fix: [security] Do not allow to use API key authenticated session to do non API calls

pull/6581/head
Jakub Onderka 2020-12-02 19:35:31 +01:00
parent 9896f67358
commit d92123c915
2 changed files with 15 additions and 14 deletions


@ -260,6 +260,10 @@ class AppController extends Controller
$this->_stop(); // just for sure
}
if (isset($user['logged_by_authkey']) && $user['logged_by_authkey'] && !($this->_isRest() || $this->_isAutomation())) {
throw new ForbiddenException("When user is authenticated by authkey, just REST request can be processed");
}
$this->set('default_memory_limit', ini_get('memory_limit'));
if (isset($user['Role']['memory_limit'])) {
if ($user['Role']['memory_limit'] !== '') {
@ -788,12 +792,7 @@ class AppController extends Controller
protected function _isAutomation()
{
foreach ($this->automationArray as $controllerName => $controllerActions) {
if ($this->params['controller'] == $controllerName && in_array($this->params['action'], $controllerActions)) {
return true;
}
}
return false;
return $this->IndexFilter->isApiFunction($this->params['controller'], $this->params['action']);
}
/**
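Review bot: The new authkey gate in the first hunk relies on `_isAutomation()`, which the second hunk turns into a delegate to `$this->IndexFilter->isApiFunction(...)`, so the ForbiddenException now depends on the IndexFilter component being loaded in every controller that inherits AppController; if a subclass overrides `$components` without it, the guard would fail with an undefined-property error instead of a 403 (the component list is outside this diff, so please confirm). The exception text also reads awkwardly and would be clearer as `throw new ForbiddenException("When user is authenticated by authkey, only REST requests can be processed");`. The rewritten `_isAutomation()` lost the explanation the loop carried, so a short docblock would help: `/** Whether the current controller/action is an automation (API) endpoint listed in automationArray. @return bool */`. The enclosing beforeFilter starts and ends outside the first hunk.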


@ -6,7 +6,8 @@
class IndexFilterComponent extends Component
{
public $Controller = false;
/** @var Controller */
public $Controller;
public $isRest = null;
public function initialize(Controller $controller) {
@ -74,7 +75,7 @@ class IndexFilterComponent extends Component
}
}
}
$this->Controller->set('passedArgs', json_encode($this->Controller->passedArgs, true));
$this->Controller->set('passedArgs', json_encode($this->Controller->passedArgs));
return $data;
}
@ -85,7 +86,7 @@ class IndexFilterComponent extends Component
return $this->isRest;
}
$api = $this->isApiFunction($this->Controller->request->params['controller'], $this->Controller->request->params['action']);
if (isset($this->Controller->RequestHandler) && ($api || $this->Controller->RequestHandler->isXml() || $this->isJson() || $this->isCsv())) {
if (isset($this->Controller->RequestHandler) && ($api || $this->isJson() || $this->Controller->RequestHandler->isXml() || $this->isCsv())) {
if ($this->isJson()) {
if (!empty($this->Controller->request->input()) && empty($this->Controller->request->input('json_decode'))) {
throw new MethodNotAllowedException('Invalid JSON input. Make sure that the JSON input is a correctly formatted JSON string. This request has been blocked to avoid an unfiltered request.');
@ -117,12 +118,13 @@ class IndexFilterComponent extends Component
}
/**
* @param string $controller
* @param string $action
* @return bool
*/
public function isApiFunction($controller, $action)
{
if (isset($this->Controller->automationArray[$controller]) && in_array($action, $this->Controller->automationArray[$controller])) {
return true;
}
return false;
return isset($this->Controller->automationArray[$controller]) && in_array($action, $this->Controller->automationArray[$controller], true);
}
}
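Review bot: Dropping the second argument of `json_encode` on the passedArgs line in the second hunk changes the emitted JSON, not only the call's correctness: without strict types the old `true` was coerced to the int flag 1, which is `JSON_HEX_TAG`, so `<` and `>` in passed arguments were previously encoded as `\u003C`/`\u003E`. If any view interpolates `passedArgs` inside an inline script block, that encoding was what kept a `<` in a filter value from terminating the block; that usage is outside this diff, so please confirm before relying on the removal. If the flag was accidental, the change is fine; if the encoding was relied on, make it explicit instead: `$this->Controller->set('passedArgs', json_encode($this->Controller->passedArgs, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));`. The enclosing method starts outside that hunk.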