chg: [warning-list] Filter CIDR warning list before eval

2019-08-08 09:25:40 +02:00 · 2019-08-08 09:25:40 +02:00 · 20632d5e10
parent 8e58e27697
commit 20632d5e10
1 changed files with 33 additions and 5 deletions
--- a/app/Model/Warninglist.php
+++ b/app/Model/Warninglist.php
@ -257,6 +257,33 @@ class Warninglist extends AppModel
        return $entries;
    }

+    private function filterCidrList($inputValues)
+    {
+        $outputValues = [];
+        foreach ($inputValues as $v) {
+            $parts = explode('/', $v, 2);
+            if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+                $maximumNetmask = 32;
+            } else if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+                $maximumNetmask = 128;
+            } else {
+                // IP address part of CIDR is invalid
+                continue;
+            }
+
+            if (!isset($parts[1])) {
+                // If CIDR doesnt contains '/', we will consider CIDR as /32 for IPv4 or /128 for IPv6
+                $v = "$v/$maximumNetmask";
+            } else if ($parts[1] > $maximumNetmask || $parts[1] < 0) {
+                // Netmask part of CIDR is invalid
+                continue;
+            }
+
+            $outputValues[] = $v;
+        }
+        return $outputValues;
+    }
+
    public function fetchForEventView()
    {
        $warninglists = $this->getWarninglists(array('enabled' => 1));
@ -270,10 +297,12 @@ class Warninglist extends AppModel
                foreach ($t['values'] as $vk => $v) {
                    $t['values'][$vk] = rtrim($v, '.');
                }
-            }
-            if ($t['Warninglist']['type'] == 'string' || $t['Warninglist']['type'] == 'hostname') {
+            } else if ($t['Warninglist']['type'] == 'string' || $t['Warninglist']['type'] == 'hostname') {
                $t['values'] = array_combine($t['values'], $t['values']);
+            } else if ($t['Warninglist']['type'] === 'cidr') {
+                $t['values'] = $this->filterCidrList($t['values']);
            }
+
            foreach ($t['WarninglistType'] as &$wt) {
                $t['types'][] = $wt['type'];
            }
@ -411,10 +440,9 @@ class Warninglist extends AppModel
        $ipv6cidrlist = array();
        // separate the CIDR list into IPv4 and IPv6
        foreach ($listValues as $lv) {
-            $base = substr($lv, 0, strpos($lv, '/'));
-            if (filter_var($base, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            if (strpos($lv, '.') !== false) { // IPv4 address must contain dot
                $ipv4cidrlist[] = $lv;
-            } elseif (filter_var($base, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            } else {
                $ipv6cidrlist[] = $lv;
            }
        }