 0) !== false) {
return $string;
}
$result = '';

2
gulliver/system/class.rbac.php
View File

@@ -1762,6 +1762,7 @@ class RBAC
$dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
$dataCase['AUTH_SOURCE_PASSWORD'],
$dataCase['AUTH_SOURCE_SERVER_NAME']
,false, false
) . "_2NnV3ujj3w";
$this->authSourcesObj->create($dataCase);
}
@@ -1780,6 +1781,7 @@ class RBAC
$dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
$dataCase['AUTH_SOURCE_PASSWORD'],
$dataCase['AUTH_SOURCE_SERVER_NAME']
, false, false
) . "_2NnV3ujj3w";
$this->authSourcesObj->update($dataCase);
}

4
tests/Feature/DBQueryTest.php
View File

@@ -63,7 +63,7 @@ class DBQueryTest extends TestCase
'DBS_PORT' => '3306',
'DBS_USERNAME' => config('database.connections.testexternal.username'),
// Remember, we have to do some encryption here @see DbSourceFactory.php
'DBS_PASSWORD' => \G::encrypt(env('DB_PASSWORD'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt(env('DB_PASSWORD'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'PRO_UID' => $process->PRO_UID
]);
@@ -98,7 +98,7 @@ class DBQueryTest extends TestCase
'DBS_TYPE' => 'mssql',
'DBS_USERNAME' => env('MSSQL_USERNAME'),
// Remember, we have to do some encryption here @see DbSourceFactory.php
'DBS_PASSWORD' => \G::encrypt(env('MSSQL_PASSWORD'), env('MSSQL_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt(env('MSSQL_PASSWORD'), env('MSSQL_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_DATABASE_NAME' => env('MSSQL_DATABASE'),
'PRO_UID' => $process->PRO_UID
]);

6
tests/unit/workflow/engine/classes/DbConnectionsTest.php
View File

@@ -38,7 +38,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -69,7 +69,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -97,7 +97,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);

4
tests/unit/workflow/engine/classes/PmFunctions/ExecuteQueryTest.php
View File

@@ -230,7 +230,7 @@ class ExecuteQueryTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -259,7 +259,7 @@ class ExecuteQueryTest extends TestCase
'DBS_SERVER' => 'localhost',
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '1521',
]);

8
tests/unit/workflow/engine/classes/model/AdditionalTablesTest.php
View File

@@ -141,7 +141,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => env('DB_DATABASE'),
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -159,7 +159,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => config('database.connections.testexternal.host'),
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'DBS_USERNAME' => config('database.connections.testexternal.username'),
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -232,7 +232,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => env('DB_DATABASE'),
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -250,7 +250,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => config('database.connections.testexternal.host'),
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'DBS_USERNAME' => config('database.connections.testexternal.username'),
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);

2
workflow/engine/classes/DbConnections.php
View File

@@ -480,7 +480,7 @@ class DbConnections
if ($row[2] != '') {
$aPass = explode('_', $row[2]);
if (count($aPass) == 1) {
$passEncrypt = G::encrypt($row[2], $row[1]);
$passEncrypt = G::encrypt($row[2], $row[1], false, false);
$passEncrypt .= "_2NnV3ujj3w";
$c2 = new Criteria('workflow');
$c2->add(DbSourcePeer::DBS_PASSWORD, $passEncrypt);

100
workflow/engine/methods/dbConnections/dbConnectionsAjax.php
View File

@@ -1,36 +1,5 @@
<?php
/**
* upgrade.php
*
* ProcessMaker Open Source Edition
* Copyright (C) 2004 - 2008 Colosa Inc.23
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
/*
* Data base connections routines for ajax request
* @Author Erik Amaru Ortiz <erik@colosa.com>
* @Last update May 20th, 2009
* @Param var action from POST request
*/
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
@@ -139,8 +108,8 @@ switch ($action) {
G::RenderPage( 'publish', 'raw' );
break;
case 'saveEditConnection':
$oDBSource = new DbSource();
$oContent = new Content();
$dBSource = new DbSource();
$content = new Content();
if (strpos($_POST['server'], "\\")) {
$_POST['port'] = 'none';
}
@@ -150,17 +119,40 @@ switch ($action) {
if ($flagTns == 0) {
$_POST["connectionType"] = "NORMAL";
$aData = array("DBS_UID" => $_POST["dbs_uid"], "PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => $_POST["server"], "DBS_DATABASE_NAME" => $_POST["db_name"], "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["db_name"])) . "_2NnV3ujj3w", "DBS_PORT" => (($_POST["port"] == "none")? "" : $_POST["port"]), "DBS_ENCODE" => $_POST["enc"], "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => "");
$data = [
"DBS_UID" => $_POST["dbs_uid"],
"PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => $_POST["server"],
"DBS_DATABASE_NAME" => $_POST["db_name"],
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["db_name"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]),
"DBS_ENCODE" => $_POST["enc"],
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => ""
];
} else {
$aData = array("DBS_UID" => $_POST["dbs_uid"], "PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => "", "DBS_DATABASE_NAME" => "", "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["tns"])) . "_2NnV3ujj3w", "DBS_PORT" => "", "DBS_ENCODE" => "", "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => $_POST["tns"]);
$data = [
"DBS_UID" => $_POST["dbs_uid"],
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => "",
"DBS_DATABASE_NAME" => "",
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["tns"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => "",
"DBS_ENCODE" => "",
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => $_POST["tns"]
];
}
$oDBSource->update( $aData );
$oContent->addContent( 'DBS_DESCRIPTION', '', $_POST['dbs_uid'], SYS_LANG, $_POST['desc'] );
$dBSource->update($data);
$content->addContent('DBS_DESCRIPTION', '', $_POST['dbs_uid'], SYS_LANG, $_POST['desc']);
break;
case 'saveConnection':
$oDBSource = new DbSource();
$oContent = new Content();
$dBSource = new DbSource();
$content = new Content();
if (strpos($_POST['server'], "\\")) {
$_POST['port'] = 'none';
}
@@ -170,14 +162,36 @@ switch ($action) {
if ($flagTns == 0) {
$_POST["connectionType"] = "NORMAL";
$aData = array("PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => $_POST["server"], "DBS_DATABASE_NAME" => $_POST["db_name"], "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["db_name"])) . "_2NnV3ujj3w", "DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]), "DBS_ENCODE" => $_POST["enc"], "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => "");
$data = [
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => $_POST["server"],
"DBS_DATABASE_NAME" => $_POST["db_name"],
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["db_name"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]),
"DBS_ENCODE" => $_POST["enc"],
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => ""
];
} else {
$aData = array("PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => "", "DBS_DATABASE_NAME" => "", "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["tns"])) . "_2NnV3ujj3w", "DBS_PORT" => "", "DBS_ENCODE" => "", "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => $_POST["tns"]);
$data = [
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => "",
"DBS_DATABASE_NAME" => "",
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["tns"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => "",
"DBS_ENCODE" => "",
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => $_POST["tns"]
];
}
$newid = $oDBSource->create( $aData );
$newId = $dBSource->create($data);
$sDelimiter = DBAdapter::getStringDelimiter();
$oContent->addContent( 'DBS_DESCRIPTION', '', $newid, SYS_LANG, $_POST['desc'] );
$content->addContent('DBS_DESCRIPTION', '', $newId, SYS_LANG, $_POST['desc']);
break;
case 'deleteDbConnection':
$result = new stdclass();

4
workflow/engine/src/ProcessMaker/BusinessModel/DataBaseConnection.php
View File

@@ -198,9 +198,9 @@ class DataBaseConnection
$dataDBConnection['DBS_PASSWORD'] = '';
} else {
if ($flagTns == 0) {
$pass = G::encrypt( $dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_DATABASE_NAME"]) . "_2NnV3ujj3w";
$pass = G::encrypt( $dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_DATABASE_NAME"], false, false) . "_2NnV3ujj3w";
} else {
$pass = G::encrypt($dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_TNS"]) . "_2NnV3ujj3w";
$pass = G::encrypt($dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_TNS"], false, false) . "_2NnV3ujj3w";
}
$dataDBConnection['DBS_PASSWORD'] = $pass;