Source Code Review

sanitize everything displayed from the db.
(and some small coding standard whitespaces)
pull/63/head
noud 2012-12-12 14:01:00 +01:00
parent 26518fd813
commit 52a7625a9d
9 changed files with 66 additions and 65 deletions


@ -101,7 +101,7 @@ class AppController extends Controller {
}
// These variables are required for every view
$this->set('me', $this->Auth->user());
$this->set('me', Sanitize::clean($this->Auth->user()));
$this->set('isAdmin', $this->_isAdmin());
// TODO ACL: 5: from Controller to Views
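Review bot: `$this->set('me', Sanitize::clean($this->Auth->user()));` escapes at the wrong layer: with its default options `Sanitize::clean()` HTML-encodes every value (and, if I recall CakePHP 2.x correctly, also applies SQL-style escaping and backslash doubling), so any view logic that compares `$me['org']` or `$me['id']` against raw model data, rather than echoing it, now sees transformed strings. Output encoding is context dependent and belongs at the point of output, i.e. `h($me['email'])` in the view or the FormHelper's own escaping, not on the controller's data. The same concern applies to every `$this->set(..., Sanitize::clean(...))` in this commit (AttributesController, EventsController, GroupsController, LogsController, RegexController, ServersController, UsersController, WhitelistsController); the safer route is to keep the assignments as they were and audit the views for missing `h()` calls. The enclosing method continues outside the hunk.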


@ -96,7 +96,7 @@ class AttributesController extends AppController {
*/
public function index() {
$this->Attribute->recursive = 0;
$this->set('attributes', $this->paginate());
$this->set('attributes', Sanitize::clean($this->paginate()));
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
$this->set('typeDefinitions', $this->Attribute->typeDefinitions);
@ -224,11 +224,11 @@ class AttributesController extends AppController {
$file = new File(APP . DS . "files" . DS . $this->Attribute->data['Attribute']['event_id'] . DS . $this->Attribute->data['Attribute']['id']);
$filename = '';
if ('attachment' == $this->Attribute->data['Attribute']['type']) {
$filename = $this->Attribute->data['Attribute']['value'];
$filename = Sanitize::clean($this->Attribute->data['Attribute']['value']);
$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
} elseif ('malware-sample' == $this->Attribute->data['Attribute']['type']) {
$filenameHash = explode('|', $this->Attribute->data['Attribute']['value']);
$filenameHash = explode('|', Sanitize::clean($this->Attribute->data['Attribute']['value']));
$filename = $filenameHash[0];
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
$fileExt = "zip";
@ -446,17 +446,17 @@ class AttributesController extends AppController {
if (!CakeSession::read('Message.flash')) {
$this->Session->setFlash(__('The attribute could not be saved. Please, try again.'));
} else {
$this->request->data = $this->Attribute->read(null, $id);
$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));
}
}
} else {
$this->request->data = $this->Attribute->read(null, $id);
$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));
}
// needed for RBAC
$this->set('attribute', $this->request->data);
$this->set('attribute', Sanitize::clean($this->request->data));
// combobox for types
$types = $types = array_keys($this->Attribute->typeDefinitions);
$types = array_keys($this->Attribute->typeDefinitions);
$types = $this->_arrayToValuesIndexArray($types);
$this->set('types', $types);
// combobox for categories
@ -594,7 +594,7 @@ class AttributesController extends AppController {
}
}
$this->set('attributes', $this->paginate());
$this->set('attributes', Sanitize::clean($this->paginate()));
// and store into session
$this->Session->write('paginate_conditions',$this->paginate);
@ -624,7 +624,7 @@ class AttributesController extends AppController {
$this->Attribute->recursive = 0;
// re-get pagination
$this->paginate = $this->Session->read('paginate_conditions');
$this->set('attributes', $this->paginate());
$this->set('attributes', Sanitize::clean($this->paginate()));
// set the same view as the index page
$this->render('index');
@ -656,11 +656,11 @@ class AttributesController extends AppController {
'limit' => 60,
'conditions' => $conditions
);
$this->set('attributes', $this->paginate());
$this->set('attributes', Sanitize::clean($this->paginate()));
// the parent event..
$event = ClassRegistry::init('Event')->findById($attributeId);
$this->set('event', $event);
$this->set('event', Sanitize::clean($event));
$this->loadModel('Event');
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
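Review bot: `$this->request->data = Sanitize::clean($this->Attribute->read(null, $id));` (both occurrences, plus the re-clean on `$this->set('attribute', Sanitize::clean($this->request->data));`) feeds already-encoded data into the edit form, and the FormHelper escapes field values again on output, so the form shows double-encoded text and, if the user saves without retyping, the encoded/escaped value is written back, silently mutating stored attribute values (an `&` in an IoC becomes `&amp;`). Read into `$this->request->data` unmodified and let the view escape, i.e. keep `$this->request->data = $this->Attribute->read(null, $id);`. The same round trip applies where `read(null, $id)` or `->data` is assigned to request data in EventsController, GroupsController, RegexController, ServersController, UsersController and WhitelistsController. Likewise `$filename = Sanitize::clean(...)` in the download branch handles a filename rather than HTML output, so an attachment name containing `&` or quotes is mangled before `pathinfo()` sees it. The enclosing methods start outside the hunks.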


@ -116,7 +116,7 @@ class EventsController extends AppController {
public function index() {
// list the events
$this->Event->recursive = 0;
$this->set('events', $this->paginate());
$this->set('events', Sanitize::clean($this->paginate()));
if (!$this->Auth->user('gpgkey')) {
$this->Session->setFlash(__('No GPG key set in your profile. To receive emails, submit your public key in your profile.'));
@ -285,7 +285,7 @@ class EventsController extends AppController {
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
$this->set('attrDescriptions', $this->Attribute->fieldDescriptions);
$this->set('event', $this->Event->data);
$this->set('event', Sanitize::clean($this->Event->data));
$this->set('relatedEvents', $relatedEvents);
$this->set('categories', $this->Attribute->validate['category']['rule'][1]);
@ -498,7 +498,7 @@ class EventsController extends AppController {
if ($this->Event->saveAssociated($this->request->data, array('validate' => true, 'fieldList' => $fieldList))) {
$message = 'Saved';
$this->set('event', $this->Event);
$this->set('event', Sanitize::clean($this->Event));
// REST users want to see the newly created event
$this->view($this->Event->getId());
@ -519,7 +519,7 @@ class EventsController extends AppController {
if ($this->_isAdmin()) {
// set the same org as existed before
$this->Event->read();
$this->request->data['Event']['org'] = $this->Event->data['Event']['org'];
$this->request->data['Event']['org'] = Sanitize::clean($this->Event->data['Event']['org']);
}
// we probably also want to remove the published flag
$this->request->data['Event']['published'] = 0;
@ -535,7 +535,7 @@ class EventsController extends AppController {
$this->Session->setFlash(__('The event could not be saved. Please, try again.'));
}
} else {
$this->request->data = $this->Event->read(null, $id);
$this->request->data = Sanitize::clean($this->Event->read(null, $id));
}
// combobox for distribution
@ -824,11 +824,11 @@ class EventsController extends AppController {
// prepare the the unencrypted email
$this->Email->from = Configure::read('CyDefSIG.email');
//$this->Email->to = "CyDefSIG <sig@cyber-defence.be>"; TODO check if it doesn't break things to not set a to , like being spammed away
$this->Email->bcc = $alertEmails;
$this->Email->bcc = Sanitize::clean($alertEmails);
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
$this->Email->template = 'body';
$this->Email->sendAs = 'text'; // both text or html
$this->set('body', $bodySigned);
$this->set('body', Sanitize::clean($bodySigned));
// send it
$this->Email->send();
// If you wish to send multiple emails using a loop, you'll need
@ -849,7 +849,7 @@ class EventsController extends AppController {
foreach ($alertUsers as &$user) {
// send the email
$this->Email->from = Configure::read('CyDefSIG.email');
$this->Email->to = $user['User']['email'];
$this->Email->to = Sanitize::clean($user['User']['email']);
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Event " . $id . " - " . $event['Event']['risk'] . " - TLP Amber";
$this->Email->template = 'body';
$this->Email->sendAs = 'text'; // both text or html
@ -865,7 +865,7 @@ class EventsController extends AppController {
$bodyEncSig = $gpg->encrypt($bodySigned, true);
$this->set('body', $bodyEncSig);
$this->set('body', Sanitize::clean($bodyEncSig));
$this->Email->send();
} catch (Exception $e){
// catch errors like expired PGP keys
@ -912,7 +912,7 @@ class EventsController extends AppController {
}
// User didn't see the contact form yet. Present it to him.
if (empty($this->data)) {
$this->data = $this->Event->read(null, $id);
$this->data = Sanitize::clean($this->Event->read(null, $id));
}
}
@ -1030,12 +1030,12 @@ class EventsController extends AppController {
// prepare the email
$this->Email->from = Configure::read('CyDefSIG.email');
$this->Email->to = $reporter['User']['email'];
$this->Email->to = Sanitize::clean($reporter['User']['email']);
$this->Email->subject = "[" . Configure::read('CyDefSIG.name') . "] Need info about event " . $id . " - TLP Amber";
//$this->Email->delivery = 'debug'; // do not really send out mails, only display it on the screen
$this->Email->template = 'body';
$this->Email->sendAs = 'text'; // both text or html
$this->set('body', $bodyEncSig);
$this->set('body', Sanitize::clean($bodyEncSig));
// Add the GPG key of the user as attachment
// LATER sign the attached GPG key
if (!empty($meUser['gpgkey'])) {
@ -1099,7 +1099,7 @@ class EventsController extends AppController {
);
$results = $this->Event->find('all', $params);
$this->set('results', $results);
$this->set('results', Sanitize::clean($results));
}
public function nids($key) {
@ -1134,7 +1134,7 @@ class EventsController extends AppController {
print $rule . "\n";
print "#</pre>\n";
$this->set('rules', $rules);
$this->set('rules', Sanitize::clean($rules));
}
public function hids_md5($key) {
@ -1170,7 +1170,7 @@ class EventsController extends AppController {
print $rule . "\n";
print "#</pre>\n";
$this->set('rules', $rules);
$this->set('rules', Sanitize::clean($rules));
} else {
print "Not any MD5 found to export\n";
}
@ -1211,7 +1211,7 @@ class EventsController extends AppController {
}
print "#</pre>\n";
$this->set('rules', $rules);
$this->set('rules', Sanitize::clean($rules));
} else {
print "Not any SHA-1 found to export\n";
}
@ -1241,7 +1241,7 @@ class EventsController extends AppController {
);
$attributes = $this->Attribute->find('all', $params);
$this->set('attributes', $attributes);
$this->set('attributes', Sanitize::clean($attributes));
}
//public function dot($key) {
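Review bot: `$this->Email->bcc = Sanitize::clean($alertEmails);`, the two `$this->Email->to = Sanitize::clean(...)` lines and the three `$this->set('body', Sanitize::clean(...));` lines apply HTML-entity encoding to data that is never rendered as HTML: the mail is sent with `sendAs = 'text'`, and the body is a PGP clear-signed (`$bodySigned`) or encrypted (`$bodyEncSig`) message, so any `>`, `&` or quote in the signed text is rewritten and the recipient's signature verification fails, while an address of the form `Name <user@example.org>` becomes undeliverable. Leave the body exactly as the GPG step produced it and validate recipients instead, e.g. `Validation::email($user['User']['email'])` before assigning `to`/`bcc`. Separately, `$this->set('event', Sanitize::clean($this->Event));` passes the model object rather than `$this->Event->data`; `Sanitize::clean()` works on strings and arrays, so this is at best a no-op and likely emits a conversion warning (the old line passed the object too, but the wrap is new and `$this->view(...)` re-sets `event` anyway). The enclosing methods extend beyond the hunks.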


@ -43,7 +43,7 @@ class GroupsController extends AppController {
if (!$this->Group->exists()) {
throw new NotFoundException(__('Invalid role'));
}
$this->set('group', $this->Group->read(null, $id));
$this->set('group', Sanitize::clean($this->Group->read(null, $id)));
}
/**
@ -53,7 +53,7 @@ class GroupsController extends AppController {
*/
public function admin_index() {
$this->Group->recursive = 0;
$this->set('groups', $this->paginate());
$this->set('groups', Sanitize::clean($this->paginate()));
$this->set('options', $this->options);
}
@ -68,7 +68,7 @@ class GroupsController extends AppController {
if (!$this->Group->exists()) {
throw new NotFoundException(__('Invalid role'));
}
$this->set('group', $this->Group->read(null, $id));
$this->set('group', Sanitize::clean($this->Group->read(null, $id)));
}
/**
@ -115,7 +115,7 @@ class GroupsController extends AppController {
} else {
$this->Group->recursive=0;
$this->Group->read(null, $id);
$this->request->data = $this->Group->data;
$this->request->data = Sanitize::clean($this->Group->data);
}
$this->set('options', $this->options);
}


@ -42,7 +42,7 @@ class LogsController extends AppController {
*/
public function admin_index() {
$this->Log->recursive = 0;
$this->set('logs', $this->paginate());
$this->set('logs', Sanitize::clean($this->paginate()));
}
/**
@ -56,7 +56,7 @@ class LogsController extends AppController {
if (!$this->Log->exists()) {
throw new NotFoundException(__('Invalid log'));
}
$this->set('log', $this->Log->read(null, $id));
$this->set('log', Sanitize::clean($this->Log->read(null, $id)));
}
public function search() {
@ -103,7 +103,7 @@ class LogsController extends AppController {
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'conditions' => $conditions
);
$this->set('logs', $this->paginate());
$this->set('logs', Sanitize::clean($this->paginate()));
// and store into session
$this->Session->write('paginate_conditions_log', $this->paginate);
@ -124,7 +124,7 @@ class LogsController extends AppController {
$this->Log->recursive = 0;
// re-get pagination
$this->paginate = $this->Session->read('paginate_conditions_log');
$this->set('logs', $this->paginate());
$this->set('logs', Sanitize::clean($this->paginate()));
// set the same view as the index page
$this->render('admin_index');


@ -42,7 +42,7 @@ class RegexController extends AppController {
*/
public function admin_index() {
$this->Regex->recursive = 0;
$this->set('regexs', $this->paginate());
$this->set('regexs', Sanitize::clean($this->paginate()));
}
/**
@ -82,7 +82,7 @@ class RegexController extends AppController {
$this->Session->setFlash(__('The regex could not be saved. Please, try again.'));
}
} else {
$this->request->data = $this->Regex->read(null, $id);
$this->request->data = Sanitize::clean($this->Regex->read(null, $id));
}
}


@ -61,7 +61,7 @@ class ServersController extends AppController {
$this->paginate = array(
'conditions' => array('Server.org' => $this->Auth->user('org')),
);
$this->set('servers', $this->paginate());
$this->set('servers', Sanitize::clean($this->paginate()));
}
/**
@ -113,7 +113,7 @@ class ServersController extends AppController {
} else {
$this->Server->read(null, $id);
$this->Server->set('authkey', '');
$this->request->data = $this->Server->data;
$this->request->data = Sanitize::clean($this->Server->data);
}
}


@ -1,5 +1,6 @@
<?php
App::uses('AppController', 'Controller');
/**
* Users Controller
*
@ -57,7 +58,7 @@ class UsersController extends AppController {
throw new NotFoundException(__('Invalid user'));
}
// Only own profile verified by isAuthorized
$this->set('user', $this->User->read(null, $id));
$this->set('user', Sanitize::clean($this->User->read(null, $id)));
}
/**
@ -91,10 +92,10 @@ class UsersController extends AppController {
$this->User->recursive = 0;
$this->User->read(null, $id);
$this->User->set('password', '');
$this->request->data = $this->User->data;
$this->request->data = Sanitize::clean($this->User->data);
}
// XXX ACL groups
$groups = $this->User->Group->find('list');
$groups = Sanitize::clean($this->User->Group->find('list'));
$this->set(compact('groups'));
}
@ -134,7 +135,7 @@ class UsersController extends AppController {
*/
public function admin_index() {
$this->User->recursive = 0;
$this->set('users', $this->paginate());
$this->set('users', Sanitize::clean($this->paginate()));
}
/**
@ -149,7 +150,7 @@ class UsersController extends AppController {
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
$this->set('user', $this->User->read(null, $id));
$this->set('user', Sanitize::clean($this->User->read(null, $id)));
}
/**
@ -176,7 +177,7 @@ class UsersController extends AppController {
$this->set('authkey', $this->newkey);
}
// XXX ACL groups
$groups = $this->User->Group->find('list');
$groups = Sanitize::clean($this->User->Group->find('list'));
$this->set(compact('groups'));
}
@ -249,7 +250,7 @@ class UsersController extends AppController {
$this->User->recursive = 0;
$this->User->read(null, $id);
$this->User->set('password', '');
$this->request->data = $this->User->data;
$this->request->data = Sanitize::clean($this->User->data);
}
// TODO ACL CLEANUP combobox for orgs
@ -257,7 +258,7 @@ class UsersController extends AppController {
$orgIds = $this->_arrayToValuesIndexArray($orgIds);
$this->set('orgIds', compact('orgIds'));
// XXX ACL, Groups in Users
$groups = $this->User->Group->find('list');
$groups = Sanitize::clean($this->User->Group->find('list'));
$this->set(compact('groups'));
}
@ -362,7 +363,7 @@ class UsersController extends AppController {
'order' => array('User.org'),
);
$orgs = $this->User->find('all', $params);
$this->set('orgs', $orgs);
$this->set('orgs', Sanitize::clean($orgs));
// What org posted what type of attribute
$this->loadModel('Attribute');
@ -372,7 +373,7 @@ class UsersController extends AppController {
'group' => array('Attribute.type', 'Event.org'),
'order' => array('Event.org', 'num_types DESC'),
);
$typesHistogram = $this->Attribute->find('all', $params);
$typesHistogram = Sanitize::clean($this->Attribute->find('all', $params));
$this->set('typesHistogram', $typesHistogram);
// Nice graphical histogram
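Review bot: `$groups = Sanitize::clean($this->User->Group->find('list'));` (three occurrences) feeds HTML-encoded labels into `$this->set(compact('groups'))`, which presumably drives a FormHelper select; `FormHelper::select()` escapes option text by default, so a group name containing `&` or `<` renders double-encoded (`&amp;amp;`). Pass the list through unmodified and rely on the helper's escaping, i.e. `$groups = $this->User->Group->find('list');`. `$typesHistogram = Sanitize::clean($this->Attribute->find('all', $params));` likewise encodes data that appears to go to a chart rather than straight HTML output; confirm the histogram rendering does not escape a second time before keeping the wrap. The enclosing methods continue outside the hunks.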


@ -33,7 +33,7 @@ class WhitelistsController extends AppController {
*/
public function admin_index() {
$this->Whitelist->recursive = 0;
$this->set('whitelists', $this->paginate());
$this->set('whitelists', Sanitize::clean($this->paginate()));
}
/**
@ -48,7 +48,7 @@ class WhitelistsController extends AppController {
if (!$this->Whitelist->exists()) {
throw new NotFoundException(__('Invalid whitelist'));
}
$this->set('whitelist', $this->Whitelist->read(null, $id));
$this->set('whitelist', Sanitize::clean($this->Whitelist->read(null, $id)));
}
/**
@ -88,7 +88,7 @@ class WhitelistsController extends AppController {
$this->Session->setFlash(__('The whitelist could not be saved. Please, try again.'));
}
} else {
$this->request->data = $this->Whitelist->read(null, $id);
$this->request->data = Sanitize::clean($this->Whitelist->read(null, $id));
}
}