Authorize request before returning images

app/Http/Controllers/ImageController.php

@@ -3,12 +3,21 @@
 namespace App\Http\Controllers;
 
 use CDash\Model\Image;
+use Illuminate\Support\Facades\Gate;
 use Symfony\Component\HttpFoundation\StreamedResponse;
+use Symfony\Component\HttpKernel\Exception\HttpException;
 
 class ImageController extends AbstractController
 {
+    /**
+     * @throws HttpException
+     */
     public function image(Image $image): StreamedResponse
     {
+        if (Gate::denies('view-image', $image)) {
+            abort(404);
+        }
+
         return response()->stream(function () use ($image) {
             echo $image->Data;
         }, 200, ['Content-type' => $image->Extension]);

app/Models/BuildTest.php

@@ -5,6 +5,8 @@
 use CDash\Model\Label;
 
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Support\Facades\Config;
 
 class BuildTest extends Model
 {
@@ -20,16 +22,18 @@ class BuildTest extends Model
 
     /**
      * Get the test record for this buildtest.
+     *
+     * @return BelongsTo<Test, self>
      */
-    public function test()
+    public function test(): BelongsTo
     {
         return $this->belongsTo('App\Models\Test', 'testid');
     }
 
     /**
      * Add a label to this buildtest.
      **/
-    public function addLabel(Label $label)
+    public function addLabel(Label $label): void
     {
         if (is_null($this->labels)) {
             $this->labels = collect();
@@ -60,18 +64,18 @@ public function getLabels()
 
     /**
      * Returns a self referencing URI for the current BuildTest.
-     *
-     * @return string
      */
-    public function GetUrlForSelf()
+    public function GetUrlForSelf(): string
     {
-        $host_base = \Config::get('app.url');
+        $host_base = Config::get('app.url');
         return "{$host_base}/test/{$this->id}";
     }
 
 
-    // Marshal functions moved here from the old BuildTest model class.
-    public static function marshalMissing($name, $buildid, $projectid, $projectshowtesttime, $testtimemaxstatus, $testdate)
+    /**
+     * Marshal functions moved here from the old BuildTest model class.
+     */
+    public static function marshalMissing($name, $buildid, $projectid, $projectshowtesttime, $testtimemaxstatus, $testdate): array
     {
         $data = array();
         $data['name'] = $name;
@@ -94,7 +98,7 @@ public static function marshalMissing($name, $buildid, $projectid, $projectshowt
         return $test;
     }
 
-    public static function marshalStatus($status)
+    public static function marshalStatus($status): array
     {
         $statuses = array('passed' => array('Passed', 'normal'),
                           'failed' => array('Failed', 'error'),
@@ -105,7 +109,7 @@ public static function marshalStatus($status)
     }
 
     // Only used in api/v1/viewTest.php
-    public static function marshal($data, $buildid, $projectid, $projectshowtesttime, $testtimemaxstatus, $testdate)
+    public static function marshal($data, $buildid, $projectid, $projectshowtesttime, $testtimemaxstatus, $testdate): array
     {
         require_once 'include/common.php';
         $marshaledStatus = self::marshalStatus($data['status']);

app/Models/TestImage.php

@@ -3,11 +3,20 @@
 namespace App\Models;
 
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
 class TestImage extends Model
 {
     protected $table = 'test2image';
     protected $fillable = ['imgid', 'outputid', 'role'];
 
     public $timestamps = false;
+
+    /**
+     * @return BelongsTo<TestOutput, self>
+     */
+    public function testOutput(): BelongsTo
+    {
+        return $this->belongsTo('App\Models\TestOutput', 'outputid');
+    }
 }

app/Models/TestOutput.php

@@ -2,9 +2,8 @@
 
 namespace App\Models;
 
-use CDash\Models\Build;
-
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
 class TestOutput extends Model
 {
@@ -14,16 +13,24 @@ class TestOutput extends Model
     public $timestamps = false;
 
     /**
-     * Returns uncompressed test output.
+     * Get the test record for this output.
      *
-     * @return string
+     * @return BelongsTo<Test, self>
+     */
+    public function test(): BelongsTo
+    {
+        return $this->belongsTo('App\Models\Test', 'testid');
+    }
+
+    /**
+     * Returns uncompressed test output.
      */
     public static function DecompressOutput($output)
     {
         if (!config('cdash.use_compression')) {
             return $output;
         }
-        if (config('database.default') == 'pgsql') {
+        if (config('database.default') === 'pgsql') {
             if (is_resource($output)) {
                 $output = base64_decode(stream_get_contents($output));
             } else {

app/Providers/AuthServiceProvider.php

@@ -4,11 +4,15 @@
 
 namespace App\Providers;
 
+use App\Models\Test;
+use App\Models\TestImage;
 use App\Models\User;
 use App\Services\ProjectPermissions;
 use CDash\Config;
+use CDash\Model\Image;
 use CDash\Model\Project;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Gate;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
 
@@ -25,10 +29,8 @@ class AuthServiceProvider extends ServiceProvider
 
     /**
      * Register any authentication / authorization services.
-     *
-     * @return void
      */
-    public function boot()
+    public function boot(): void
     {
         $this->registerPolicies();
         Auth::provider('cdash', function ($app, array $config) {
@@ -52,5 +54,33 @@ private function defineGates(): void
             $config = Config::getInstance();
             return $user->IsAdmin() || $config->get('CDASH_USER_CREATE_PROJECTS');
         });
+
+        Gate::define('view-test', function (?User $user, Test $test) {
+            $project = new Project();
+            $project->Id = $test->projectid;
+            return Gate::allows('view-project', $project);
+        });
+
+        Gate::define('view-image', function (?User $user, Image $image) {
+            // Make sure the current user has access to at least one project with this image as the project icon
+            $projects_with_img = DB::select('SELECT id AS projectid FROM project WHERE imageid=?', [$image->Id]);
+            foreach ($projects_with_img as $project_row) {
+                $project = new Project();
+                $project->Id = $project_row->projectid;
+                if (Gate::allows('view-project', $project)) {
+                    return true;
+                }
+            }
+
+            // Make sure the current user has access to a test result with this image
+            $outputs_with_image = TestImage::where('imgid', '=', $image->Id)->get();
+            foreach ($outputs_with_image as $output) {
+                if (Gate::allows('view-test', $output->testOutput->test)) {
+                    return true;
+                }
+            }
+
+            return false;
+        });
     }
 }

app/Services/TestCreator.php

@@ -17,13 +17,11 @@
 namespace App\Services;
 
 use App\Models\BuildTest;
-use App\Models\Test;
 use App\Models\TestImage;
-use App\Models\TestMeasurement;
-use App\Models\TestOutput;
 
 use CDash\Model\Build;
 use CDash\Model\Image;
+use Illuminate\Support\Facades\DB;
 
 /**
  * This class is responsible for creating the various models associated
@@ -64,7 +62,7 @@ public function __construct()
         $this->testStatus = '';
     }
 
-    public function loadImage(Image $image)
+    public function loadImage(Image $image): void
     {
         if ($image->Checksum) {
             return;
@@ -75,10 +73,8 @@ public function loadImage(Image $image)
         $img = imagecreatefromstring($imgStr);
         ob_start();
         switch ($image->Extension) {
-            case 'image/jpg':
-                imagejpeg($img);
-                break;
             case 'image/jpeg':
+            case 'image/jpg':
                 imagejpeg($img);
                 break;
             case 'image/gif':
@@ -98,7 +94,7 @@ public function loadImage(Image $image)
         $image->Checksum = crc32($imageVariable);
     }
 
-    public function saveImage(Image $image, $outputid)
+    public function saveImage(Image $image, $outputid): void
     {
         $image->Save();
         $testImage = new TestImage;
@@ -108,17 +104,17 @@ public function saveImage(Image $image, $outputid)
         $testImage->save();
     }
 
-    public function computeCrc32()
+    public function computeCrc32(): int
     {
-        $crc32_input = pdo_real_escape_string($this->testName);
-        $crc32_input .= pdo_real_escape_string($this->testPath);
-        $crc32_input .= pdo_real_escape_string($this->testCommand);
-        $crc32_input .= pdo_real_escape_string($this->testOutput);
-        $crc32_input .= pdo_real_escape_string($this->testDetails);
+        $crc32_input = $this->testName;
+        $crc32_input .= $this->testPath;
+        $crc32_input .= $this->testCommand;
+        $crc32_input .= $this->testOutput;
+        $crc32_input .= $this->testDetails;
         foreach ($this->measurements as $measurement) {
-            $crc32_input .= "_" . pdo_real_escape_string($measurement->type);
-            $crc32_input .= "_" . pdo_real_escape_string($measurement->name);
-            $crc32_input .= "_" . pdo_real_escape_string($measurement->value);
+            $crc32_input .= "_" . $measurement->type;
+            $crc32_input .= "_" . $measurement->name;
+            $crc32_input .= "_" . $measurement->value;
         }
 
         foreach ($this->images as $image) {
@@ -132,10 +128,10 @@ public function computeCrc32()
     /**
      * Compress test output before storing it in the database.
      */
-    public function compressOutput()
+    public function compressOutput(): void
     {
         if ($this->alreadyCompressed) {
-            if (config('database.default') == 'pgsql') {
+            if (config('database.default') === 'pgsql') {
                 $compressed_output = $this->testOutput;
             } else {
                 $compressed_output = base64_decode($this->testOutput);
@@ -162,40 +158,41 @@ public function compressOutput()
     /**
      * Record this test in the database.
      **/
-    public function create(Build $build)
+    public function create(Build $build): void
     {
         // Raw SQL makes this a bit faster than TestOutput:firstOrCreate.
-        $test_exists_results = \DB::select(
+        $test_exists_results = DB::select(
             'SELECT id FROM test WHERE projectid=? AND name=?',
             [$this->projectid, $this->testName]);
         if ($test_exists_results) {
             $testid = $test_exists_results[0]->id;
         } else {
-            \DB::insert('INSERT INTO test (projectid, name) VALUES (:projectid, :name)',
-                [':projectid' => $this->projectid,
-                 ':name'      => $this->testName]);
-            $testid = \DB::getPdo()->lastInsertId();
+            DB::insert('INSERT INTO test (projectid, name) VALUES (:projectid, :name)', [
+                ':projectid' => $this->projectid,
+                ':name'      => $this->testName
+            ]);
+            $testid = DB::getPdo()->lastInsertId();
         }
 
         // testoutput
         $crc32 = $this->computeCrc32();
         // As above, raw SQL for performance improvement.
-        $output_exists_results = \DB::select(
+        $output_exists_results = DB::select(
             'SELECT id FROM testoutput WHERE crc32=? AND testid=?',
             [$crc32, $testid]);
         if ($output_exists_results) {
             $outputid = $output_exists_results[0]->id;
         } else {
             $this->compressOutput();
-            \DB::insert(
+            DB::insert(
                 'INSERT INTO testoutput (testid, path, command, output, crc32)
                 VALUES (:testid, :path, :command, :output, :crc32)',
                 [':testid'  => $testid,
                  ':path'    => $this->testPath,
                  ':command' => $this->testCommand,
                  ':output'  => $this->testOutput,
                  ':crc32'   => $crc32]);
-            $outputid = \DB::getPdo()->lastInsertId();
+            $outputid = DB::getPdo()->lastInsertId();
 
             // testmeasurement
             foreach ($this->measurements as $measurement) {

app/cdash/app/Model/Image.php

@@ -37,7 +37,7 @@ public function __construct()
         $this->PDO = Database::getInstance();
     }
 
-    private function GetData()
+    private function GetData(): void
     {
         if (strlen($this->Filename) > 0) {
             $h = fopen($this->Filename, 'rb');
@@ -48,7 +48,7 @@ private function GetData()
     }
 
     /** Check if exists */
-    public function Exists()
+    public function Exists(): bool
     {
         $db = Database::getInstance();
         // If no id specify return false
@@ -71,7 +71,7 @@ public function Exists()
     }
 
     /** Save the image */
-    public function Save($update=false)
+    public function Save($update=false): bool
     {
         // Get the data from the file if necessary
         $this->GetData();
@@ -115,7 +115,7 @@ public function Save($update=false)
     }
 
     /** Load the image from the database. */
-    public function Load()
+    public function Load(): bool
     {
         $stmt = $this->PDO->prepare('SELECT * FROM image WHERE id=?');
         $this->PDO->execute($stmt, [$this->Id]);

app/cdash/tests/CMakeLists.txt

@@ -137,6 +137,7 @@ add_php_test(committerinfo)
 add_php_test(dailyupdatefile)
 add_php_test(edituser)
 add_php_test(image)
+add_php_test(displayimage)
 add_php_test(import)
 add_php_test(importbackup)
 add_php_test(importbuilds)