sanitize everything displayed from the db. (and some small coding standard whitespaces)pull/63/head
parent
26518fd813
commit
52a7625a9d
@ -101,7 +101,7 @@ class AppController extends Controller {
|
|||
}
|
||||
|
||||
// These variables are required for every view
|
||||
$this->set('me', $this->Auth->user());
|
||||
$this->set('me', Sanitize::clean($this->Auth->user()));
|
||||
$this->set('isAdmin', $this->_isAdmin());
|
||||
|
||||
// TODO ACL: 5: from Controller to Views
|
||||
|
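Review bot: `Sanitize::clean()` is applied here at the point the user record is read, which bakes HTML-entity encoding into the data before any template sees it; CakePHP's `h()` and FormHelper already escape at output, so anything rendered through them is double-encoded, and anything rendered as non-HTML (text email, exports, headers) is encoded in the wrong context. The robust pattern is to keep `$this->set('me', $this->Auth->user());` unchanged and escape per context in the view. As far as I recall CakePHP 2's `Sanitize::clean()` defaults, it also runs its `escape` step through the default database connection and rewrites backslashes, so it does more than HTML escaping and ties every render to a DB handle. The `App::uses('Sanitize', 'Utility');` registration the class needs is not visible in this hunk and the other controllers in this commit do not add one, so it presumably lives at the top of AppController — worth confirming, since a missing registration is a fatal error at first use.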
|
|
@ -96,7 +96,7 @@ class AttributesController extends AppController {
|
|||
*/
|
||||
public function index() {
|
||||
$this->Attribute->recursive = 0;
|
||||
$this->set('attributes', $this->paginate());
|
||||
$this->set('attributes', Sanitize::clean($this->paginate()));
|
||||
|
||||
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
|
||||
$this->set('typeDefinitions', $this->Attribute->typeDefinitions);
|
||||
|
@ -224,11 +224,11 @@ class AttributesController extends AppController {
|
|||
$file = new File(APP . DS . "files" . DS . $this->Attribute->data['Attribute']['event_id'] . DS . $this->Attribute->data['Attribute']['id']);
|
||||
$filename = '';
|
||||
if ('attachment' == $this->Attribute->data['Attribute']['type']) {
|
||||
$filename = $this->Attribute->data['Attribute']['value'];
|
||||
$filename = Sanitize::clean($this->Attribute->data['Attribute']['value']);
|
||||
$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
|
||||
$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
|
||||
} elseif ('malware-sample' == $this->Attribute->data['Attribute']['type']) {
|
||||
$filenameHash = explode('|', $this->Attribute->data['Attribute']['value']);
|
||||
$filenameHash = explode('|', Sanitize::clean($this->Attribute->data['Attribute']['value']));
|
||||
$filename = $filenameHash[0];
|
||||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
||||
$fileExt = "zip";
|
||||
|
@ -446,17 +446,17 @@ class AttributesController extends AppController {
|
|||
if (!CakeSession::read('Message.flash')) {
|
||||
$this->Session->setFlash(__('The attribute could not be saved. Please, try again.'));
|
||||
} else {
|
||||
$this->request->data = $this->Attribute->read(null, $id);
|
||||
$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$this->request->data = $this->Attribute->read(null, $id);
|
||||
$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));
|
||||
}
|
||||
// needed for RBAC
|
||||
$this->set('attribute', $this->request->data);
|
||||
$this->set('attribute', Sanitize::clean($this->request->data));
|
||||
|
||||
// combobox for types
|
||||
$types = $types = array_keys($this->Attribute->typeDefinitions);
|
||||
$types = array_keys($this->Attribute->typeDefinitions);
|
||||
$types = $this->_arrayToValuesIndexArray($types);
|
||||
$this->set('types', $types);
|
||||
// combobox for categories
|
||||
|
@ -594,7 +594,7 @@ class AttributesController extends AppController {
|
|||
}
|
||||
}
|
||||
|
||||
$this->set('attributes', $this->paginate());
|
||||
$this->set('attributes', Sanitize::clean($this->paginate()));
|
||||
|
||||
// and store into session
|
||||
$this->Session->write('paginate_conditions',$this->paginate);
|
||||
|
@ -624,7 +624,7 @@ class AttributesController extends AppController {
|
|||
$this->Attribute->recursive = 0;
|
||||
// re-get pagination
|
||||
$this->paginate = $this->Session->read('paginate_conditions');
|
||||
$this->set('attributes', $this->paginate());
|
||||
$this->set('attributes', Sanitize::clean($this->paginate()));
|
||||
|
||||
// set the same view as the index page
|
||||
$this->render('index');
|
||||
|
@ -656,11 +656,11 @@ class AttributesController extends AppController {
|
|||
'limit' => 60,
|
||||
'conditions' => $conditions
|
||||
);
|
||||
$this->set('attributes', $this->paginate());
|
||||
$this->set('attributes', Sanitize::clean($this->paginate()));
|
||||
|
||||
// the parent event..
|
||||
$event = ClassRegistry::init('Event')->findById($attributeId);
|
||||
$this->set('event', $event);
|
||||
$this->set('event', Sanitize::clean($event));
|
||||
$this->loadModel('Event');
|
||||
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
|
||||
|
||||
|
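Review bot: In the hunk at -446, the non-POST path cleans `$this->request->data` twice — once at `$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));` and again at `$this->set('attribute', Sanitize::clean($this->request->data));` — so an attribute value containing `&`, `<` or a quote reaches the view as `&amp;amp;`-style double entities; the second call should read `$this->set('attribute', $this->request->data);`. That same cleaned `$this->request->data` also pre-fills the edit form, where FormHelper escapes values once more by default and, on submit, the entity-encoded text is what gets posted and saved back, so each edit round-trip mutates the stored attribute; the edit actions of Events, Groups, Regex, Servers, Users and Whitelists in this commit share that pattern. In the hunk at -224, `$filename = Sanitize::clean(...)` and `explode('|', Sanitize::clean(...))` treat the value as data rather than output: the result feeds `pathinfo()`, `strrpos(..., '\\')` and `substr()`, and Sanitize's backslash handling can move where that split lands, while the encoding belongs where `$filename` is emitted (download header or view), which is outside the hunk. Pre-existing but on the same lines, `substr($filenameHash[0], strrpos($filenameHash[0], '\\'))` keeps the backslash itself in the derived name; `strrpos(...) + 1` when a backslash is present is the intended cut, with a guard for the `false` case.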
|
|
@ -116,7 +116,7 @@ class EventsController extends AppController {
|
|||
public function index() {
|
||||
// list the events
|
||||
$this->Event->recursive = 0;
|
||||
$this->set('events', $this->paginate());
|
||||
$this->set('events', Sanitize::clean($this->paginate()));
|
||||
|
||||
if (!$this->Auth->user('gpgkey')) {
|
||||
$this->Session->setFlash(__('No GPG key set in your profile. To receive emails, submit your public key in your profile.'));
|
||||
|
@ -285,7 +285,7 @@ class EventsController extends AppController {
|
|||
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
|
||||
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
|
||||
|
||||
$this->set('event', $this->Event->data);
|
||||
$this->set('event', Sanitize::clean($this->Event->data));
|
||||
$this->set('relatedEvents', $relatedEvents);
|
||||
|
||||
$this->set('categories', $this->Attribute->validate['category']['rule'][1]);
|
||||
|
@ -498,7 +498,7 @@ class EventsController extends AppController {
|
|||
if ($this->Event->saveAssociated($this->request->data, array('validate' => true, 'fieldList' => $fieldList))) {
|
||||
$message = 'Saved';
|
||||
|
||||
$this->set('event', $this->Event);
|
||||
$this->set('event', Sanitize::clean($this->Event));
|
||||
|
||||
// REST users want to see the newly created event
|
||||
$this->view($this->Event->getId());
|
||||
|
@ -519,7 +519,7 @@ class EventsController extends AppController {
|
|||
if ($this->_isAdmin()) {
|
||||
// set the same org as existed before
|
||||
$this->Event->read();
|
||||
$this->request->data['Event']['org'] = $this->Event->data['Event']['org'];
|
||||
$this->request->data['Event']['org'] = Sanitize::clean($this->Event->data['Event']['org']);
|
||||
}
|
||||
// we probably also want to remove the published flag
|
||||
$this->request->data['Event']['published'] = 0;
|
||||
|
@ -535,7 +535,7 @@ class EventsController extends AppController {
|
|||
$this->Session->setFlash(__('The event could not be saved. Please, try again.'));
|
||||
}
|
||||
} else {
|
||||
$this->request->data = $this->Event->read(null, $id);
|
||||
$this->request->data = Sanitize::clean($this->Event->read(null, $id));
|
||||
}
|
||||
|
||||
// combobox for distribution
|
||||
|
@ -824,11 +824,11 @@ class EventsController extends AppController {
|
|||
// prepare the the unencrypted email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
//$this->Email->to = "CyDefSIG <sig@cyber-defence.be>"; TODO check if it doesn't break things to not set a to , like being spammed away
|
||||
$this->Email->bcc = $alertEmails;
|
||||
$this->Email->bcc = Sanitize::clean($alertEmails);
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
|
||||
$this->Email->template = 'body';
|
||||
$this->Email->sendAs = 'text'; // both text or html
|
||||
$this->set('body', $bodySigned);
|
||||
$this->set('body', Sanitize::clean($bodySigned));
|
||||
// send it
|
||||
$this->Email->send();
|
||||
// If you wish to send multiple emails using a loop, you'll need
|
||||
|
@ -849,7 +849,7 @@ class EventsController extends AppController {
|
|||
foreach ($alertUsers as &$user) {
|
||||
// send the email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
$this->Email->to = $user['User']['email'];
|
||||
$this->Email->to = Sanitize::clean($user['User']['email']);
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
|
||||
$this->Email->template = 'body';
|
||||
$this->Email->sendAs = 'text'; // both text or html
|
||||
|
@ -865,7 +865,7 @@ class EventsController extends AppController {
|
|||
|
||||
$bodyEncSig = $gpg->encrypt($bodySigned, true);
|
||||
|
||||
$this->set('body', $bodyEncSig);
|
||||
$this->set('body', Sanitize::clean($bodyEncSig));
|
||||
$this->Email->send();
|
||||
} catch (Exception $e){
|
||||
// catch errors like expired PGP keys
|
||||
|
@ -912,7 +912,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
// User didn't see the contact form yet. Present it to him.
|
||||
if (empty($this->data)) {
|
||||
$this->data = $this->Event->read(null, $id);
|
||||
$this->data = Sanitize::clean($this->Event->read(null, $id));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1030,12 +1030,12 @@ class EventsController extends AppController {
|
|||
|
||||
// prepare the email
|
||||
$this->Email->from = Configure::read('CyDefSIG.email');
|
||||
$this->Email->to = $reporter['User']['email'];
|
||||
$this->Email->to = Sanitize::clean($reporter['User']['email']);
|
||||
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Need info about event " . $id . " - TLP Amber";
|
||||
//$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
|
||||
$this->Email->template = 'body';
|
||||
$this->Email->sendAs = 'text'; // both text or html
|
||||
$this->set('body', $bodyEncSig);
|
||||
$this->set('body', Sanitize::clean($bodyEncSig));
|
||||
// Add the GPG key of the user as attachment
|
||||
// LATER sign the attached GPG key
|
||||
if (!empty($meUser['gpgkey'])) {
|
||||
|
@ -1099,7 +1099,7 @@ class EventsController extends AppController {
|
|||
);
|
||||
$results = $this->Event->find('all', $params);
|
||||
|
||||
$this->set('results', $results);
|
||||
$this->set('results', Sanitize::clean($results));
|
||||
}
|
||||
|
||||
public function nids($key) {
|
||||
|
@ -1134,7 +1134,7 @@ class EventsController extends AppController {
|
|||
print $rule . "\n";
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', $rules);
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
}
|
||||
|
||||
public function hids_md5($key) {
|
||||
|
@ -1170,7 +1170,7 @@ class EventsController extends AppController {
|
|||
print $rule . "\n";
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', $rules);
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
} else {
|
||||
print "Not any MD5 found to export\n";
|
||||
}
|
||||
|
@ -1211,7 +1211,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
print "#</pre>\n";
|
||||
|
||||
$this->set('rules', $rules);
|
||||
$this->set('rules', Sanitize::clean($rules));
|
||||
} else {
|
||||
print "Not any SHA-1 found to export\n";
|
||||
}
|
||||
|
@ -1241,7 +1241,7 @@ class EventsController extends AppController {
|
|||
);
|
||||
$attributes = $this->Attribute->find('all', $params);
|
||||
|
||||
$this->set('attributes', $attributes);
|
||||
$this->set('attributes', Sanitize::clean($attributes));
|
||||
}
|
||||
|
||||
//public function dot($key) {
|
||||
|
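Review bot: In the hunks at -824 and -865, `$this->set('body', Sanitize::clean($bodySigned));` and `$this->set('body', Sanitize::clean($bodyEncSig));` HTML-entity-encode a body that is sent as plain text (`$this->Email->sendAs = 'text'`) and that has just been GPG-signed, or encrypted via `$gpg->encrypt($bodySigned, true)`; any `'`, `"`, `<`, `>` or `&` in the clear-signed text is rewritten after signing, so the signature no longer verifies for recipients, and the ASCII-armored ciphertext only escapes damage because base64 contains none of those characters. These lines (and the one in the hunk at -1030) should pass the body through unchanged: `$this->set('body', $bodySigned);`. The recipient fields `$this->Email->to = Sanitize::clean(...)` and `$this->Email->bcc = Sanitize::clean(...)` have the same context problem — the relevant check for an address going into a mail header is rejecting CR/LF and validating the address, not entity encoding. In the hunk at -519, `$this->request->data['Event']['org'] = Sanitize::clean($this->Event->data['Event']['org']);` writes an encoded org back into the record on save, so an org name containing a quote or `&` drifts from the value other code compares against (`'Server.org' => $this->Auth->user('org')` in ServersController in this same commit); the org should be copied verbatim. Likewise the NIDS/HIDS export hunks (-1134, -1170, -1211) encode signatures whose syntax depends on literal `"` and `;` while the preceding `print $rule . "\n";` emits them raw, so if that view is a text export the cleaned `$rules` are not usable as rules.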
|
|
@ -43,7 +43,7 @@ class GroupsController extends AppController {
|
|||
if (!$this->Group->exists()) {
|
||||
throw new NotFoundException(__('Invalid role'));
|
||||
}
|
||||
$this->set('group', $this->Group->read(null, $id));
|
||||
$this->set('group', Sanitize::clean($this->Group->read(null, $id)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -53,7 +53,7 @@ class GroupsController extends AppController {
|
|||
*/
|
||||
public function admin_index() {
|
||||
$this->Group->recursive = 0;
|
||||
$this->set('groups', $this->paginate());
|
||||
$this->set('groups', Sanitize::clean($this->paginate()));
|
||||
$this->set('options', $this->options);
|
||||
}
|
||||
|
||||
|
@ -68,7 +68,7 @@ class GroupsController extends AppController {
|
|||
if (!$this->Group->exists()) {
|
||||
throw new NotFoundException(__('Invalid role'));
|
||||
}
|
||||
$this->set('group', $this->Group->read(null, $id));
|
||||
$this->set('group', Sanitize::clean($this->Group->read(null, $id)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -115,7 +115,7 @@ class GroupsController extends AppController {
|
|||
} else {
|
||||
$this->Group->recursive=0;
|
||||
$this->Group->read(null, $id);
|
||||
$this->request->data = $this->Group->data;
|
||||
$this->request->data = Sanitize::clean($this->Group->data);
|
||||
}
|
||||
$this->set('options', $this->options);
|
||||
}
|
||||
|
|
|
@ -42,7 +42,7 @@ class LogsController extends AppController {
|
|||
*/
|
||||
public function admin_index() {
|
||||
$this->Log->recursive = 0;
|
||||
$this->set('logs', $this->paginate());
|
||||
$this->set('logs', Sanitize::clean($this->paginate()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -56,7 +56,7 @@ class LogsController extends AppController {
|
|||
if (!$this->Log->exists()) {
|
||||
throw new NotFoundException(__('Invalid log'));
|
||||
}
|
||||
$this->set('log', $this->Log->read(null, $id));
|
||||
$this->set('log', Sanitize::clean($this->Log->read(null, $id)));
|
||||
}
|
||||
|
||||
public function search() {
|
||||
|
@ -103,7 +103,7 @@ class LogsController extends AppController {
|
|||
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
|
||||
'conditions' => $conditions
|
||||
);
|
||||
$this->set('logs', $this->paginate());
|
||||
$this->set('logs', Sanitize::clean($this->paginate()));
|
||||
|
||||
// and store into session
|
||||
$this->Session->write('paginate_conditions_log', $this->paginate);
|
||||
|
@ -124,7 +124,7 @@ class LogsController extends AppController {
|
|||
$this->Log->recursive = 0;
|
||||
// re-get pagination
|
||||
$this->paginate = $this->Session->read('paginate_conditions_log');
|
||||
$this->set('logs', $this->paginate());
|
||||
$this->set('logs', Sanitize::clean($this->paginate()));
|
||||
|
||||
// set the same view as the index page
|
||||
$this->render('admin_index');
|
||||
|
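Review bot: Style: `$this->set('logs', Sanitize::clean($this->paginate()));` is now repeated in three actions of this controller and, across the commit, in every paginated index, which makes it easy for the next action to miss the call. If cleaning stays in the controller layer, one place to do it is a small helper in AppController, e.g. `protected function _setClean($name, $value) { $this->set($name, Sanitize::clean($value)); }`, or cleaning the view vars once in `beforeRender()`, so the call sites read `$this->_setClean('logs', $this->paginate());`. For an audit log specifically, if the rows carry recorded before/after text, keep in mind that, as far as I recall, Sanitize's default `escape` and backslash steps rewrite backslashes, so the admin sees a transformed version of what was logged; rendering the raw value through `h()` in the view avoids that.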
|
|
@ -42,7 +42,7 @@ class RegexController extends AppController {
|
|||
*/
|
||||
public function admin_index() {
|
||||
$this->Regex->recursive = 0;
|
||||
$this->set('regexs', $this->paginate());
|
||||
$this->set('regexs', Sanitize::clean($this->paginate()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -82,7 +82,7 @@ class RegexController extends AppController {
|
|||
$this->Session->setFlash(__('The regex could not be saved. Please, try again.'));
|
||||
}
|
||||
} else {
|
||||
$this->request->data = $this->Regex->read(null, $id);
|
||||
$this->request->data = Sanitize::clean($this->Regex->read(null, $id));
|
||||
}
|
||||
}
|
||||
|
||||
|
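Review bot: In the hunk at -82, `$this->request->data = Sanitize::clean($this->Regex->read(null, $id));` feeds the edit form, and regex patterns are exactly the data most affected by `Sanitize::clean()`: as far as I recall its defaults, quotes and `&` become entities and backslashes are rewritten, so a stored `\d+` can be shown as `\\d+`, FormHelper escapes it again, and if the admin saves the form without touching the field the stored pattern changes meaning. Pre-fill with the raw record, `$this->request->data = $this->Regex->read(null, $id);`, and escape in the view. The index line `$this->set('regexs', Sanitize::clean($this->paginate()));` has the same double-escaping against `h()` but at least does not corrupt stored data.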
|
|
@ -61,7 +61,7 @@ class ServersController extends AppController {
|
|||
$this->paginate = array(
|
||||
'conditions' => array('Server.org' => $this->Auth->user('org')),
|
||||
);
|
||||
$this->set('servers', $this->paginate());
|
||||
$this->set('servers', Sanitize::clean($this->paginate()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -113,7 +113,7 @@ class ServersController extends AppController {
|
|||
} else {
|
||||
$this->Server->read(null, $id);
|
||||
$this->Server->set('authkey', '');
|
||||
$this->request->data = $this->Server->data;
|
||||
$this->request->data = Sanitize::clean($this->Server->data);
|
||||
}
|
||||
}
|
||||
|
||||
|
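Review bot: In the hunk at -113, `$this->request->data = Sanitize::clean($this->Server->data);` pre-fills the server edit form, so any field containing `&` or a quote (a URL with a query string, an org name) is entity-encoded, escaped again by FormHelper, and saved back encoded on submit. The index hunk at -61 shows why encoded orgs matter: `'Server.org' => $this->Auth->user('org')` is an exact-match condition, and an org value that was stored through `Sanitize::clean()` elsewhere in this commit would stop matching the session's raw org. Keep the key blanking, `$this->Server->set('authkey', '');`, and revert the pre-fill to `$this->request->data = $this->Server->data;`, escaping in the view instead.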
|
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
App::uses('AppController', 'Controller');
|
||||
|
||||
/**
|
||||
* Users Controller
|
||||
*
|
||||
|
@ -57,7 +58,7 @@ class UsersController extends AppController {
|
|||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
// Only own profile verified by isAuthorized
|
||||
$this->set('user', $this->User->read(null, $id));
|
||||
$this->set('user', Sanitize::clean($this->User->read(null, $id)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -91,10 +92,10 @@ class UsersController extends AppController {
|
|||
$this->User->recursive = 0;
|
||||
$this->User->read(null, $id);
|
||||
$this->User->set('password', '');
|
||||
$this->request->data = $this->User->data;
|
||||
$this->request->data = Sanitize::clean($this->User->data);
|
||||
}
|
||||
// XXX ACL groups
|
||||
$groups = $this->User->Group->find('list');
|
||||
$groups = Sanitize::clean($this->User->Group->find('list'));
|
||||
$this->set(compact('groups'));
|
||||
}
|
||||
|
||||
|
@ -134,7 +135,7 @@ class UsersController extends AppController {
|
|||
*/
|
||||
public function admin_index() {
|
||||
$this->User->recursive = 0;
|
||||
$this->set('users', $this->paginate());
|
||||
$this->set('users', Sanitize::clean($this->paginate()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -149,7 +150,7 @@ class UsersController extends AppController {
|
|||
if (!$this->User->exists()) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
$this->set('user', $this->User->read(null, $id));
|
||||
$this->set('user', Sanitize::clean($this->User->read(null, $id)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -176,7 +177,7 @@ class UsersController extends AppController {
|
|||
$this->set('authkey', $this->newkey);
|
||||
}
|
||||
// XXX ACL groups
|
||||
$groups = $this->User->Group->find('list');
|
||||
$groups = Sanitize::clean($this->User->Group->find('list'));
|
||||
$this->set(compact('groups'));
|
||||
}
|
||||
|
||||
|
@ -249,7 +250,7 @@ class UsersController extends AppController {
|
|||
$this->User->recursive = 0;
|
||||
$this->User->read(null, $id);
|
||||
$this->User->set('password', '');
|
||||
$this->request->data = $this->User->data;
|
||||
$this->request->data = Sanitize::clean($this->User->data);
|
||||
|
||||
}
|
||||
// TODO ACL CLEANUP combobox for orgs
|
||||
|
@ -257,7 +258,7 @@ class UsersController extends AppController {
|
|||
$orgIds = $this->_arrayToValuesIndexArray($orgIds);
|
||||
$this->set('orgIds', compact('orgIds'));
|
||||
// XXX ACL, Groups in Users
|
||||
$groups = $this->User->Group->find('list');
|
||||
$groups = Sanitize::clean($this->User->Group->find('list'));
|
||||
$this->set(compact('groups'));
|
||||
}
|
||||
|
||||
|
@ -362,7 +363,7 @@ class UsersController extends AppController {
|
|||
'order' => array('User.org'),
|
||||
);
|
||||
$orgs = $this->User->find('all', $params);
|
||||
$this->set('orgs', $orgs);
|
||||
$this->set('orgs', Sanitize::clean($orgs));
|
||||
|
||||
// What org posted what type of attribute
|
||||
$this->loadModel('Attribute');
|
||||
|
@ -372,7 +373,7 @@ class UsersController extends AppController {
|
|||
'group' => array('Attribute.type', 'Event.org'),
|
||||
'order' => array('Event.org', 'num_types DESC'),
|
||||
);
|
||||
$typesHistogram = $this->Attribute->find('all', $params);
|
||||
$typesHistogram = Sanitize::clean($this->Attribute->find('all', $params));
|
||||
$this->set('typesHistogram', $typesHistogram);
|
||||
|
||||
// Nice graphical histogram
|
||||
|
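Review bot: In the hunks at -91, -176 and -257, `$groups = Sanitize::clean($this->User->Group->find('list'));` encodes the option labels that `compact('groups')` hands to a select input, and FormHelper's `select()` escapes option text by default, so a group name with `&` renders as `&amp;amp;`; the list should stay `$groups = $this->User->Group->find('list');`. The first hunk (`@ -1,5 +1,6`) adds one line that the rendered view does not make identifiable — if it is `App::uses('Sanitize', 'Utility');`, note that every other controller in this commit calls `Sanitize::clean()` without adding that registration, so presumably AppController already has it; worth confirming rather than relying on this file having been loaded first. The password blanking before the pre-fill, `$this->User->set('password', '');`, is the right idea and unaffected by the change, but the cleaned `$this->request->data` on the following line has the same edit-form round-trip issue as the other controllers: encoded on read, escaped again by FormHelper, and written back encoded on save.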
|
|
@ -33,7 +33,7 @@ class WhitelistsController extends AppController {
|
|||
*/
|
||||
public function admin_index() {
|
||||
$this->Whitelist->recursive = 0;
|
||||
$this->set('whitelists', $this->paginate());
|
||||
$this->set('whitelists', Sanitize::clean($this->paginate()));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -48,7 +48,7 @@ class WhitelistsController extends AppController {
|
|||
if (!$this->Whitelist->exists()) {
|
||||
throw new NotFoundException(__('Invalid whitelist'));
|
||||
}
|
||||
$this->set('whitelist', $this->Whitelist->read(null, $id));
|
||||
$this->set('whitelist', Sanitize::clean($this->Whitelist->read(null, $id)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -88,7 +88,7 @@ class WhitelistsController extends AppController {
|
|||
$this->Session->setFlash(__('The whitelist could not be saved. Please, try again.'));
|
||||
}
|
||||
} else {
|
||||
$this->request->data = $this->Whitelist->read(null, $id);
|
||||
$this->request->data = Sanitize::clean($this->Whitelist->read(null, $id));
|
||||
}
|
||||
}
|
||||
|
||||
|
|