From a9b6f8f99bb9a25cdd0c220657b4282b5de4b196 Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto
Date: Fri, 30 Apr 2021 17:02:47 -0400
Subject: [PATCH] PMCORE-1225 execute-query-blacklist.ini not working according to the documentation

---
 .../ProcessMaker/Validation/SqlBlacklist.php | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
index a8777ee67..6ebd17a96 100644
--- a/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
+++ b/workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
@@ -95,30 +95,44 @@ class SqlBlacklist extends Parser
         $config = $this->getConfigValues();
 
         //verify statements
+        $notExecuteQuery = false;
         foreach ($this->statements as $statement) {
             $signed = get_class($statement);
             foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
                 if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
-                    throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
+                    $notExecuteQuery = true;
+                    break;
                 }
             }
         }
 
         //verify tables
         //tokens are formed multidimensionally, it is necessary to recursively traverse the multidimensional object.
-        $listTables = array_merge($config['tables'], $config['pmtables']);
-        $fn = function ($object) use (&$fn, $listTables) {
+        $fn = function ($object, $callback) use (&$fn) {
             foreach ($object as $key => $value) {
                 if (is_array($value) || is_object($value)) {
-                    $fn($value);
+                    $fn($value, $callback);
                 }
                 if ($key === 'table' && is_string($value)) {
-                    if (in_array($value, $listTables)) {
-                        throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$value]));
-                    }
+                    $callback($value);
                 }
             }
         };
-        $fn($this->statements);
+
+        //verify system tables
+        $tables = $config['tables'];
+        $fn($this->statements, function ($table) use ($tables) {
+            if (in_array($table, $tables)) {
+                throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
+            }
+        });
+
+        //verify pmtables
+        $pmtables = $config['pmtables'];
+        $fn($this->statements, function ($table) use ($pmtables, $notExecuteQuery) {
+            if (in_array($table, $pmtables) && $notExecuteQuery) {
+                throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
+            }
+        });
     }
 }
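Review bot: Both new table gates, `in_array($table, $tables)` and `in_array($table, $pmtables) && $notExecuteQuery`, compare the parsed table name to the ini entries case-sensitively and verbatim, while the statement check above normalises with `strtoupper($key)`; if the backing database resolves table names case-insensitively, or the parser hands back a backtick-quoted or schema-qualified name, a query naming `app_delegation` would miss the blacklist entry and execute — whether the parser already strips quotes is not visible in this hunk. Consider normalising both sides, e.g. `$pmtables = array_map('strtoupper', $config['pmtables']);` and comparing `strtoupper(trim($table, '`'))`, and doing the same for `$tables`. Note also that after this change a blacklisted statement type alone never throws (`ID_INVALID_QUERY` is no longer raised anywhere in the method), and because `$notExecuteQuery` is computed across every statement in the batch rather than per statement, a batch such as `SELECT` on a pmtable followed by a blacklisted `DELETE` on another table is rejected while the `DELETE` alone is allowed. A comment making the documented semantics explicit would help the next maintainer, e.g. `// system tables are always rejected; pmtables are rejected only when the batch contains a blacklisted statement type`. The enclosing method begins before this hunk.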