From 041ee4d5da6790cb8c2fd4ace36271d6daf46b02 Mon Sep 17 00:00:00 2001
From: chrisr3d <chris.studer.68@gmail.com>
Date: Thu, 4 Apr 2019 14:21:10 +0200
Subject: [PATCH] fix: [enrichment] Avoiding errors on distribution and sharing
 group data

- Making sure we do have a value for distribution
  and sharing group
- Avoid translating distribution levels into their
  human meaning because the output process capturing
  data from the form will anyway use the numeric
  values. Readable values are btw displayed in the
  form for users confort
- Also sanitized data displayed
---
 app/Controller/EventsController.php      | 12 ++++------
 app/View/Events/resolved_misp_format.ctp | 30 ++++++++----------------
 2 files changed, 14 insertions(+), 28 deletions(-)

diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 53e99c717..46aaa60cf 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -5105,11 +5105,8 @@ class EventsController extends AppController
         }
         if (isset($result['results']['Object']) && !empty($result['results']['Object'])) {
             foreach ($result['results']['Object'] as $tmp_object) {
-                if (!isset($tmp_object['distribution'])) {
-                    $tmp_object['distribution'] = $defaultDistribution;
-                } else {
-                    $tmp_object['distribution'] = (int)$tmp_object['distribution'];
-                }
+                $tmp_object['distribution'] = (isset($tmp_object['distribution']) ? (int)$tmp_object['distribution'] : $defaultDistribution);
+                $tmp_object['sharing_group_id'] = (isset($tmp_object['sharing_group_id']) ? (int)$tmp_object['sharing_group_id'] : 0);
                 if (isset($tmp_object['Attribute']) && $tmp_object['Attribute']) {
                     foreach ($tmp_object['Attribute'] as &$tmp_attribute) {
                         $tmp_attribute = $this->__fillAttribute($tmp_attribute, $defaultDistribution);
@@ -5146,9 +5143,8 @@ class EventsController extends AppController
         if (!isset($attribute['to_ids'])) {
             $attribute['to_ids'] = $this->Event->Attribute->typeDefinitions[$attribute['type']]['to_ids'];
         }
-        if (!isset($attribute['distribution'])) {
-            $attribute['distribution'] = $defaultDistribution;
-        }
+        $attribute['distribution'] = (isset($attribute['distribution']) ? (int)$attribute['distribution'] : $defaultDistribution);
+        $attribute['sharing_group_id'] = (isset($attribute['sharing_group_id']) ? (int)$attribute['sharing_group_id'] : 0);
         return $attribute;
     }
 
diff --git a/app/View/Events/resolved_misp_format.ctp b/app/View/Events/resolved_misp_format.ctp
index d640a1543..938b7ab9b 100644
--- a/app/View/Events/resolved_misp_format.ctp
+++ b/app/View/Events/resolved_misp_format.ctp
@@ -61,18 +61,18 @@
               <td style="width:60px;text-align:center;">
                 <select class='ObjectDistribution' style='padding:0px;height:20px;margin-bottom:0px;'>
                   <?php
-                      foreach ($distributions as $distKey => $distValue) {
-                          echo '<option value="' . $distKey . '" ' . ($distKey == $object['distribution'] ? 'selected="selected"' : '') . '>' . $distValue . '</option>';
-                      }
+                    foreach ($distributions as $distKey => $distValue) {
+                        echo '<option value="' . h($distKey) . '" ' . ($distKey == $object['distribution'] ? 'selected="selected"' : '') . '>' . h($distValue) . '</option>';
+                    }
                   ?>
                 </select>
               </td>
               <div style="display:none;">
                 <select class='ObjectSharingGroup' style='padding:0px;height:20px;margin-top:3px;margin-bottom:0px;'>
                   <?php
-                        foreach ($sgs as $sgKey => $sgValue) {
-                            echo '<option value="' . h($sgKey) . '">' . h($sgValue) . '</option>';
-                        }
+                    foreach ($sgs as $sgKey => $sgValue) {
+                        echo '<option value="' . h($sgKey) . '" ' . ($sgKey == $object['sharing_group_id'] ? 'selected="selected"' : '') . '>' . h($sgValue) . '</option>';
+                    }
                   ?>
                 </select>
               </div>
@@ -141,11 +141,6 @@
                     foreach ($object['Attribute'] as $a => $attribute) {
                         echo '<tr class="ObjectAttribute">';
                         echo '<td class="ObjectRelation">' . h($attribute['object_relation']) . '</td>';
-                        if ($attribute['distribution'] != 4) {
-                            $attribute['distribution'] = $distributions[$attribute['distribution']];
-                        } else {
-                            $attribute['distribution'] = $sgs[$attribute['sharing_group_id']];
-                        }
                         foreach ($attributeFields as $field) {
                             echo '<td class="Attribute' . ucfirst($field) . '">' . (isset($attribute[$field]) ? h($attribute[$field]) : '') . '</td>';
                         }
@@ -163,7 +158,7 @@
               <select class='AttributeDistribution' style='padding:0px;height:20px;margin-bottom:0px;'>
                 <?php
                         foreach ($distributions as $distKey => $distValue) {
-                            echo '<option value="' . $distKey . '" ' . ($distKey == $attribute['distribution'] ? 'selected="selected"' : '') . '>' . $distValue . '</option>';
+                            echo '<option value="' . h($distKey) . '" ' . ($distKey == $attribute['distribution'] ? 'selected="selected"' : '') . '>' . h($distValue) . '</option>';
                         }
                 ?>
               </select>
@@ -171,7 +166,7 @@
                 <select class='AttributeSharingGroup' style='padding:0px;height:20px;margin-top:3px;margin-bottom:0px;'>
                   <?php
                         foreach ($sgs as $sgKey => $sgValue) {
-                            echo '<option value="' . h($sgKey) . '">' . h($sgValue) . '</option>';
+                            echo '<option value="' . h($sgKey) . '" ' . ($sgKey == $attribute['sharing_group_id'] ? 'selected="selected"' : '') . '>' . h($sgValue) . '</option>';
                         }
                   ?>
                 </select>
@@ -210,11 +205,6 @@
           <?php
             foreach ($event['Attribute'] as $a => $attribute) {
                 echo '<tr class="MISPAttribute">';
-                if ($attribute['distribution'] != 4) {
-                    $attribute['distribution'] = $distributions[$attribute['distribution']];
-                } else {
-                    $attribute['distribution'] = $sgs[$attribute['sharing_group_id']];
-                }
                 foreach ($attributeFields as $field) {
                     echo '<td class="Attribute' . ucfirst($field) . '">' . (isset($attribute[$field]) ? h($attribute[$field]) : '') . '</td>';
                 }
@@ -232,7 +222,7 @@
             <select class='AttributeDistribution' style='padding:0px;height:20px;margin-bottom:0px;'>
             <?php
                 foreach ($distributions as $distKey => $distValue) {
-                    echo '<option value="' . $distKey . '" ' . ($distKey == $attribute['distribution'] ? 'selected="selected"' : '') . '>' . $distValue . '</option>';
+                    echo '<option value="' . h($distKey) . '" ' . ($distKey == $attribute['distribution'] ? 'selected="selected"' : '') . '>' . h($distValue) . '</option>';
                 }
             ?>
             </select>
@@ -240,7 +230,7 @@
               <select class='AttributeSharingGroup' style='padding:0px;height:20px;margin-top:3px;margin-bottom:0px;'>
                 <?php
                 foreach ($sgs as $sgKey => $sgValue) {
-                    echo '<option value="' . h($sgKey) . '">' . h($sgValue) . '</option>';
+                    echo '<option value="' . h($sgKey) . '" ' . ($sgKey == $attribute['sharing_group_id'] ? 'selected="selected"' : '') . '>' . h($sgValue) . '</option>';
                 }
                 ?>
               </select>