MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

fix: [security] Check if user can access sharing group when uploading attachment

pull/6181/head
Jakub Onderka 2020-08-06 11:52:53 +02:00
parent 72e108b44f
commit 421e94bc2f
2 changed files with 53 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
app/Controller/AttributesController.php
View File

@ -108,8 +108,7 @@ class AttributesController extends AppController
if (!$this->userRole['perm_add']) {
throw new MethodNotAllowedException(__('You do not have permissions to create attributes'));
}
$this->loadModel('Event');
$event = $this->Event->fetchSimpleEvent($this->Auth->user(), $eventId);
$event = $this->Attribute->Event->fetchSimpleEvent($this->Auth->user(), $eventId);
if (!$event) {
throw new NotFoundException(__('Invalid event'));
}
@ -117,7 +116,7 @@ class AttributesController extends AppController
throw new ForbiddenException(__('You do not have permission to do that.'));
}
if (!$this->_isRest()) {
$this->Event->insertLock($this->Auth->user(), $event['Event']['id']);
$this->Attribute->Event->insertLock($this->Auth->user(), $event['Event']['id']);
}
if ($this->request->is('ajax')) {
$this->set('ajax', true);
@ -133,15 +132,13 @@ class AttributesController extends AppController
$this->request->data = array('Attribute' => $this->request->data);
}
if (isset($this->request->data['Attribute']['distribution']) && $this->request->data['Attribute']['distribution'] == 4) {
$sg = $this->Event->SharingGroup->fetchAllAuthorised($this->Auth->user(), 'name', 1, $this->request->data['Attribute']['sharing_group_id']);
if (empty($sg)) {
if (!$this->__canUseSharingGroup($this->request->data['Attribute']['sharing_group_id'])) {
throw new ForbiddenException(__('Invalid Sharing Group or not authorised.'));
}
}
//
// multiple attributes in batch import
//
$attributes = array();
if (!empty($this->request->data['Attribute']['batch_import']) || (!empty($this->request->data['Attribute']['value']) && is_array($this->request->data['Attribute']['value']))) {
$attributes = array();
if (is_array($this->request->data['Attribute']['value'])) {
@ -176,7 +173,7 @@ class AttributesController extends AppController
}
}
if (!empty($successes)) {
$this->Event->unpublishEvent($event['Event']['id']);
$this->Attribute->Event->unpublishEvent($event['Event']['id']);
}
if ($this->_isRest()) {
if (!empty($successes)) {
@ -395,6 +392,12 @@ class AttributesController extends AppController
}
if ($this->request->is('post')) {
if (isset($this->request->data['Attribute']['distribution']) && $this->request->data['Attribute']['distribution'] == 4) {
if (!$this->__canUseSharingGroup($this->request->data['Attribute']['sharing_group_id'])) {
throw new ForbiddenException(__('Invalid Sharing Group or not authorised.'));
}
}
$fails = array();
$success = 0;
@ -456,17 +459,17 @@ class AttributesController extends AppController
}
} else {
$attribute = array(
'Attribute' => array(
'value' => $filename,
'category' => $this->request->data['Attribute']['category'],
'type' => 'attachment',
'event_id' => $event['Event']['id'],
'data' => base64_encode($tmpfile->read()),
'comment' => $this->request->data['Attribute']['comment'],
'to_ids' => 0,
'distribution' => $this->request->data['Attribute']['distribution'],
'sharing_group_id' => isset($this->request->data['Attribute']['sharing_group_id']) ? $this->request->data['Attribute']['sharing_group_id'] : 0,
)
'Attribute' => array(
'value' => $filename,
'category' => $this->request->data['Attribute']['category'],
'type' => 'attachment',
'event_id' => $event['Event']['id'],
'data' => base64_encode($tmpfile->read()),
'comment' => $this->request->data['Attribute']['comment'],
'to_ids' => 0,
'distribution' => $this->request->data['Attribute']['distribution'],
'sharing_group_id' => isset($this->request->data['Attribute']['sharing_group_id']) ? $this->request->data['Attribute']['sharing_group_id'] : 0,
)
);
$this->Attribute->create();
$r = $this->Attribute->save($attribute);
@ -477,7 +480,7 @@ class AttributesController extends AppController
}
}
}
$message = __('The attachment(s) have been uploaded.');
$message = __n('The attachment have been uploaded.', 'The attachments have been uploaded.', $success);
if (!empty($fails)) {
$message = __('Some of the attachments failed to upload. The failed files were: %s - This can be caused by the attachments already existing in the event.', implode(', ', $fails));
}
@ -765,8 +768,7 @@ class AttributesController extends AppController
$this->request->data = array('Attribute' => $this->request->data);
}
if (isset($this->request->data['Attribute']['distribution']) && $this->request->data['Attribute']['distribution'] == 4) {
$sg = $this->Attribute->Event->SharingGroup->fetchAllAuthorised($this->Auth->user(), 'name', 1, $this->request->data['Attribute']['sharing_group_id']);
if (empty($sg)) {
if (!$this->__canUseSharingGroup($this->request->data['Attribute']['sharing_group_id'])) {
throw new ForbiddenException(__('Invalid Sharing Group or not authorised.'));
}
}
@ -1049,24 +1051,14 @@ class AttributesController extends AppController
public function delete($id, $hard = false)
{
if (Validation::uuid($id)) {
$this->Attribute->recursive = -1;
$temp = $this->Attribute->findByUuid($id);
if ($temp == null) {
throw new NotFoundException('Invalid attribute');
}
$id = $temp['Attribute']['id'];
} elseif (!is_numeric($id)) {
throw new NotFoundException('Invalid attribute');
}
if (isset($this->params['named']['hard'])) {
$hard = $this->params['named']['hard'];
}
if (isset($this->request->data['hard'])) {
$hard = $this->request->data['hard'];
}
$this->set('id', $id);
$conditions = array('id' => $id);
$conditions = $this->__idToConditions($id);
if (!$hard) {
$conditions['deleted'] = 0;
}
@ -1078,9 +1070,10 @@ class AttributesController extends AppController
if (empty($attribute)) {
throw new NotFoundException('Invalid attribute');
}
$this->set('id', $attribute['Attribute']['id']);
if ($this->request->is('ajax')) {
if ($this->request->is('post')) {
if ($this->Attribute->deleteAttribute($id, $this->Auth->user(), $hard)) {
if ($this->Attribute->deleteAttribute($attribute['Attribute']['id'], $this->Auth->user(), $hard)) {
return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Attribute deleted.')), 'status'=>200, 'type' => 'json'));
} else {
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Attribute was not deleted.')), 'status'=>200, 'type' => 'json'));
@ -1094,7 +1087,7 @@ class AttributesController extends AppController
if (!$this->request->is('post') && !$this->request->is('delete')) {
throw new MethodNotAllowedException(__('This function is only accessible via POST requests.'));
}
if ($this->Attribute->deleteAttribute($id, $this->Auth->user(), $hard)) {
if ($this->Attribute->deleteAttribute($attribute['Attribute']['id'], $this->Auth->user(), $hard)) {
if ($this->_isRest() || $this->response->type() === 'application/json') {
$this->set('message', 'Attribute deleted.');
$this->set('_serialize', array('message'));
@ -1114,7 +1107,6 @@ class AttributesController extends AppController
}
}
public function restore($id = null)
{
$attribute = $this->Attribute->find('first', array(
@ -1197,6 +1189,9 @@ class AttributesController extends AppController
'recursive' => -1,
'fields' => array('id', 'orgc_id', 'user_id')
));
if (!$event) {
throw new NotFoundException(__('Invalid event'));
}
if (!$this->__canModifyEvent($event)) {
throw new ForbiddenException(__('You do not have permission to do that.'));
}
@ -1440,8 +1435,7 @@ class AttributesController extends AppController
}
if ($this->request->data['Attribute']['distribution'] == 4) {
$sharingGroupId = $this->request->data['Attribute']['sharing_group_id'];
$sg = $this->Attribute->SharingGroup->fetchAllAuthorised($this->Auth->user(), 'name', true, $sharingGroupId);
if (empty($sg)) {
if (!$this->__canUseSharingGroup($sharingGroupId)) {
throw new ForbiddenException(__('Invalid Sharing Group or not authorised.'));
}
@ -3018,6 +3012,10 @@ class AttributesController extends AppController
return $info;
}
/**
* @param int|string $id Attribute ID or UUID
* @return array
*/
private function __fetchAttribute($id)
{
$options = array(
@ -3039,6 +3037,10 @@ class AttributesController extends AppController
}
}
/**
* @param int|string $id Attribute ID or UUID
* @return array
*/
private function __idToConditions($id)
{
if (is_numeric($id)) {
@ -3050,4 +3052,14 @@ class AttributesController extends AppController
}
return $conditions;
}
/**
* @param int $sharingGroupId
* @return bool
*/
private function __canUseSharingGroup($sharingGroupId)
{
$sg = $this->Attribute->Event->SharingGroup->fetchAllAuthorised($this->Auth->user(), 'name', true, $sharingGroupId);
return !empty($sg);
}
}

3
app/Model/Attribute.php
View File

@ -8,6 +8,9 @@ App::uses('RandomTool', 'Tools');
App::uses('MalwareTool', 'Tools');
App::uses('TmpFileTool', 'Tools');
/**
* @property Event $Event
*/
class Attribute extends AppModel
{
public $combinedKeys = array('event_id', 'category', 'type');