Implemented correct from / to api parameter checks

- based on stevengoossensB's pull request
pull/516/head
iglocska 2015-05-13 16:12:06 +02:00
parent c9afc365a8
commit 35134a7f2e
4 changed files with 34 additions and 8 deletions


@ -1 +1 @@
{"major":2, "minor":3, "hotfix":63}
{"major":2, "minor":3, "hotfix":64}


@ -1495,11 +1495,6 @@ class AttributesController extends AppController {
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
public function restSearch($key='download', $value=false, $type=false, $category=false, $org=false, $tags=false, $from=false, $to=false) {
if ($tags) $tags = str_replace(';', ':', $tags);
if ($tags === 'null') $tags = null;
if ($value === 'null') $value = null;
if ($type === 'null') $type = null;
if ($category === 'null') $category = null;
if ($org === 'null') $org = null;
if ($key!=null && $key!='download') {
$user = $this->checkAuthUser($key);
} else {
@ -1530,6 +1525,13 @@ class AttributesController extends AppController {
else ${$p} = null;
}
}
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'from', 'to');
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
if ($to) $from = $this->Attribute->Event->dateFieldCheck($to);
if (!isset($this->request->params['ext']) || $this->request->params['ext'] !== 'json') {
$this->response->type('xml'); // set the content type
$this->layout = 'xml/default';
@ -1768,8 +1770,8 @@ class AttributesController extends AppController {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($type === 'null' || $type === '0' || $type === 'false') $type = 'all';
if ($from && !preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/', $from)) $from = false;
if ($to && !preg_match('/^[0-9]{4}-[l0-9]{2}-[0-9]{2}$/', $from)) $from = false;
if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
if ($to) $from = $this->Attribute->Event->dateFieldCheck($to);
if ($key != 'download') {
// check if the key is valid -> search for users based on key
$user = $this->checkAuthUser($key);
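Review bot: The `to` bound is still never validated: in both hunks the second new line reads `if ($to) $from = $this->Attribute->Event->dateFieldCheck($to);`, which overwrites the already-checked `$from` with the checked `$to` and leaves `$to` holding the raw request value, so whatever consumes `$to` further down (outside the hunk) receives unchecked input and the `from` filter is silently replaced by the `to` date. Change the assignment target at both sites: `if ($to) $to = $this->Attribute->Event->dateFieldCheck($to);`. Note also that `dateFieldCheck` returns `false` for a malformed date and the `$simpleFalse` loop just above establishes `false` as "no filter", so a bad `from`/`to` widens the search instead of failing; if that is not intended, respond with an error when the check yields `false`. The enclosing `restSearch` method and the method around the second hunk start and end outside the hunks.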


@ -1725,6 +1725,8 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
if ($tags) $tags = str_replace(';', ':', $tags);
$eventIdArray = array();
@ -1802,6 +1804,9 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
if ($tags) $tags = str_replace(';', ':', $tags);
// backwards compatibility, swap key and format
if ($format != 'snort' && $format != 'suricata') {
@ -1837,6 +1842,9 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
if ($tags) $tags = str_replace(';', ':', $tags);
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
@ -1869,6 +1877,9 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
if ($tags) $tags = str_replace(';', ':', $tags);
$list = array();
if ($key != 'download') {
@ -2399,6 +2410,9 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
if ($tags) $tags = str_replace(';', ':', $tags);
if ($searchall === 'true') $searchall = "1";
@ -2974,6 +2988,8 @@ class EventsController extends AppController {
foreach ($simpleFalse as $sF) {
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
}
if ($from) $from = $this->Event->dateFieldCheck($from);
if ($to) $from = $this->Event->dateFieldCheck($to);
// set null if a null string is passed
$numeric = false;
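Review bot: Every hunk in this file repeats the same slip on its second added line, `if ($to) $from = $this->Event->dateFieldCheck($to);`: `$from` is overwritten with the validated `$to`, and `$to` itself is passed on unvalidated, so the `to` bound is exactly as unchecked as before this commit while the `from` bound is silently replaced. Each occurrence should assign back to `$to`: `if ($to) $to = $this->Event->dateFieldCheck($to);`. Since `dateFieldCheck` returns `false` for a malformed date and the preceding `$simpleFalse` loop treats `false` as an unset filter, a bad value currently drops the bound rather than rejecting the request — that should be a deliberate choice (with an error response) rather than a side effect. All six enclosing methods start and end outside their hunks.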


@ -1916,4 +1916,12 @@ class Event extends AppModel {
}
return $fn;
}
// expects a date string in the DD-MM-YYYY format
// returns the passed string or false if the format is invalid
// based on the fix provided by stevengoosensB
public function dateFieldCheck($date) {
// regex check for from / to field by stevengoossensB
return (preg_match('/^[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|1[0-9]|2[0-9]|3[01])$/', $date)) ? $date : false;
}
}
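Review bot: The header comment on `dateFieldCheck` says the input is `DD-MM-YYYY`, but the regex only accepts `YYYY-MM-DD` (four-digit year group first); the comment should read `// expects a date string in the YYYY-MM-DD format`. The pattern also admits calendar-impossible dates such as `2015-02-31`, which `checkdate()` would reject, and callers cannot tell "absent" from "malformed" since both come back as `false`. A small rewrite that keeps the return contract but adds the calendar check:
```php
    // expects a date string in the YYYY-MM-DD format
    // returns the passed string or false if the format or the calendar date is invalid
    public function dateFieldCheck($date) {
        if (!preg_match('/^([0-9]{4})-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$/', $date, $m)) return false;
        return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? $date : false;
    }
```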