fix: [security] Enforce usage of POST to start an export generation process

As reported by Andrei Agape / Teliacompany
2024-01-31 14:24:17 +01:00 · 2024-01-31 14:24:17 +01:00 · 0ac2468c28
parent 9425c99894
commit 0ac2468c28
2 changed files with 11 additions and 3 deletions
--- a/app/Controller/JobsController.php
+++ b/app/Controller/JobsController.php
@ -154,6 +154,9 @@ class JobsController extends AppController
        if (Configure::read('MISP.disable_cached_exports')) {
            throw new MethodNotAllowedException('This feature is currently disabled');
        }
+        if (!$this->request->is('post')) {
+            throw new MethodNotAllowedException('This endpoint only accept POST.');
+        }
        if ($this->_isSiteAdmin()) {
            $target = 'All events.';
        } else {
--- a/app/View/Events/export.ctp
+++ b/app/View/Events/export.ctp
@ -114,7 +114,7 @@
                        '<td><span class="btn-group">%s%s</span></td>',
                        ($k === 'text') ? '' : $this->Html->link(__('Download'), array('action' => 'downloadExport', $k), array('class' => 'btn btn-inverse btn-small')),
                        sprintf(
-                            '<button class="btn btn-inverse btn-small" id=button%s onClick="generate(\'%s\', \'%s\', \'%s\', \'%s\', \'%s\')" %s>%s</button>',
+                            '<button class="btn btn-inverse btn-small" id=button%s onClick="generate(\'%s\', \'%s\', \'%s\', \'%s\', \'%s\')" %s>%s</button><div class="hidden">%s</div>',
                            $i,
                            h($i),
                            h($k),
@ -122,7 +122,8 @@
                            h($type['progress']),
                            h($type['lastModified']),
                            (!$type['recommendation']) ? 'disabled' : '',
-                            __('Generate')
+                            __('Generate'),
+                            $this->Form->postLink(__('Download'), array('controller' => 'jobs', 'action' => 'cache', h($k)), array('class' => 'btn btn-inverse btn-small')),
                        )
                    );
                } else {
@ -174,8 +175,12 @@
 ?>
 <script type="text/javascript">
    function generate(i, type, id, progress, modified) {
+        var $clicked = $('#button'+i)
+        var $form = $clicked.next().find('form')
        $.ajax({
-            url: "<?php echo $baseurl; ?>/jobs/cache/" + type,
+            url: $form.attr('action'),
+            type:'post',
+            data: $form.serialize()
            })
            .done(function(data) {
                jobsArray[i] = data;