Proposal changes

- anyone who can see an event can see its proposals
- fixed a vulnerability where a user could blindly add a proposal to an event that he couldn't see
pull/217/head
iglocska 2014-01-10 14:56:21 +01:00
parent 89c80a8b7c
commit 772f60ff40
2 changed files with 24 additions and 11 deletions


@ -199,7 +199,17 @@ class ShadowAttributesController extends AppController {
* @throws NotFoundException // TODO Exception
*/
public function add($eventId = null) {
$event = $this->ShadowAttribute->Event->find('first', array(
'conditions' => array('Event.id' => $eventId),
'recursive' => -1,
'fields' => array('id', 'orgc', 'distribution', 'org'),
));
if ((($event['Event']['distribution'] == 0 && !$event['Event']['org'] != $this->Auth->user('org'))) || ($event['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
if ($this->request->is('post')) {
// Give error if someone tried to submit a attribute with attachment or malware-sample type.
// TODO change behavior attachment options - this is bad ... it should rather by a messagebox or should be filtered out on the view level
if (isset($this->request->data['ShadowAttribute']['type']) && $this->ShadowAttribute->typeIsAttachment($this->request->data['ShadowAttribute']['type'])) {
@ -340,6 +350,15 @@ class ShadowAttributesController extends AppController {
* @throws InternalErrorException
*/
public function add_attachment($eventId = null) {
$event = $this->ShadowAttribute->Event->find('first', array(
'conditions' => array('Event.id' => $eventId),
'recursive' => -1,
'fields' => array('id', 'orgc', 'distribution', 'org'),
));
if ((($event['Event']['distribution'] == 0 && !$event['Event']['org'] != $this->Auth->user('org'))) || ($event['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Event.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
if ($this->request->is('post')) {
// Check if there were problems with the file upload
// only keep the last part of the filename, this should prevent directory attacks
@ -496,7 +515,10 @@ class ShadowAttributesController extends AppController {
}
$uuid = $this->Attribute->data['Attribute']['uuid'];
if (!$this->_isSiteAdmin()) {
if (($this->Attribute->data['Attribute']['distribution'] == 0) || ($this->Attribute->data['Event']['orgc'] == $this->Auth->user('org'))) {
// If the attribute's distribution is private and the user is not the owner of the event or if the user is of the original creator org -> exception
// The owner should be able to create a shadow attribute, since a pushed community event would be private and tied to a single organisation on a synced instance
// The users of that organisation can only view but not edit the event, but they should be able to propose a change
if ((($this->Attribute->data['Attribute']['distribution'] == 0 && !$this->Attribute->data['Event']['org'] != $this->Auth->user('org'))) || ($this->Attribute->data['Event']['orgc'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Attribute.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
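Review bot: The org comparison in the new guard at L22 (repeated at L39 and L54) is broken by operator precedence: `!` binds tighter than `!=`, so `!$event['Event']['org'] != $this->Auth->user('org')` compares the boolean `!org` with the user's org string and is true for every non-empty org, which means every distribution-0 event is rejected even for the organisation that owns it. The intended test is `$event['Event']['distribution'] == 0 && $event['Event']['org'] != $this->Auth->user('org')`, preferably written with `!==`. `find('first')` returns an empty array for an unknown `$eventId`, so the guard should also test `empty($event)` before indexing `$event['Event']` rather than relying on undefined-index notices to reach the redirect. The same check now exists in three places and belongs in one private helper; add() and add_attachment() continue outside their hunks, and the method containing the third hunk starts before L47.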


@ -839,7 +839,6 @@ class Event extends AppModel {
// if we come from automation, we may not be logged in - instead we used an auth key in the URL.
$conditionsAttributes = array();
$conditionsShadowAttributes = array();
//restricting to non-private or same org if the user is not a site-admin.
if (!$isSiteAdmin) {
$conditions['AND']['OR'] = array(
@ -850,13 +849,6 @@ class Event extends AppModel {
'Attribute.distribution >' => 0,
'(SELECT events.org FROM events WHERE events.id = Attribute.event_id) LIKE' => $org
);
$conditionsShadowAttributes['OR'] = array(
// We are currently looking at events.org matching the user's org, but later on, once we start syncing shadow attributes, we may want to change this to orgc
// Right now the org that currently owns the event on an instance can see, accept and decline these requests, but in the long run once we can distribute
// the requests back to the creator, we may want to leave these decisions up to them.
array('(SELECT events.org FROM events WHERE events.id = ShadowAttribute.event_id) LIKE' => $org),
array('ShadowAttribute.org LIKE' => $org),
);
}
if ($idList) {
@ -871,7 +863,7 @@ class Event extends AppModel {
// do not expose all the data ...
$fields = array('Event.id', 'Event.org', 'Event.date', 'Event.threat_level_id', 'Event.info', 'Event.published', 'Event.uuid', 'Event.attribute_count', 'Event.analysis', 'Event.timestamp', 'Event.distribution', 'Event.proposal_email_lock', 'Event.orgc', 'Event.user_id', 'Event.locked');
$fieldsAtt = array('Attribute.id', 'Attribute.type', 'Attribute.category', 'Attribute.value', 'Attribute.to_ids', 'Attribute.uuid', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.timestamp', 'Attribute.comment');
$fieldsShadowAtt = array('ShadowAttribute.id', 'ShadowAttribute.type', 'ShadowAttribute.category', 'ShadowAttribute.value', 'ShadowAttribute.to_ids', 'ShadowAttribute.uuid', 'ShadowAttribute.event_id', 'ShadowAttribute.old_id', 'ShadowAttribute.comment');
$fieldsShadowAtt = array('ShadowAttribute.id', 'ShadowAttribute.type', 'ShadowAttribute.category', 'ShadowAttribute.value', 'ShadowAttribute.to_ids', 'ShadowAttribute.uuid', 'ShadowAttribute.event_id', 'ShadowAttribute.old_id', 'ShadowAttribute.comment', 'ShadowAttribute.org');
$params = array('conditions' => $conditions,
'recursive' => 0,
@ -886,7 +878,6 @@ class Event extends AppModel {
),
'ShadowAttribute' => array(
'fields' => $fieldsShadowAtt,
'conditions' => $conditionsShadowAttributes,
),
)
);
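Review bot: Removing `$conditionsShadowAttributes` (hunk at L68) drops the org filter on proposals without replacing it with any distribution filter, while the sibling `Attribute` conditions (L69–L71) still hide `Attribute.distribution` 0 rows from other orgs; a proposal carrying `ShadowAttribute.old_id` against such an org-only attribute would still be returned, so its value could reveal an attribute the reader is not allowed to see — presumably unintended, worth confirming. The added `ShadowAttribute.org` field (L86) also exposes the proposing organisation to every reader of the event; if that is intended, note it beside the field list, e.g. `// ShadowAttribute.org is returned to every reader of the event so the proposing org can be displayed`. If `$conditionsShadowAttributes = array();` at L64 survives the first hunk it is now dead and should be dropped too. The enclosing function starts before L61 and continues past L96.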