mirror of https://github.com/MISP/MISP
chg: [internal] Do not modify session when not necessary
parent
e6e716971a
commit
b100377a73
|
@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
|
|||
class AllowedlistsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'AdminCrud'
|
||||
);
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');
|
|||
* @property CompressedRequestHandlerComponent $CompressedRequestHandler
|
||||
* @property DeprecationComponent $Deprecation
|
||||
* @property RestSearchComponent $RestSearch
|
||||
* @property BetterSecurityComponent $Security
|
||||
*/
|
||||
class AppController extends Controller
|
||||
{
|
||||
|
@ -81,7 +82,9 @@ class AppController extends Controller
|
|||
)
|
||||
)
|
||||
),
|
||||
'Security',
|
||||
'Security' => [
|
||||
'className' => 'BetterSecurity',
|
||||
],
|
||||
'ACL',
|
||||
'CompressedRequestHandler',
|
||||
'RestResponse',
|
||||
|
@ -217,6 +220,7 @@ class AppController extends Controller
|
|||
// Throw exception if JSON in request is invalid. Default CakePHP behaviour would just ignore that error.
|
||||
$this->RequestHandler->addInputType('json', [$jsonDecode]);
|
||||
$this->Security->unlockedActions = array($this->request->action);
|
||||
$this->Security->doNotGenerateToken = true;
|
||||
}
|
||||
|
||||
if (
|
||||
|
@ -230,9 +234,7 @@ class AppController extends Controller
|
|||
// REST authentication
|
||||
if ($this->_isRest() || $this->_isAutomation()) {
|
||||
// disable CSRF for REST access
|
||||
if (isset($this->components['Security'])) {
|
||||
$this->Security->csrfCheck = false;
|
||||
}
|
||||
$this->Security->csrfCheck = false;
|
||||
if ($this->__loginByAuthKey() === false || $this->Auth->user() === null) {
|
||||
if ($this->__loginByAuthKey() === null) {
|
||||
$this->loadModel('Log');
|
||||
|
|
|
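Review bot: The `'Security' => ['className' => 'BetterSecurity']` entry in `$components` only takes effect while no subclass re-declares a bare `'Security'` in its own `$components`: as far as I recall CakePHP normalises both arrays before merging, so a child's `'Security' => null` replaces the parent's config and silently loads the stock SecurityComponent, on which `doNotGenerateToken` (set in the JSON block later in this file and in EventsController::checkLocks) is just an inert dynamic property and the `_Token` session write keeps happening. That is presumably why the rest of the commit strips 'Security' from every controller, but nothing enforces it for controllers added later; a comment on that line, `// Do not list 'Security' again in subclasses: the merged config would drop the BetterSecurity className`, would make the constraint visible. In the REST block, `$this->Security->csrfCheck = false;` is now unconditional, which is consistent with the component always being loaded. The enclosing beforeFilter starts and ends outside these hunks.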
@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
|
|||
*/
|
||||
class AttributesController extends AppController
|
||||
{
|
||||
public $components = array('Security', 'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = [
|
||||
'limit' => 60,
|
||||
|
@ -47,9 +47,8 @@ class AttributesController extends AppController
|
|||
$this->Security->unlockedActions[] = 'getMassEditForm';
|
||||
$this->Security->unlockedActions[] = 'search';
|
||||
if ($this->request->action === 'add_attachment') {
|
||||
$this->Security->disabledFields = array('values');
|
||||
$this->Security->unlockedFields = array('values');
|
||||
}
|
||||
$this->Security->validatePost = true;
|
||||
|
||||
// convert uuid to id if present in the url and overwrite id field
|
||||
if (isset($this->request->params->query['uuid'])) {
|
||||
|
|
|
@ -8,7 +8,6 @@ App::uses('AuditLog', 'Model');
|
|||
class AuditLogsController extends AppController
|
||||
{
|
||||
public $components = [
|
||||
'Security',
|
||||
'RequestHandler',
|
||||
];
|
||||
|
||||
|
|
|
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class AuthKeysController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'CRUD',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
<?php
|
||||
App::uses('SecurityComponent', 'Controller/Component');
|
||||
|
||||
/**
|
||||
* @property SessionComponent $Session
|
||||
*/
|
||||
class BetterSecurityComponent extends SecurityComponent
|
||||
{
|
||||
/**
|
||||
* Do not generate CSRF token. This make sense for REST calls and for calls that do not use tokens. So session
|
||||
* will not be big with csrfLimit (by default 100) of token.
|
||||
* @var bool
|
||||
*/
|
||||
public $doNotGenerateToken = false;
|
||||
|
||||
public function generateToken(CakeRequest $request)
|
||||
{
|
||||
if (isset($request->params['requested']) && $request->params['requested'] === 1) {
|
||||
if ($this->Session->check('_Token')) {
|
||||
$request->params['_Token'] = $this->Session->read('_Token');
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($this->doNotGenerateToken) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// No need to hash random data
|
||||
$authKey = bin2hex(Security::randomBytes(16));
|
||||
$token = array(
|
||||
'key' => $authKey,
|
||||
'allowedControllers' => $this->allowedControllers,
|
||||
'allowedActions' => $this->allowedActions,
|
||||
'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields),
|
||||
'csrfTokens' => array(),
|
||||
);
|
||||
|
||||
if ($this->Session->check('_Token')) {
|
||||
$tokenData = $this->Session->read('_Token');
|
||||
if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
|
||||
$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
|
||||
}
|
||||
}
|
||||
if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
if (!$this->csrfUseOnce) {
|
||||
$csrfTokens = array_keys($token['csrfTokens']);
|
||||
$authKey = $csrfTokens[0];
|
||||
$token['key'] = $authKey;
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
$this->Session->write('_Token', $token);
|
||||
$request->params['_Token'] = array(
|
||||
'key' => $token['key'],
|
||||
'unlockedFields' => $token['unlockedFields'],
|
||||
);
|
||||
return true;
|
||||
}
|
||||
}
|
|
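Review bot: `doNotGenerateToken` skips both the `_Token` session write and `$request->params['_Token']`, so an action that enables it must never render a FormHelper form or accept a CSRF-checked POST: once the parent's `_validateCsrf` consumes a one-time token there is no replacement, and the next submit would be blackholed. The property docblock should state that, e.g. `Only set this for actions that neither render forms nor accept CSRF-checked POSTs (REST/JSON requests, polling endpoints); no token is issued and nothing is written to the session.` The rest of generateToken looks like a copy of the parent implementation with only the key source changed to `bin2hex(Security::randomBytes(16))`; a one-line comment naming that origin would help keep it in sync with the upstream method, and the method could carry `@return bool`. The docblock sentence `This make sense for REST calls ... So session will not be big with csrfLimit (by default 100) of token.` also reads awkwardly and should be reworded.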
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class CorrelationExclusionsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'CRUD',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
|
|||
*/
|
||||
class CorrelationsController extends AppController
|
||||
{
|
||||
public $components = array('Security', 'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public function top()
|
||||
{
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class DecayingModelController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 50,
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class DecayingModelMappingController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 50,
|
||||
|
|
|
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class EventGraphController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
||||
|
|
|
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class EventReportsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'AdminCrud',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -9,10 +9,8 @@ App::uses('Xml', 'Utility');
|
|||
class EventsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'Email',
|
||||
'RequestHandler',
|
||||
'IOCImport',
|
||||
'RequestHandler',
|
||||
'IOCImport',
|
||||
);
|
||||
|
||||
public $paginate = array(
|
||||
|
@ -102,6 +100,10 @@ class EventsController extends AppController
|
|||
}
|
||||
$this->paginate = Set::merge($this->paginate, array('conditions' => $conditions));
|
||||
}
|
||||
|
||||
if ($this->request->action === 'checkLocks') {
|
||||
$this->Security->doNotGenerateToken = true;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -4444,21 +4446,21 @@ class EventsController extends AppController
|
|||
return new CakeResponse(array('body' => json_encode($json), 'status' => 200, 'type' => 'json'));
|
||||
}
|
||||
|
||||
private function genDistributionGraph($id, $type = 'event', $extended = 0)
|
||||
private function genDistributionGraph($id, $type = 'event', $extended = 0, $user = null)
|
||||
{
|
||||
$validTools = array('event');
|
||||
if (!in_array($type, $validTools)) {
|
||||
throw new MethodNotAllowedException(__('Invalid type.'));
|
||||
}
|
||||
|
||||
App::uses('DistributionGraphTool', 'Tools');
|
||||
$grapher = new DistributionGraphTool();
|
||||
|
||||
$this->loadModel('Server');
|
||||
$servers = $this->Server->find('column', array(
|
||||
'fields' => array('Server.name'),
|
||||
));
|
||||
$grapher->construct($this->Event, $servers, $this->Auth->user(), $extended);
|
||||
|
||||
App::uses('DistributionGraphTool', 'Tools');
|
||||
$user = $user ?: $this->Auth->user();
|
||||
$grapher = new DistributionGraphTool($this->Event, $servers, $user, $extended);
|
||||
$json = $grapher->get_distributions_graph($id);
|
||||
|
||||
array_walk_recursive($json, function (&$item, $key) {
|
||||
|
@ -4500,8 +4502,12 @@ class EventsController extends AppController
|
|||
|
||||
public function getDistributionGraph($id, $type = 'event')
|
||||
{
|
||||
// Close session without writing changes to them.
|
||||
$user = $this->Auth->user();
|
||||
session_abort();
|
||||
|
||||
$extended = isset($this->params['named']['extended']) ? 1 : 0;
|
||||
$json = $this->genDistributionGraph($id, $type, $extended);
|
||||
$json = $this->genDistributionGraph($id, $type, $extended, $user);
|
||||
return $this->RestResponse->viewData($json, 'json');
|
||||
}
|
||||
|
||||
|
@ -5440,17 +5446,20 @@ class EventsController extends AppController
|
|||
|
||||
public function checkLocks($id, $timestamp)
|
||||
{
|
||||
// Close session without writing changes to them.
|
||||
$user = $this->Auth->user();
|
||||
session_abort();
|
||||
|
||||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => ['Event.id' => $id],
|
||||
'fields' => ['Event.orgc_id', 'Event.timestamp'],
|
||||
));
|
||||
// Return empty response if event not found or user org is not owner
|
||||
if (empty($event) || ($event['Event']['orgc_id'] != $this->Auth->user('org_id') && !$this->_isSiteAdmin())) {
|
||||
if (empty($event) || ($event['Event']['orgc_id'] != $user['org_id'] && !$this->_isSiteAdmin())) {
|
||||
return new CakeResponse(['status' => 204]);
|
||||
}
|
||||
|
||||
$user = $this->Auth->user();
|
||||
$this->loadModel('EventLock');
|
||||
$locks = $this->EventLock->checkLock($user, $id);
|
||||
|
||||
|
|
|
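Review bot: In checkLocks, the line `$user = $this->Auth->user();` just before `$this->loadModel('EventLock');` appears to be unchanged context, so it re-reads the session after `session_abort()` and overwrites the `$user` captured at the top of the action for exactly that reason; that later line should be removed so the EventLock lookup uses the captured value. `$this->_isSiteAdmin()` in the owner check also runs after the abort — if it goes through `Auth->user()` rather than controller state it has the same problem (its body is not in this hunk). Separately, the `$components` hunks of this file, UsersController and ShadowAttributesController also drop 'Email' (and 'Acl' in ShadowAttributes), which the commit message does not mention; worth confirming no `$this->Email` use remains in those controllers. checkLocks continues past the end of the hunk.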
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class FeedsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'CRUD',
|
||||
'RequestHandler'
|
||||
); // XXX ACL component
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
|
|||
*/
|
||||
class JobsController extends AppController
|
||||
{
|
||||
public $components = array('Security', 'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 20,
|
||||
|
|
|
@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
|
|||
class LogsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'RequestHandler',
|
||||
'AdminCrud' => array(
|
||||
'crud' => array('index')
|
||||
|
|
|
@ -3,7 +3,6 @@ App::uses('AppController', 'Controller');
|
|||
class ModulesController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
|
|||
*/
|
||||
class ObjectReferencesController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 20,
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class ObjectTemplateElementsController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
|
|||
*/
|
||||
class ObjectTemplatesController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
|
|
|
@ -10,7 +10,7 @@ class ObjectsController extends AppController
|
|||
{
|
||||
public $uses = 'MispObject';
|
||||
|
||||
public $components = array('Security' ,'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 20,
|
||||
|
|
|
@ -9,7 +9,6 @@ App::uses('AppController', 'Controller');
|
|||
class PostsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'Session',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class RegexpController extends AppController
|
||||
{
|
||||
public $components = array('Security', 'RequestHandler', 'AdminCrud');
|
||||
public $components = array('RequestHandler', 'AdminCrud');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
|
|
|
@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
|
|||
class RestClientHistoryController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'AdminCrud',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -10,7 +10,6 @@ App::uses('AppController', 'Controller');
|
|||
class RolesController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'Session',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -9,7 +9,7 @@ App::uses('SecurityAudit', 'Tools');
|
|||
*/
|
||||
class ServersController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler'); // XXX ACL component
|
||||
public $components = array('RequestHandler'); // XXX ACL component
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
|
|
|
@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
|
|||
*/
|
||||
class ShadowAttributesController extends AppController
|
||||
{
|
||||
public $components = array('Acl', 'Security', 'RequestHandler', 'Email');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
|
@ -20,7 +20,6 @@ class ShadowAttributesController extends AppController
|
|||
{
|
||||
parent::beforeFilter();
|
||||
$this->set('title_for_layout', 'Proposals');
|
||||
$this->Security->validatePost = true;
|
||||
|
||||
// convert uuid to id if present in the url, and overwrite id field
|
||||
if (isset($this->params->query['uuid'])) {
|
||||
|
|
|
@ -8,7 +8,6 @@ App::uses('AppController', 'Controller');
|
|||
class TagCollectionsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'AdminCrud',
|
||||
'RequestHandler'
|
||||
);
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
|
|||
*/
|
||||
class TagsController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 50,
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class TasksController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler', 'Session');
|
||||
public $components = array('RequestHandler', 'Session');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 20,
|
||||
|
|
|
@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
|
|||
|
||||
class TemplateElementsController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler');
|
||||
public $components = array('RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 50,
|
||||
|
|
|
@ -6,7 +6,7 @@ App::uses('File', 'Utility');
|
|||
|
||||
class TemplatesController extends AppController
|
||||
{
|
||||
public $components = array('Security' ,'RequestHandler', 'CRUD');
|
||||
public $components = array('RequestHandler', 'CRUD');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 50,
|
||||
|
|
|
@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
|
|||
class ThreadsController extends AppController
|
||||
{
|
||||
public $components = array(
|
||||
'Security',
|
||||
'RequestHandler',
|
||||
'Session',
|
||||
);
|
||||
|
|
|
@ -9,9 +9,7 @@ class UsersController extends AppController
|
|||
public $newkey;
|
||||
|
||||
public $components = array(
|
||||
'Security',
|
||||
'Email',
|
||||
'RequestHandler'
|
||||
'RequestHandler'
|
||||
);
|
||||
|
||||
public $paginate = array(
|
||||
|
|
|
@ -11,7 +11,7 @@ class DistributionGraphTool
|
|||
/** @var array */
|
||||
private $__serverList;
|
||||
|
||||
public function construct(Event $eventModel, array $servers, array $user, $extended_view=0)
|
||||
public function __construct(Event $eventModel, array $servers, array $user, $extended_view=0)
|
||||
{
|
||||
$this->__eventModel = $eventModel;
|
||||
$this->__serverList = $servers;
|
||||
|
@ -33,8 +33,6 @@ class DistributionGraphTool
|
|||
];
|
||||
}
|
||||
$this->__json['distributionInfo'][5] = ""; // inherit event. Will be deleted afterward
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
private function __fetchAndAddDistributionInfo($elem)
|
||||
|
|