fixes information leakage vulnerability on REST XML outputs
parent
62a3da46f2
commit
0614db919e
@ -121,10 +121,7 @@ Configure::write('CyDefSIG.logo', 'orgs/ORGNAME.png'); // used in Events::in
|
|||
Configure::write('CyDefSIG.showorg', 'true'); // show the name/flag of the organisation that uploaded the data
|
||||
|
||||
Configure::write('CyDefSIG.sync', 'true'); // enable features related to syncing with other CyDefSIG instances - should be always on because of the current distribution model.
|
||||
Configure::write('CyDefSIG.private', 'true'); // respect private to org or server.
|
||||
if ('true' == Configure::read('CyDefSIG.private')) {
|
||||
Configure::write('CyDefSIG.sync', 'true');
|
||||
}
|
||||
|
||||
Configure::write('CyDefSIG.email', 'email@address.com'); // email from for all the mails
|
||||
Configure::write('CyDefSIG.contact', 'email@address.com'); // contact address for this instance's support person / group
|
||||
|
||||
@ -78,16 +78,6 @@ class EventsController extends AppController {
|
|||
);
|
||||
}
|
||||
|
||||
//// do not show cluster outside server
|
||||
//if ('true' == Configure::read('CyDefSIG.private')) {
|
||||
// if ($this->_isRest()) {
|
||||
// $this->paginate = Set::merge($this->paginate,array(
|
||||
// 'conditions' =>
|
||||
// array(array('Event.cluster !=' => true)),
|
||||
// //array("AND" => array(array('Event.private !=' => 2))),
|
||||
// ));
|
||||
// }
|
||||
//}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -268,7 +258,7 @@ class EventsController extends AppController {
|
|||
//return false;
|
||||
$this->Session->setFlash(__('You may only upload GFI Sandbox zip files.'));
|
||||
} else {
|
||||
if ($this->_add($this->request->data, $this->Auth, $this->_isRest(),'')) {
|
||||
if ($this->_add($this->request->data, $this->_isRest(),'')) {
|
||||
if ($this->_isRest()) {
|
||||
// REST users want to see the newly created event
|
||||
$this->view($this->Event->getId());
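Review bot: The trailing `''` argument in the new call `$this->_add($this->request->data, $this->_isRest(), '')` is redundant: `$or` defaults to `''` in the new signature and, per the FIXME next to its definition, is no longer used to set the org, so `$this->_add($this->request->data, $this->_isRest())` says the same thing more clearly. The enclosing `add()` action starts and ends outside this hunk.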
|
||||
|
@ -333,8 +323,9 @@ class EventsController extends AppController {
|
|||
*
|
||||
* @return bool true if success
|
||||
*/
|
||||
public function _add(&$data, &$auth, $fromXml, $or='', $passAlong = null, $fromPull = false) {
|
||||
public function _add(&$data, $fromXml, $or='', $passAlong = null, $fromPull = false) {
|
||||
// force check userid and orgname to be from yourself
|
||||
$auth = $this->Auth;
|
||||
$data['Event']['user_id'] = $auth->user('id');
|
||||
$data['Event']['org'] = $auth->user('org');
|
||||
//$data['Event']['org'] = strlen($or) ? $or : $auth->user('org'); // FIXME security - org problem
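Review bot: `$or` is now a dead parameter — after this change the only line that mentions it is the commented-out FIXME, and `org` is unconditionally taken from the session user at the new `$data['Event']['org'] = $auth->user('org');` — yet the signature and the ServersController caller still pass a value through it, which reads as if the caller's organisation still matters. Either drop the parameter (or rename it `$unusedOrg`) or state the decision where callers will see it, e.g. above the org line: `// $or is deliberately ignored: org/user_id always come from the authenticated user so a client cannot write events under another org`, and repeat that sentence in the docblock, whose start lies outside this hunk. The `$auth = $this->Auth;` alias only serves the two following lines and could be inlined as `$this->Auth->user(...)`. The body of `_add` continues past the end of the hunk.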
|
||||
@ -241,7 +241,7 @@ class ServersController extends AppController {
|
|||
$eventsController->constructClasses();
|
||||
$passAlong = $this->Server->data['Server']['url'];
|
||||
try {
|
||||
$result = $eventsController->_add($event, $this->Auth, $fromXml = true, $this->Server->data['Server']['organization'], $passAlong, true);
|
||||
$result = $eventsController->_add($event, $fromXml = true, $this->Server->data['Server']['organization'], $passAlong, true);
|
||||
} catch (MethodNotAllowedException $e) {
|
||||
if ($e->getMessage() == 'Event already exists') {
|
||||
//$successes[] = $eventId; // commented given it's in a catch..
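Review bot: With the new `_add` signature the `$this->Server->data['Server']['organization']` argument still travels as `$or`, but `_add` now overwrites `org` with the pulling user's organisation (its new `$data['Event']['org'] = $auth->user('org');` line), so every pulled event is stored as if the local user created it rather than under the remote server's organisation; if that is the intended trade-off of the leak fix it deserves a comment here such as `// NOTE: the remote organisation is currently ignored by _add(); pulled events are attributed to the pulling user's org`, otherwise the attribution is silently lost. Separately, `$fromXml = true` assigns a local inside the argument list; passing plain `true` keeps the call free of side effects, as the variable is not read again within this hunk. The surrounding try/catch and loop start and end outside the hunk.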
|
||||
@ -10,7 +10,7 @@ foreach ($attributes as $key => $attribute) {
|
|||
if ('true' != Configure::read('CyDefSIG.sync')) {
|
||||
unset($attributes[$key]['private']);
|
||||
}
|
||||
unset($attributes[$key]['sharing']);
|
||||
|
||||
unset($attributes[$key]['cluster']);
|
||||
}
|
||||
|
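Review bot: `private` is stripped from each attribute only when `CyDefSIG.sync` is not `'true'`, whereas the rewritten single-event XML view in this same commit removes `Attribute[...]['private']` unconditionally, so with sync enabled the attributes XML index still reveals the `private` flag that the event XML now hides. If sync peers genuinely need the flag here, say so on the condition (`// kept when syncing: peers must learn which attributes are private`); otherwise make the `unset` unconditional to match the event views. Which of the `sharing`/`cluster` unsets is the new line is not recoverable from this rendering, and the enclosing `foreach` begins before the hunk.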
||||
@ -1,21 +1,22 @@
|
|||
<?php
|
||||
// TODO also output a kind of status code and data what was requested in the REST result
|
||||
$xmlArray = array();
|
||||
|
||||
foreach ($events as $key => $event) {
|
||||
// rearrange things to be compatible with the Xml::fromArray()
|
||||
$events[$key] = $events[$key]['Event'];
|
||||
unset($events[$key]['Event']);
|
||||
|
||||
// cleanup the array from things we do not want to expose
|
||||
unset($events[$key]['Event']);
|
||||
// hide the private field is we are not in sync mode
|
||||
if ('true' != Configure::read('CyDefSIG.sync')) {
|
||||
unset($events[$key]['private']);
|
||||
}
|
||||
unset($events[$key]['user_id']);
|
||||
unset($events[$key]['cluster']);
|
||||
unset($events[$key]['sharing']);
|
||||
unset($events[$key]['private']);
|
||||
unset($events[$key]['communitie']);
|
||||
// hide the org field is we are not in showorg mode
|
||||
if ('true' != Configure::read('CyDefSIG.showorg') && !$isAdmin) {
|
||||
unset($events[$key]['org']);
|
||||
unset($events[$key]['orgc']);
|
||||
unset($events[$key]['from']);
|
||||
}
|
||||
|
||||
}
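Review bot: The showorg check `if ('true' != Configure::read('CyDefSIG.showorg') && !$isAdmin)` reads `$isAdmin` straight from the view scope; if a controller action renders this view without setting it, PHP raises an undefined-variable notice and the expression evaluates with `$isAdmin` as null — the org is hidden, which is the safe direction, but the notice text can end up inside the XML body. `!empty($isAdmin)` (or `isset($isAdmin) && $isAdmin`) makes the fail-closed default explicit and silent. Note also that `private` is unset both inside the sync-conditional block and unconditionally a few lines below, and `['Event']` is unset twice; the rendering does not show which of these lines is old and which is new, but only one of each should survive on the new side.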
|
||||
@ -4,30 +4,6 @@ $xmlArray = array();
|
|||
$event['Event']['Attribute'] = $event['Attribute'];
|
||||
unset($event['Attribute']);
|
||||
|
||||
// cleanup the array from things we do not want to expose
|
||||
// remove value1 and value2 from the output
|
||||
foreach ($event['Event']['Attribute'] as $key => $value) {
|
||||
unset($event['Event']['Attribute'][$key]['value1']);
|
||||
unset($event['Event']['Attribute'][$key]['value2']);
|
||||
unset($event['Event']['Attribute'][$key]['category_order']);
|
||||
|
||||
unset($event['Event']['Attribute'][$key]['private']);
|
||||
unset($event['Event']['Attribute'][$key]['communitie']);
|
||||
unset($event['Event']['Attribute'][$key]['cluster']);
|
||||
}
|
||||
|
||||
// hide the share fields is we are not in private mode
|
||||
unset($event['Event']['cluster']);
|
||||
unset($event['Event']['sharing']);
|
||||
foreach ($event['Event']['Attribute'] as $key => $value) {
|
||||
unset($event['Event']['Attribute'][$key]['sharing']);
|
||||
}
|
||||
|
||||
// hide the org field is we are not in showorg mode
|
||||
if ('true' != Configure::read('CyDefSIG.showorg') && !$isAdmin) {
|
||||
unset($event['Event']['org']);
|
||||
}
|
||||
|
||||
// build up a list of the related events
|
||||
if (isset($relatedEvents)) {
|
||||
foreach ($relatedEvents as $relatedEvent) {
|
||||
|
@ -35,6 +11,41 @@ if (isset($relatedEvents)) {
|
|||
}
|
||||
}
|
||||
|
||||
//
|
||||
// cleanup the array from things we do not want to expose
|
||||
//
|
||||
unset($event['Event']['user_id']);
|
||||
unset($event['Event']['cluster']);
|
||||
unset($event['Event']['private']);
|
||||
unset($event['Event']['communitie']);
|
||||
// hide the org field is we are not in showorg mode
|
||||
if ('true' != Configure::read('CyDefSIG.showorg') && !$isAdmin) {
|
||||
unset($event['Event']['org']);
|
||||
unset($event['Event']['orgc']);
|
||||
unset($event['Event']['from']);
|
||||
}
|
||||
|
||||
// remove value1 and value2 from the output
|
||||
foreach ($event['Event']['Attribute'] as $key => $value) {
|
||||
unset($event['Event']['Attribute'][$key]['private']);
|
||||
unset($event['Event']['Attribute'][$key]['communitie']);
|
||||
unset($event['Event']['Attribute'][$key]['cluster']);
|
||||
|
||||
unset($event['Event']['Attribute'][$key]['value1']);
|
||||
unset($event['Event']['Attribute'][$key]['value2']);
|
||||
}
|
||||
foreach ($event['Event']['RelatedEvent'] as $key => $value) {
|
||||
unset($event['Event']['RelatedEvent'][$key]['user_id']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['private']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['communitie']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['cluster']);
|
||||
if ('true' != Configure::read('CyDefSIG.showorg') && !$isAdmin) {
|
||||
unset($event['Event']['RelatedEvent'][$key]['org']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['orgc']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['from']);
|
||||
}
|
||||
}
|
||||
|
||||
// display the XML to the user
|
||||
$xmlArray['response']['Event'][] = $event['Event'];
|
||||
$xmlObject = Xml::fromArray($xmlArray, array('format' => 'tags'));
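Review bot: The new `foreach ($event['Event']['RelatedEvent'] as $key => $value)` runs unconditionally, while `RelatedEvent` is only built inside `if (isset($relatedEvents))` in the preceding hunk, so for an event with no related events the key is presumably undefined and PHP warns ("Invalid argument supplied for foreach()") into the XML response; guard the loop with `if (isset($event['Event']['RelatedEvent'])) { ... }`. Second, the block removed by this commit also stripped `sharing` from the event and from every attribute, and the new cleanup section has no `unset(...['sharing'])` at all, while the index XML view in this same commit still strips it — if that column still exists, the single-event XML now exposes it. Finally the comment `// remove value1 and value2 from the output` now heads a loop that also removes `private`, `communitie` and `cluster`; `// strip internal sharing fields and the value1/value2 split from each attribute` describes what it does.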
|
||||