fix: [security] Sharing group misassociation on sync
- when an object has a sharing group associated on an event edit, the sharing group object is ignored and instead the passed local ID is reused
- as reported by Jeroen Pinoy
iglocska committed Apr 8, 2021
1 parent 46a3772 commit a0f0850
Showing 1 changed file with 26 additions and 1 deletion.
27 changes: 26 additions & 1 deletion app/Model/MispObject.php
Expand Up @@ -964,6 +964,31 @@ public function captureObject($object, $eventId, $user, $log = false, $unpublish
public function editObject($object, $eventId, $user, $log, $force = false, &$nothingToChange = false)
{
$object['event_id'] = $eventId;
if (isset($object['distribution']) && $object['distribution'] == 4) {
if (!empty($object['SharingGroup'])) {
$object['sharing_group_id'] = $this->SharingGroup->captureSG($object['SharingGroup'], $user);
} elseif (!empty($object['sharing_group_id'])) {
if (!$this->SharingGroup->checkIfAuthorised($user, $object['sharing_group_id'])) {
unset($object['sharing_group_id']);
}
}
if (empty($object['sharing_group_id'])) {
$object_short = (isset($object['meta-category']) ? $object['meta-category'] : 'N/A') . '/' . (isset($object['name']) ? $object['name'] : 'N/A') . ' ' . (isset($object['uuid']) ? $object['uuid'] : 'N/A');
$this->Log = ClassRegistry::init('Log');
$this->Log->create();
$this->Log->save(array(
'org' => $user['Organisation']['name'],
'model' => 'MispObject',
'model_id' => 0,
'email' => $user['email'],
'action' => 'edit',
'user_id' => $user['id'],
'title' => 'Object dropped due to invalid sharing group for Event ' . $eventId . ' failed: ' . $object_short,
'change' => 'Validation errors: ' . json_encode($this->validationErrors) . ' Full Object: ' . json_encode($object),
));
return 'Invalid sharing group choice.';
}
}
if (isset($object['uuid'])) {
$existingObject = $this->find('first', array(
'recursive' => -1,
Expand All @@ -976,7 +1001,7 @@ public function editObject($object, $eventId, $user, $log, $force = false, &$not
$log->create();
$log->save(array(
'org' => $user['Organisation']['name'],
'model' => 'Object',
'model' => 'MispObject',
'model_id' => 0,
'email' => $user['email'],
'action' => 'edit',
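Review bot: The `'change'` field of the new log entry serializes `$this->validationErrors`, but no validate/save runs on this path before the `return 'Invalid sharing group choice.'`, so the entry reports whatever a previous save left behind (or an empty array) under the label "Validation errors" for what is actually an authorisation failure; drop that part, e.g. `'change' => 'Full Object: ' . json_encode($object),`, or record the rejected `sharing_group_id` before it is unset so the audit trail shows which id was refused. The `'title'` string also reads as two fused messages ("dropped due to invalid sharing group for Event N failed: ..."); `'title' => 'Object dropped due to invalid sharing group for Event ' . $eventId . ': ' . $object_short,` says the same thing cleanly. The new block also creates its own Log via `ClassRegistry::init('Log')` into `$this->Log`, while the existing failure path in the second hunk writes through `$log->create()` / `$log->save(...)`; if `$log` is already an initialised Log instance by that point (not visible here), reusing the same mechanism would keep the two drop paths consistent. editObject's body continues well past both hunks, so the code that actually persists `$object['sharing_group_id']` after this check is outside this view.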
