fix: [internal] Added a setting to skip positive attribute level filters on the event scope

- when running a large MISP community, it is bound to happen that your instance will be used as the back-end for internal tooling - often these tools are configured to fetch aggressively, often with heavy consequences on the server load - some filter that serves mostly edge-case lookups can mistakenly lead to heavy server load for no good reason We have identified attribute level positive filters on the event scope to be such a filter and made them optionally toggle-able via the MISP.attribute_fitlers_block_only flag. Turning the setting on will remove all event level filters such as "type" from being viable filter candidates unless used to block the inclusion of attribute types. Some examples: "type": {"OR": ["ip-dst", "ip-src", "hostname", "domain"]} would normally return ANY event that has at least one of the listed attribute types. This is the behaviour that can now be disabled. "type": {"NOT": ["iban", "cc-number"]} would normally remove any attributes with the given types from the list of returned events. This functionality is NOT affected by the toggle.
2020-04-15 06:21:15 +02:00 · 2020-04-15 06:21:15 +02:00 · ec93389669
parent 5d5b7a79ac
commit ec93389669
2 changed files with 15 additions and 1 deletions
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
@ -2585,7 +2585,7 @@ class Event extends AppModel
        }
        return $conditions;
    }
-    
+
    public function set_filter_uuid(&$params, $conditions, $options)
    {
        if ($options['scope'] === 'Event') {
@ -2701,6 +2701,11 @@ class Event extends AppModel
    {
        if (!empty($params[$options['filter']])) {
            $params[$options['filter']] = $this->convert_filters($params[$options['filter']]);
+            if (!empty(Configure::read('MISP.attribute_filters_block_only'))) {
+                if ($options['context'] === 'Event' && !empty($params[$options['filter']]['OR'])) {
+                    unset($params[$options['filter']]['OR']);
+                }
+            }
            $conditions = $this->generic_add_filter($conditions, $params[$options['filter']], 'Attribute.' . $options['filter']);
        }
        return $conditions;
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -1072,6 +1072,15 @@ class Server extends AppModel
                               'test' => 'testForNumeric',
                               'type' => 'numeric',
                               'null' => true
+                       ),
+                       'attribute_filters_block_only' => array(
+                               'level' => 1,
+                               'description' => __('This is a performance tweak to change the behaviour of restSearch to use attribute filters solely for blocking. This means that a lookup on the event scope with for example the type field set will be ignored unless it\'s used to strip unwanted attributes from the results. If left disabled, passing [ip-src, ip-dst] for example will return any event with at least one ip-src or ip-dst attribute. This is generally not considered to be too useful and is a heavy burden on the database.'),
+                               'value' => false,
+                               'errorMessage' => '',
+                               'test' => 'testBool',
+                               'type' => 'boolean',
+                               'null' => true
                       )
                ),
                'GnuPG' => array(