new: [paranoid logging] Added POST/PUT body logging on demand

2019-05-17 12:04:19 +02:00 · 2019-05-17 12:04:19 +02:00 · 1aef957d5f
parent f71bb17ea4
commit 1aef957d5f
2 changed files with 19 additions and 2 deletions
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -46,7 +46,7 @@ class AppController extends Controller

    public $helpers = array('Utility', 'OrgImg', 'FontAwesome');

-    private $__queryVersion = '69';
+    private $__queryVersion = '68';
    public $pyMispVersion = '2.4.106';
    public $phpmin = '7.0';
    public $phprec = '7.2';
@ -447,6 +447,14 @@ class AppController extends Controller
            if (Configure::read('MISP.log_paranoid')) {
                $this->Log = ClassRegistry::init('Log');
                $this->Log->create();
+                $change = 'HTTP method: ' . $_SERVER['REQUEST_METHOD'] . PHP_EOL . 'Target: ' . $this->here;
+                if (($this->request->is('post') || $this->request->is('put')) && !empty(Configure::read('MISP.log_paranoid_include_post_body'))) {
+                    $payload = $this->request->data;
+                    if (!empty($payload['_Token'])) {
+                        unset($payload['_Token']);
+                    }
+                    $change .= PHP_EOL . 'Request body: ' . json_encode($payload);
+                }
                $log = array(
                        'org' => $this->Auth->user('Organisation')['name'],
                        'model' => 'User',
@ -454,7 +462,7 @@ class AppController extends Controller
                        'email' => $this->Auth->user('email'),
                        'action' => 'request',
                        'title' => 'Paranoid log entry',
-                        'change' => 'HTTP method: ' . $_SERVER['REQUEST_METHOD'] . PHP_EOL . 'Target: ' . $this->here,
+                        'change' => $change,
                );
                $this->Log->save($log);
            }
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -730,6 +730,15 @@ class Server extends AppModel
                                'type' => 'boolean',
                                'null' => true
                        ),
+                        'log_paranoid_include_post_body' => array(
+                                'level' => 0,
+                                'description' => __('If paranoid logging is enabled, include the POST body in the entries.'),
+                                'value' => false,
+                                'errorMessage' => '',
+                                'test' => 'testBool',
+                                'type' => 'boolean',
+                                'null' => true
+                        ),
                        'delegation' => array(
                                'level' => 1,
                                'description' => __('This feature allows users to create org only events and ask another organisation to take ownership of the event. This allows organisations to remain anonymous by asking a partner to publish an event for them.'),