Merged in paulis/processmaker/PM-VERACODE-8 (pull request #1702)

I completed the SQL Injection Hight and I reviewed the XSS - MEDIUM in files

workflow/engine/bin/tasks/cliMafe.php

@@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation');
 
 function run_create_translation($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     $rootDir = realpath(__DIR__."/../../../../");
     $app = new Maveriks\WebApplication();
     $app->setRootDir($rootDir);
@@ -53,7 +57,6 @@ function run_create_translation($args, $opts)
     foreach ($workspaces as $workspace) {
         try {
             echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
-            $app->loadEnvironment($workspace->name, $loadConstants);
             $translation->generateTransaltionMafe($lang);
         } catch (Exception $e) {
             echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";

workflow/engine/bin/tasks/cliWorkspaces.php

@@ -228,6 +228,10 @@ function run_info($args, $opts) {
 }
 
 function run_workspace_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
 }
 
 function run_translation_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
 }
 
 function run_cacheview_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
   foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
 }
 
 function database_upgrade($command, $args) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $command = $filter->xssFilterHard($command);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $checkOnly = (strcmp($command, "check") == 0);
   foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
 
 function run_database_generate_self_service_by_value($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     try {
         $arrayWorkspace = get_workspaces_from_args($args);
 

workflow/engine/classes/class.webdav.php

@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
      */
     public function GET(&$options)
     {
-        $paths = $this->paths;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $options = $filter->xssFilterHard($options);
+        $paths = $filter->xssFilterHard($this->paths);
 
         $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
         if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
             $fsFile = $pathClasses . $paths[1];
+            $fsFile = $filter->xssFilterHard($fsFile);
             if (count($paths) == 2 && file_exists($fsFile)) {
                 $content = file_get_contents($fsFile);
+                $content = $filter->xssFilterHard($content);
                 print $content;
                 header("Content-Type: " . mime_content_type($fsFile));
                 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'xmlforms') {
                 $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathXmlform . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
                 $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathTemplates . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'public_html') {
                 $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathPublic . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");

workflow/engine/classes/triggers/api/class.zimbraApi.php

@@ -803,6 +803,9 @@ class Zimbra
     protected function message($message)
     {
         if ($this->debug) {
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $message = $filter->xssFilterHard($message);
             echo $message;
         }
     }
@@ -823,6 +826,9 @@ class Zimbra
      */
     protected function soapRequest($body, $header = false, $connecting = false)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        
         if (!$connecting && !$this->_connected) {
             throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
         }
@@ -842,7 +848,9 @@ class Zimbra
 
         curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
 
-        if (!($response = curl_exec($this->_curl))) {
+        $this->_curl = $filter->xssFilterHard($this->_curl,"url");
+        $response = curl_exec($this->_curl);
+        if (!$response) {
             $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
             return false;
         } elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {

workflow/engine/methods/cases/casesStartPage_Ajax.php

@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (!isset($_SESSION['USER_LOGGED'])) {
     $res = new stdclass();
     $res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
 function startCase ()
 {
     G::LoadClass( 'case' );
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    $_SESSION = $filter->xssFilterHard($_SESSION);
 
     /* GET , POST & $_SESSION Vars */
     /* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
         lookinginforContentProcess( $_POST['processId'] );
 
         $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
+        $aData = $filter->xssFilterHard($aData);
 
         $_SESSION['APPLICATION'] = $aData['APPLICATION'];
         $_SESSION['INDEX'] = $aData['INDEX'];

workflow/engine/methods/dbConnections/dbConnectionsAjax.php

@@ -30,6 +30,11 @@
  * @Param  var action from POST request
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
     $action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
 } else {

workflow/engine/methods/roles/data_rolesList.php

@@ -24,6 +24,9 @@
 
 require_once (PATH_RBAC . "model/RolesPeer.php");
 G::LoadClass( 'ArrayPeer' );
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 
 isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';
 

workflow/engine/methods/roles/data_rolesPermissions.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 $ROL_UID = $_GET['rUID'];
 $TYPE_DATA = $_GET["type"];
 

workflow/engine/methods/services/Rest/CURLMessage.php

@@ -122,7 +122,10 @@ abstract class CURLMessage
      */
     public function displayResponse ()
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $error = curl_error( $this->ch );
+        $error = $filter->xssFilterHard($error);
         $result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
         );
         if ($error != "") {
@@ -130,12 +133,15 @@ abstract class CURLMessage
             return $result;
         }
         $response = $this->output;
+        $response = $filter->xssFilterHard($response);
         $header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
         $result['header'] = substr( $response, 0, $header_size );
         $result['body'] = substr( $response, $header_size );
         $result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
         $result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
+        $result = $filter->xssFilterHard($result);
 
+        $this->type = $filter->xssFilterHard($this->type);
         echo $this->type . " Response: " . $response . "<BR>";
         foreach ($result as $index => $data) {
             if ($data != "") {

workflow/engine/methods/services/demoSoap.php

@@ -61,12 +61,17 @@ a.krumo-name {
 </style>
 <?php
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (isset( $_POST["epr"] )) {
     $_SESSION['END_POINT'] = $_POST["epr"];
 }
 $endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
-
+$endpoint = $filter->xssFilterHard($endpoint);
 $sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
+$sessionId = $filter->xssFilterHard($sessionId);
 ?>
 <form method="post" action="">