fix: [internal] Check if setting value is scalar

2020-12-04 09:23:12 +01:00 · 2020-12-04 09:23:12 +01:00 · 5bc7037c45
parent 8a045673c7
commit 5bc7037c45
2 changed files with 13 additions and 4 deletions
--- a/app/Controller/ServersController.php
+++ b/app/Controller/ServersController.php
@ -1448,7 +1448,7 @@ class ServersController extends AppController
            if (!isset($this->request->data['Server'])) {
                $this->request->data = array('Server' => $this->request->data);
            }
-            if (!isset($this->request->data['Server']['value'])) {
+            if (!isset($this->request->data['Server']['value']) || !is_scalar($this->request->data['Server']['value'])) {
                if ($this->_isRest()) {
                    return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, 'Invalid input. Expected: {"value": "new_setting"}', $this->response->type());
                }
@ -1491,7 +1491,7 @@ class ServersController extends AppController
                    return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Field updated.')), 'status'=>200, 'type' => 'json'));
                }
            } else {
-                if ($this->_isRest) {
+                if ($this->_isRest()) {
                    return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, $result, $this->response->type());
                } else {
                    return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $result)), 'status'=>200, 'type' => 'json'));
--- a/tests/testlive_security.py
+++ b/tests/testlive_security.py
@ -184,6 +184,11 @@ class TestSecurity(unittest.TestCase):
        # TODO: Try to reload config cache
        self.admin_misp_connector.get_server_setting("MISP.live")

+    def tearDown(self):
+        # Ensure correct config
+        setting = self.admin_misp_connector.get_server_setting("Security.advanced_authkeys")
+        self.assertEqual(setting["value"], False, "Security.advanced_authkeys should be False after test")
+
    def test_not_logged_in(self):
        session = requests.Session()

@ -399,18 +404,22 @@ class TestSecurity(unittest.TestCase):
            logged_in = PyMISP(url, auth_key["authkey_raw"])
            self.assertEqual(logged_in._current_user.id, self.test_usr.id)

-            self.__delete_advanced_authkey(auth_key["id"])
            # Wait one second to really know that session will be reloaded
            time.sleep(1)
+
+            self.__delete_advanced_authkey(auth_key["id"])
+
            with self.assertRaises(MISPServerError):
                logged_in.get_user()

+        time.sleep(1)
+
    def test_advanced_authkeys_own_key_not_possible(self):
        with MISPSetting(self.admin_misp_connector, "Security.advanced_authkeys", True):
            authkey = ("a" * 40)
            auth_key = self.__create_advanced_authkey(self.test_usr.id, {"authkey": authkey})
            self.__delete_advanced_authkey(auth_key["id"])
-            self.assertNotEqual(authkey, auth_key["authkey"])
+            self.assertNotEqual(authkey, auth_key["authkey_raw"])

    def test_advanced_authkeys_reset_own(self):
        with self.__setting("Security.advanced_authkeys", True):