fix: [security] Do not allow to use API key authenticated session to do non API calls
parent
9896f67358
commit
d92123c915
|
@ -260,6 +260,10 @@ class AppController extends Controller
|
|||
$this->_stop(); // just for sure
|
||||
}
|
||||
|
||||
if (isset($user['logged_by_authkey']) && $user['logged_by_authkey'] && !($this->_isRest() || $this->_isAutomation())) {
|
||||
throw new ForbiddenException("When user is authenticated by authkey, just REST request can be processed");
|
||||
}
|
||||
|
||||
$this->set('default_memory_limit', ini_get('memory_limit'));
|
||||
if (isset($user['Role']['memory_limit'])) {
|
||||
if ($user['Role']['memory_limit'] !== '') {
|
||||
|
@ -788,12 +792,7 @@ class AppController extends Controller
|
|||
|
||||
protected function _isAutomation()
|
||||
{
|
||||
foreach ($this->automationArray as $controllerName => $controllerActions) {
|
||||
if ($this->params['controller'] == $controllerName && in_array($this->params['action'], $controllerActions)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
return $this->IndexFilter->isApiFunction($this->params['controller'], $this->params['action']);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
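Review bot: The message on the `throw new ForbiddenException(...)` line is ungrammatical for a user-facing error; `throw new ForbiddenException("When user is authenticated by authkey, only REST requests can be processed");`. The guard would also benefit from a comment recording what it enforces, because `_isRest()` is satisfied by request headers (in this commit IndexFilterComponent::isRest accepts JSON, XML or CSV requests), so the condition stops an API-key session from rendering the web UI rather than limiting which actions it can reach; something like `// Sessions created from an authkey are API-only: refuse requests that would render the HTML UI.` above the if would make that intent explicit. The check further depends on `_isAutomation()`, which the second hunk turns into a call on `$this->IndexFilter`, so every controller reaching this line must have that component loaded — presumably via AppController's components list, which is outside the hunk. The enclosing method starts and ends outside the hunk.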
@ -6,7 +6,8 @@
|
|||
|
||||
class IndexFilterComponent extends Component
|
||||
{
|
||||
public $Controller = false;
|
||||
/** @var Controller */
|
||||
public $Controller;
|
||||
public $isRest = null;
|
||||
|
||||
public function initialize(Controller $controller) {
|
||||
|
@ -74,7 +75,7 @@ class IndexFilterComponent extends Component
|
|||
}
|
||||
}
|
||||
}
|
||||
$this->Controller->set('passedArgs', json_encode($this->Controller->passedArgs, true));
|
||||
$this->Controller->set('passedArgs', json_encode($this->Controller->passedArgs));
|
||||
return $data;
|
||||
}
|
||||
|
||||
|
@ -85,7 +86,7 @@ class IndexFilterComponent extends Component
|
|||
return $this->isRest;
|
||||
}
|
||||
$api = $this->isApiFunction($this->Controller->request->params['controller'], $this->Controller->request->params['action']);
|
||||
if (isset($this->Controller->RequestHandler) && ($api || $this->Controller->RequestHandler->isXml() || $this->isJson() || $this->isCsv())) {
|
||||
if (isset($this->Controller->RequestHandler) && ($api || $this->isJson() || $this->Controller->RequestHandler->isXml() || $this->isCsv())) {
|
||||
if ($this->isJson()) {
|
||||
if (!empty($this->Controller->request->input()) && empty($this->Controller->request->input('json_decode'))) {
|
||||
throw new MethodNotAllowedException('Invalid JSON input. Make sure that the JSON input is a correctly formatted JSON string. This request has been blocked to avoid an unfiltered request.');
|
||||
|
@ -117,12 +118,13 @@ class IndexFilterComponent extends Component
|
|||
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $controller
|
||||
* @param string $action
|
||||
* @return bool
|
||||
*/
|
||||
public function isApiFunction($controller, $action)
|
||||
{
|
||||
if (isset($this->Controller->automationArray[$controller]) && in_array($action, $this->Controller->automationArray[$controller])) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
return isset($this->Controller->automationArray[$controller]) && in_array($action, $this->Controller->automationArray[$controller], true);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
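Review bot: `isApiFunction` is now the single predicate behind AppController's authkey-session guard (`_isAutomation()` delegates to it), and its docblock should say so, since any controller/action pair missing from `automationArray` will be refused for API-key sessions; add a line such as `* True when the controller/action pair is listed in AppController::$automationArray; AppController uses this to restrict authkey-authenticated sessions to API calls.` The method reads `$this->Controller->automationArray`, yet the new `/** @var Controller */` annotation on the property names the base class, which as far as this hunk shows does not declare that property, so static analysis may flag the access — `@var AppController`, or a null-safe `$this->Controller->automationArray[$controller] ?? []` if the project's PHP floor allows it, would be more accurate. The `@param string` tags could likewise become native `string` parameter types if the PHP floor permits, which would make the strict `in_array(..., true)` comparison on the new line exact by construction.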