fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged in bugfix/PMCORE-1225-B (pull request #7915)

Browse Source 
PMCORE-1225 execute-query-blacklist.ini not working according to the documentation

Approved-by: Julio Cesar Laura Avendaño
This commit is contained in:
Roly Rudy Gutierrez Pinto
2021-05-05 14:51:00 +00:00
committed by Julio Cesar Laura Avendaño
parent fd7f21d68c fcbbd06afe
commit d0f6f7de56
1 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
workflow/engine/src/ProcessMaker/Validation/SqlBlacklist.php
View File

@@ -95,30 +95,44 @@ class SqlBlacklist extends Parser
$config = $this->getConfigValues();
//verify statements
$notExecuteQuery = false;
foreach ($this->statements as $statement) {
$signed = get_class($statement);
foreach (Parser::$STATEMENT_PARSERS as $key => $value) {
if ($signed === $value && in_array(strtoupper($key), $config['statements'])) {
throw new Exception(G::loadTranslation('ID_INVALID_QUERY'));
$notExecuteQuery = true;
break;
}
}
}
//verify tables
//tokens are formed multidimensionally, it is necessary to recursively traverse the multidimensional object.
$listTables = array_merge($config['tables'], $config['pmtables']);
$fn = function ($object) use (&$fn, $listTables) {
$fn = function ($object, $callback) use (&$fn) {
foreach ($object as $key => $value) {
if (is_array($value) || is_object($value)) {
$fn($value);
$fn($value, $callback);
}
if ($key === 'table' && is_string($value)) {
if (in_array($value, $listTables)) {
throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$value]));
}
$callback($value);
}
}
};
$fn($this->statements);
//verify system tables
$tables = $config['tables'];
$fn($this->statements, function ($table) use ($tables) {
if (in_array($table, $tables)) {
throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
}
});
//verify pmtables
$pmtables = $config['pmtables'];
$fn($this->statements, function ($table) use ($pmtables, $notExecuteQuery) {
if (in_array($table, $pmtables) && $notExecuteQuery) {
throw new Exception(G::loadTranslation('ID_NOT_EXECUTE_QUERY', [$table]));
}
});
}
}