Merged in bugfix/PMCORE-2298 (pull request #7713)

PMCORE-2298 Password is stored in plain text when is hashed via G::encrypt and it contains a pipe (|)

Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com>
This commit is contained in:
Roly Rudy Gutierrez Pinto
2021-02-05 13:14:12 +00:00
committed by Julio Cesar Laura Avendaño
10 changed files with 81 additions and 65 deletions


@@ -22,7 +22,7 @@ $factory->define(\ProcessMaker\Model\DbSource::class, function(Faker $faker) {
/**
* @todo WHY figure out there's a magic value to the encryption here
*/
'DBS_PASSWORD' => \G::encrypt( $faker->password, $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt( $faker->password, $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => $faker->numberBetween(1000, 9000),
'DBS_ENCODE' => 'utf8', // @todo Perhaps grab this from our definitions in DbConnections
'DBS_CONNECTION_TYPE' => 'NORMAL', // @todo Determine what this value means
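Review bot: The two new `false, false` arguments on L19 are unexplained, and the `@todo` just above still describes the suffix as a mystery, so the next reader has to open G::encrypt to learn why a test factory disables the pipe check. A one-line comment would do, e.g. `// urlSafe=false, verifyPipe=false: always encrypt, even when the password contains '|' (PMCORE-2298)`. The factory definition continues outside the hunk.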


@@ -379,12 +379,12 @@ class G
* @param string $string
* @param string $key
* @param bool $urlSafe if it is used in url
*
* @param bool $verifyPipe
* @return string
*/
public static function encrypt($string, $key, $urlSafe = false)
public static function encrypt($string, $key, $urlSafe = false, $verifyPipe = true)
{
if (strpos($string, '|', 0) !== false) {
if ($verifyPipe === true && strpos($string, '|', 0) !== false) {
return $string;
}
$result = '';
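Review bot: The new `$verifyPipe` parameter defaults to `true`, so the early return on L39 that hands the plaintext back unchanged — the very behaviour this commit is fixing — stays the default for every caller not updated here and for any future caller, and the caller cannot tell from the return value whether encryption happened. The added `@param bool $verifyPipe` on L31 sits after a blank `*` line and has no description; at minimum document it, e.g. `@param bool $verifyPipe legacy: when true and $string contains '|', $string is returned unencrypted; pass false to always encrypt`. Once the remaining call sites are audited, flipping the default to `false` would close the gap permanently. The body of encrypt continues past the hunk.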


@@ -1762,6 +1762,7 @@ class RBAC
$dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
$dataCase['AUTH_SOURCE_PASSWORD'],
$dataCase['AUTH_SOURCE_SERVER_NAME']
,false, false
) . "_2NnV3ujj3w";
$this->authSourcesObj->create($dataCase);
}
@@ -1780,6 +1781,7 @@ class RBAC
$dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
$dataCase['AUTH_SOURCE_PASSWORD'],
$dataCase['AUTH_SOURCE_SERVER_NAME']
, false, false
) . "_2NnV3ujj3w";
$this->authSourcesObj->update($dataCase);
}
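Review bot: The continuation lines `,false, false` (L49) and `, false, false` (L57) put the comma at the start of the line with inconsistent spacing, which reads as a leftover edit rather than a deliberate argument list. Prefer one argument per line: `$dataCase['AUTH_SOURCE_SERVER_NAME'],` / `false,` / `false`, with a short comment naming the flags (`urlSafe`, `verifyPipe`) since two bare booleans say nothing at the call site. Both enclosing methods begin and end outside the hunks.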


@@ -63,7 +63,7 @@ class DBQueryTest extends TestCase
'DBS_PORT' => '3306',
'DBS_USERNAME' => config('database.connections.testexternal.username'),
// Remember, we have to do some encryption here @see DbSourceFactory.php
'DBS_PASSWORD' => \G::encrypt(env('DB_PASSWORD'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt(env('DB_PASSWORD'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'PRO_UID' => $process->PRO_UID
]);
@@ -98,7 +98,7 @@ class DBQueryTest extends TestCase
'DBS_TYPE' => 'mssql',
'DBS_USERNAME' => env('MSSQL_USERNAME'),
// Remember, we have to do some encryption here @see DbSourceFactory.php
'DBS_PASSWORD' => \G::encrypt(env('MSSQL_PASSWORD'), env('MSSQL_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => \G::encrypt(env('MSSQL_PASSWORD'), env('MSSQL_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_DATABASE_NAME' => env('MSSQL_DATABASE'),
'PRO_UID' => $process->PRO_UID
]);
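Review bot: No test in this commit exercises the reported defect — a password containing `|` — so nothing guards against the default `$verifyPipe = true` path regressing; the changed lines here (L69, L78) and the parallel edits in DbConnectionsTest, ExecuteQueryTest and AdditionalTablesTest only switch existing fixtures to the new arguments. Add a case that stores a `|`-containing password through the same path and asserts the persisted `DBS_PASSWORD` is not the plaintext (and, if the matching decrypt routine round-trips it, that it decrypts back). The expression `\G::encrypt(..., false, false) . "_2NnV3ujj3w"` is now repeated in every fixture; a small test helper such as `encryptDbPassword($password, $key)` would keep the suffix and flags in one place. The setUp methods continue outside the hunks.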


@@ -38,7 +38,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -69,7 +69,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -97,7 +97,7 @@ class DbConnectionsTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);


@@ -230,7 +230,7 @@ class ExecuteQueryTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
]);
@@ -259,7 +259,7 @@ class ExecuteQueryTest extends TestCase
'DBS_SERVER' => 'localhost',
'DBS_DATABASE_NAME' => $dbName,
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName, false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '1521',
]);


@@ -141,7 +141,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => env('DB_DATABASE'),
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -159,7 +159,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => config('database.connections.testexternal.host'),
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'DBS_USERNAME' => config('database.connections.testexternal.username'),
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -232,7 +232,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => env('DB_HOST'),
'DBS_DATABASE_NAME' => env('DB_DATABASE'),
'DBS_USERNAME' => env('DB_USERNAME'),
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), env('DB_DATABASE'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);
@@ -250,7 +250,7 @@ class AdditionalTablesTest extends TestCase
'DBS_SERVER' => config('database.connections.testexternal.host'),
'DBS_DATABASE_NAME' => config('database.connections.testexternal.database'),
'DBS_USERNAME' => config('database.connections.testexternal.username'),
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database')) . "_2NnV3ujj3w",
'DBS_PASSWORD' => G::encrypt(config('database.connections.testexternal.password'), config('database.connections.testexternal.database'), false, false) . "_2NnV3ujj3w",
'DBS_PORT' => '3306',
'DBS_CONNECTION_TYPE' => 'NORMAL'
]);


@@ -480,7 +480,7 @@ class DbConnections
if ($row[2] != '') {
$aPass = explode('_', $row[2]);
if (count($aPass) == 1) {
$passEncrypt = G::encrypt($row[2], $row[1]);
$passEncrypt = G::encrypt($row[2], $row[1], false, false);
$passEncrypt .= "_2NnV3ujj3w";
$c2 = new Criteria('workflow');
$c2->add(DbSourcePeer::DBS_PASSWORD, $passEncrypt);
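Review bot: The re-encryption branch only runs when `count($aPass) == 1` (L173), i.e. for stored values with no `_` in them, but a password affected by this bug was stored as plaintext *with* the `_2NnV3ujj3w` suffix already appended, so those rows never reach the new call on L175 and stay plain text after this routine runs — if this code is meant to repair existing data, that case needs a separate pass. `explode('_', ...)` also splits on every underscore, so an unsuffixed raw password that itself contains `_` is skipped too; testing for the literal suffix, e.g. `if (substr($row[2], -strlen("_2NnV3ujj3w")) !== "_2NnV3ujj3w")`, would be more reliable than counting segments. The enclosing method continues outside the hunk.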


@@ -1,36 +1,5 @@
<?php
/**
* upgrade.php
*
* ProcessMaker Open Source Edition
* Copyright (C) 2004 - 2008 Colosa Inc.23
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
/*
* Data base connections routines for ajax request
* @Author Erik Amaru Ortiz <erik@colosa.com>
* @Last update May 20th, 2009
* @Param var action from POST request
*/
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
@@ -139,8 +108,8 @@ switch ($action) {
G::RenderPage( 'publish', 'raw' );
break;
case 'saveEditConnection':
$oDBSource = new DbSource();
$oContent = new Content();
$dBSource = new DbSource();
$content = new Content();
if (strpos($_POST['server'], "\\")) {
$_POST['port'] = 'none';
}
@@ -150,17 +119,40 @@ switch ($action) {
if ($flagTns == 0) {
$_POST["connectionType"] = "NORMAL";
$aData = array("DBS_UID" => $_POST["dbs_uid"], "PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => $_POST["server"], "DBS_DATABASE_NAME" => $_POST["db_name"], "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["db_name"])) . "_2NnV3ujj3w", "DBS_PORT" => (($_POST["port"] == "none")? "" : $_POST["port"]), "DBS_ENCODE" => $_POST["enc"], "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => "");
$data = [
"DBS_UID" => $_POST["dbs_uid"],
"PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => $_POST["server"],
"DBS_DATABASE_NAME" => $_POST["db_name"],
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["db_name"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]),
"DBS_ENCODE" => $_POST["enc"],
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => ""
];
} else {
$aData = array("DBS_UID" => $_POST["dbs_uid"], "PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => "", "DBS_DATABASE_NAME" => "", "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["tns"])) . "_2NnV3ujj3w", "DBS_PORT" => "", "DBS_ENCODE" => "", "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => $_POST["tns"]);
$data = [
"DBS_UID" => $_POST["dbs_uid"],
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => "",
"DBS_DATABASE_NAME" => "",
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["tns"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => "",
"DBS_ENCODE" => "",
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => $_POST["tns"]
];
}
$oDBSource->update( $aData );
$oContent->addContent( 'DBS_DESCRIPTION', '', $_POST['dbs_uid'], SYS_LANG, $_POST['desc'] );
$dBSource->update($data);
$content->addContent('DBS_DESCRIPTION', '', $_POST['dbs_uid'], SYS_LANG, $_POST['desc']);
break;
case 'saveConnection':
$oDBSource = new DbSource();
$oContent = new Content();
$dBSource = new DbSource();
$content = new Content();
if (strpos($_POST['server'], "\\")) {
$_POST['port'] = 'none';
}
@@ -170,14 +162,36 @@ switch ($action) {
if ($flagTns == 0) {
$_POST["connectionType"] = "NORMAL";
$aData = array("PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => $_POST["server"], "DBS_DATABASE_NAME" => $_POST["db_name"], "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["db_name"])) . "_2NnV3ujj3w", "DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]), "DBS_ENCODE" => $_POST["enc"], "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => "");
$data = [
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => $_POST["server"],
"DBS_DATABASE_NAME" => $_POST["db_name"],
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["db_name"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => (($_POST["port"] == "none") ? "" : $_POST["port"]),
"DBS_ENCODE" => $_POST["enc"],
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => ""
];
} else {
$aData = array("PRO_UID" => $_SESSION["PROCESS"], "DBS_TYPE" => $_POST["type"], "DBS_SERVER" => "", "DBS_DATABASE_NAME" => "", "DBS_USERNAME" => $_POST["user"], "DBS_PASSWORD" => (($_POST["passwd"] == "none")? "" : G::encrypt($_POST["passwd"], $_POST["tns"])) . "_2NnV3ujj3w", "DBS_PORT" => "", "DBS_ENCODE" => "", "DBS_CONNECTION_TYPE" => $_POST["connectionType"], "DBS_TNS" => $_POST["tns"]);
$data = [
"PRO_UID" => $_SESSION["PROCESS"],
"DBS_TYPE" => $_POST["type"],
"DBS_SERVER" => "",
"DBS_DATABASE_NAME" => "",
"DBS_USERNAME" => $_POST["user"],
"DBS_PASSWORD" => (($_POST["passwd"] == "none") ? "" : G::encrypt($_POST["passwd"], $_POST["tns"], false, false)) . "_2NnV3ujj3w",
"DBS_PORT" => "",
"DBS_ENCODE" => "",
"DBS_CONNECTION_TYPE" => $_POST["connectionType"],
"DBS_TNS" => $_POST["tns"]
];
}
$newid = $oDBSource->create( $aData );
$newId = $dBSource->create($data);
$sDelimiter = DBAdapter::getStringDelimiter();
$oContent->addContent( 'DBS_DESCRIPTION', '', $newid, SYS_LANG, $_POST['desc'] );
$content->addContent('DBS_DESCRIPTION', '', $newId, SYS_LANG, $_POST['desc']);
break;
case 'deleteDbConnection':
$result = new stdclass();
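Review bot: The rewritten arrays keep the loose `$_POST["passwd"] == "none"` comparison on L235, L250, L280 and L294; use `===` so only the literal sentinel matches, `(($_POST["passwd"] === "none") ? "" : G::encrypt($_POST["passwd"], $_POST["db_name"], false, false))`. The `"none"` sentinel also means a genuine password of `none` can never be stored — pre-existing, but the rewrite was the moment to replace it with a dedicated flag. `$_POST` is rewritten by `xssFilterHard` on L213 before the password reaches G::encrypt, so any character that filter strips is silently dropped from the stored credential; worth confirming it leaves `|` and other password characters intact. `$sDelimiter` on L303 is assigned but not used within the hunk. The switch continues outside the hunks.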


@@ -198,9 +198,9 @@ class DataBaseConnection
$dataDBConnection['DBS_PASSWORD'] = '';
} else {
if ($flagTns == 0) {
$pass = G::encrypt( $dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_DATABASE_NAME"]) . "_2NnV3ujj3w";
$pass = G::encrypt( $dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_DATABASE_NAME"], false, false) . "_2NnV3ujj3w";
} else {
$pass = G::encrypt($dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_TNS"]) . "_2NnV3ujj3w";
$pass = G::encrypt($dataDBConnection["DBS_PASSWORD"], $dataDBConnection["DBS_TNS"], false, false) . "_2NnV3ujj3w";
}
$dataDBConnection['DBS_PASSWORD'] = $pass;