From 20632d5e1027d2a6dfc66639ac384e5761988e18 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Thu, 8 Aug 2019 09:25:40 +0200
Subject: [PATCH] chg: [warning-list] Filter CIDR warning list before eval
---
 app/Model/Warninglist.php | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/app/Model/Warninglist.php b/app/Model/Warninglist.php
index a8ec791e4..079984221 100644
--- a/app/Model/Warninglist.php
+++ b/app/Model/Warninglist.php
@@ -257,6 +257,33 @@ class Warninglist extends AppModel
 return $entries;
 }

+ private function filterCidrList($inputValues)
+ {
+ $outputValues = [];
+ foreach ($inputValues as $v) {
+ $parts = explode('/', $v, 2);
+ if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+ $maximumNetmask = 32;
+ } else if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $maximumNetmask = 128;
+ } else {
+ // IP address part of CIDR is invalid
+ continue;
+ }
+
+ if (!isset($parts[1])) {
+ // If CIDR doesnt contains '/', we will consider CIDR as /32 for IPv4 or /128 for IPv6
+ $v = "$v/$maximumNetmask";
+ } else if ($parts[1] > $maximumNetmask || $parts[1] < 0) {
+ // Netmask part of CIDR is invalid
+ continue;
+ }
+
+ $outputValues[] = $v;
+ }
+ return $outputValues;
+ }
+
 public function fetchForEventView()
 {
 $warninglists = $this->getWarninglists(array('enabled' => 1));
@@ -270,10 +297,12 @@ class Warninglist extends AppModel
 foreach ($t['values'] as $vk => $v) {
 $t['values'][$vk] = rtrim($v, '.');
 }
- }
- if ($t['Warninglist']['type'] == 'string' || $t['Warninglist']['type'] == 'hostname') {
+ } else if ($t['Warninglist']['type'] == 'string' || $t['Warninglist']['type'] == 'hostname') {
 $t['values'] = array_combine($t['values'], $t['values']);
+ } else if ($t['Warninglist']['type'] === 'cidr') {
+ $t['values'] = $this->filterCidrList($t['values']);
 }
+
 foreach ($t['WarninglistType'] as &$wt) {
 $t['types'][] = $wt['type'];
 }
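Review bot: The netmask check in `filterCidrList` compares the raw string `$parts[1]` with integers, so a non-numeric or empty suffix is not reliably rejected: under PHP 7 comparison rules a constructed entry such as `10.0.0.0/abc` or `10.0.0.0/` has its suffix treated as 0 and passes both bounds. Since the filter exists to hand only well-formed CIDRs to the later matching code, the branch should require digits first, e.g. `} else if (!ctype_digit($parts[1]) || (int)$parts[1] > $maximumNetmask) {`. A short docblock saying that invalid entries are dropped silently and that bare addresses are widened to /32 or /128 would also help the next reader.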
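Review bot: Turning the second `if` into `} else if (...)` makes its `'hostname'` test unreachable if the preceding `if` is the hostname branch; its condition is above the hunk, but the `rtrim($v, '.')` loop suggests it is. In that case hostname lists would skip `array_combine` and reach the view as a plain list instead of a value-keyed map, so lookups that rely on the keys would stop matching. Keep `if ($t['Warninglist']['type'] == 'string' || $t['Warninglist']['type'] == 'hostname') {` as its own statement after the closing `}` and chain only the new `} else if ($t['Warninglist']['type'] === 'cidr') {` to it. The body of `fetchForEventView` continues outside the hunk.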
@@ -411,10 +440,9 @@ class Warninglist extends AppModel
 $ipv6cidrlist = array();
 // separate the CIDR list into IPv4 and IPv6
 foreach ($listValues as $lv) {
- $base = substr($lv, 0, strpos($lv, '/'));
- if (filter_var($base, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+ if (strpos($lv, '.') !== false) { // IPv4 address must contain dot
 $ipv4cidrlist[] = $lv;
- } elseif (filter_var($base, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ } else {
 $ipv6cidrlist[] = $lv;
 }
 }
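Review bot: Classifying on `strpos($lv, '.') !== false` puts every entry containing a dot into the IPv4 list, including an IPv4-mapped IPv6 CIDR such as `::ffff:192.0.2.1/128`, which `filterCidrList` would accept as IPv6. Testing for a colon is unambiguous: `if (strpos($lv, ':') === false) { // IPv4 never contains a colon`. The `else` branch also no longer validates anything, so the loop is only safe when every caller has already passed the list through `filterCidrList`. Only `fetchForEventView` is shown doing that, so the precondition deserves a comment above the loop. The enclosing function starts and ends outside the hunk.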