Merge pull request from GHSA-74vp-ww64-w2gm
Improper access control for controllers
PierreRambaud committed Apr 15, 2020
2 parents f9f442c + c85734f commit 4444fb8
Showing 19 changed files with 117 additions and 28 deletions.
4 changes: 4 additions & 0 deletions controllers/admin/AdminCartRulesController.php
Expand Up @@ -56,6 +56,10 @@ public function __construct()

public function ajaxProcessLoadCartRules()
{
if (!$this->access('view')) {
return die(json_encode(array('error' => 'You do not have the right permission')));
}

$type = $token = $search = '';
$limit = $count = $id_cart_rule = 0;
if (Tools::getIsset('limit')) {
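Review bot: `return die(json_encode(...))` on the new guard line in ajaxProcessLoadCartRules carries an unreachable `return`, since `die` terminates the script; the same form is used in the three AdminStatsController guards (displayAjaxGetKpi, displayAjaxGraphDraw, displayAjaxGraphGrid). The refusal is also sent with the default 200 status, so an ajax caller can only tell it apart from a successful load by parsing the body. Setting the status before exiting makes the denial explicit and drops the dead keyword: `http_response_code(403);` followed by `die(json_encode(array('error' => 'You do not have the right permission')));`. The body of ajaxProcessLoadCartRules continues past the end of the hunk.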
12 changes: 12 additions & 0 deletions controllers/admin/AdminStatsController.php
Expand Up @@ -629,6 +629,10 @@ public static function getExpenses($date_from, $date_to, $granularity = false)

public function displayAjaxGetKpi()
{
if (!$this->access('view')) {
return die(json_encode(array('error' => 'You do not have the right permission')));
}

$currency = new Currency(Configuration::get('PS_CURRENCY_DEFAULT'));
$tooltip = null;
switch (Tools::getValue('kpi')) {
Expand Down Expand Up @@ -1039,6 +1043,10 @@ public function displayAjaxGetKpi()
*/
public function displayAjaxGraphDraw()
{
if (!$this->access('view')) {
return die(json_encode(array('error' => 'You do not have the right permission')));
}

$module = Tools::getValue('module');
$render = Tools::getValue('render');
$type = Tools::getValue('type');
Expand Down Expand Up @@ -1071,6 +1079,10 @@ public function displayAjaxGraphDraw()
*/
public function displayAjaxGraphGrid()
{
if (!$this->access('view')) {
return die(json_encode(array('error' => 'You do not have the right permission')));
}

$module = Tools::getValue('module');
$render = Tools::getValue('render');
$type = Tools::getValue('type');
24 changes: 24 additions & 0 deletions controllers/admin/AdminStatusesController.php
Expand Up @@ -540,6 +540,10 @@ public function postProcess()
}

if (Tools::isSubmit('submitAddorder_return_state')) {
if (!$this->access('add')) {
return;
}

$id_order_return_state = Tools::getValue('id_order_return_state');

// Create Object OrderReturnState
Expand All @@ -560,13 +564,21 @@ public function postProcess()
}

if (Tools::isSubmit('submitBulkdeleteorder_return_state')) {
if (!$this->access('delete')) {
return;
}

$this->className = 'OrderReturnState';
$this->table = 'order_return_state';
$this->boxes = Tools::getValue('order_return_stateBox');
parent::processBulkDelete();
}

if (Tools::isSubmit('deleteorder_return_state')) {
if (!$this->access('delete')) {
return;
}

$id_order_return_state = Tools::getValue('id_order_return_state');

// Create Object OrderReturnState
Expand All @@ -580,6 +592,10 @@ public function postProcess()
}

if (Tools::isSubmit('submitAdd' . $this->table)) {
if (!$this->access('add')) {
return;
}

$this->deleted = false; // Disabling saving historisation
$_POST['invoice'] = (int) Tools::getValue('invoice_on');
$_POST['logable'] = (int) Tools::getValue('logable_on');
Expand All @@ -598,13 +614,21 @@ public function postProcess()

return parent::postProcess();
} elseif (Tools::isSubmit('delete' . $this->table)) {
if (!$this->access('delete')) {
return;
}

$order_state = new OrderState(Tools::getValue('id_order_state'), $this->context->language->id);
if (!$order_state->isRemovable()) {
$this->errors[] = $this->trans('For security reasons, you cannot delete default order statuses.', array(), 'Admin.Shopparameters.Notification');
} else {
return parent::postProcess();
}
} elseif (Tools::isSubmit('submitBulkdelete' . $this->table)) {
if (!$this->access('delete')) {
return;
}

foreach (Tools::getValue($this->table . 'Box') as $selection) {
$order_state = new OrderState((int) $selection, $this->context->language->id);
if (!$order_state->isRemovable()) {
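Review bot: The new `if (!$this->access('add')) { return; }` and the matching `delete` guards in postProcess silently abandon the request, so an employee without the permission gets a page with no error instead of the usual admin notification. The surrounding code already reports refusals through `$this->errors[]` (see the isRemovable branch in the same hunk), so pushing a translated message before the `return` — e.g. `$this->errors[] = $this->trans('You do not have permission to delete this.', array(), 'Admin.Notifications.Error');` — would keep the behaviour consistent with the rest of the controller; the exact message and domain should be checked against the translation catalogue. The guards only cover the submit branches visible here, and postProcess both starts and ends outside the hunks, so branches above line 540 or below the last hunk should be checked for the same gap.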
10 changes: 5 additions & 5 deletions src/PrestaShopBundle/Controller/Admin/AttributeController.php
Expand Up @@ -39,7 +39,7 @@ class AttributeController extends FrameworkBundleAdminController
/**
* get All Attributes as json.
*
* @AdminSecurity("is_granted(['read'], 'ADMINPRODUCTS_')")
* @AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")
*
* @return JsonResponse
*/
Expand Down Expand Up @@ -82,7 +82,7 @@ public function getAllAttributesAction()
/**
* Attributes generator.
*
* @AdminSecurity("is_granted(['create', 'update'], 'ADMINPRODUCTS_')")
* @AdminSecurity("is_granted(['create', 'update'], request.get('_legacy_controller'))")
*
* @param Request $request The request
*
Expand Down Expand Up @@ -200,7 +200,7 @@ public function ensureProductHasDefaultCombination(Product $product, array $comb
/**
* Delete a product attribute.
*
* @AdminSecurity("is_granted(['delete'], 'ADMINPRODUCTS_')")
* @AdminSecurity("is_granted(['delete'], request.get('_legacy_controller'))")
*
* @param int $idProduct The product ID
* @param Request $request The request
Expand Down Expand Up @@ -237,7 +237,7 @@ public function deleteAttributeAction($idProduct, Request $request)
/**
* Delete all product attributes.
*
* @AdminSecurity("is_granted(['delete'], 'ADMINPRODUCTS_')")
* @AdminSecurity("is_granted(['delete'], request.get('_legacy_controller'))")
*
* @param int $idProduct The product ID
* @param Request $request The request
Expand Down Expand Up @@ -277,7 +277,7 @@ public function deleteAllAttributeAction($idProduct, Request $request)
/**
* get the images form for a product combinations.
*
* @AdminSecurity("is_granted(['read'], 'ADMINPRODUCTS_')")
* @AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")
*
* @param int $idProduct The product id
* @param Request $request The request
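Review bot: Each `@AdminSecurity` annotation in this file now takes its subject from `request.get('_legacy_controller')`, so the check is only as strong as the route configuration: a route that does not set the `_legacy_controller` default hands `null` to the voter, and the outcome then depends on how PageVoter treats a null subject. The attribute routing change in this commit adds `_legacy_controller: AdminProducts` to five routes, which matches the five annotated actions here, but nothing in the controller records that coupling. A short line in each docblock, e.g. `* The granted subject comes from the route's _legacy_controller default (AdminProducts).`, would make the dependency visible to whoever adds the next route; the same applies to the annotations added in I18nController, StockMovementController and TranslationController. Every annotated action's body lies outside the hunks shown.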
Expand Up @@ -256,7 +256,7 @@ public function getAvailableEntityFieldsAction(Request $request)
/**
* Process the import.
*
* @AdminSecurity("is_granted(['read','update', 'create','delete'], request.get('_legacy_controller'))", redirectRoute="admin_import")
* @AdminSecurity("is_granted(['update', 'create', 'delete'], request.get('_legacy_controller'))", redirectRoute="admin_import")
* @DemoRestricted(redirectRoute="admin_import")
*
* @param Request $request
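Review bot: Dropping `'read'` from the attribute list on the import action tightens the check only under the reading that `is_granted` with a list grants as soon as any one attribute is granted (the semantics of Symfony's base Voter, if PageVoter follows it); with that reading a read-only employee can no longer submit the form, but an employee holding only `delete` on the page still can. If "any write permission" is the intended rule, a one-line docblock comment saying so would stop the next reader from assuming all three are required, e.g. `* Any of update/create/delete on the page is sufficient to run the import.`. The same applies to the following four hunks (the performance, customer preferences, geolocation and localization form handlers), whose file headers are missing from the page; each annotated action begins after its hunk ends.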
Expand Up @@ -80,7 +80,7 @@ public function indexAction(FormInterface $form = null)
/**
* Process the Performance configuration form.
*
* @AdminSecurity("is_granted(['read','update', 'create','delete'], request.get('_legacy_controller'))", message="You do not have permission to update this.")
* @AdminSecurity("is_granted(['update', 'create', 'delete'], request.get('_legacy_controller'))", message="You do not have permission to update this.")
* @DemoRestricted(redirectRoute="admin_performance")
*
* @param Request $request
Expand Up @@ -66,7 +66,7 @@ public function indexAction(Request $request)
/**
* Process the Customer Preferences configuration form.
*
* @AdminSecurity("is_granted(['read','update', 'create','delete'], request.get('_legacy_controller'))", message="You do not have permission to update this.", redirectRoute="admin_customer_preferences")
* @AdminSecurity("is_granted(['update', 'create','delete'], request.get('_legacy_controller'))", message="You do not have permission to update this.", redirectRoute="admin_customer_preferences")
* @DemoRestricted(redirectRoute="admin_customer_preferences")
*
* @param Request $request
Expand Up @@ -68,7 +68,7 @@ public function indexAction(Request $request)
* Process geolocation configuration form.
*
* @AdminSecurity(
* "is_granted(['read', 'update', 'create', 'delete'], request.get('_legacy_controller'))",
* "is_granted(['update', 'create', 'delete'], request.get('_legacy_controller'))",
* message="You do not have permission to edit this.",
* redirectRoute="admin_geolocation"
* )
Expand Up @@ -75,7 +75,7 @@ public function indexAction(Request $request)
/**
* Save localization settings.
*
* @AdminSecurity("is_granted(['read','update', 'create','delete'], request.get('_legacy_controller'))", message="You do not have permission to edit this.")
* @AdminSecurity("is_granted(['update', 'create', 'delete'], request.get('_legacy_controller'))", message="You do not have permission to edit this.")
* @DemoRestricted(redirectRoute="admin_localization_index")
*
* @param Request $request
4 changes: 4 additions & 0 deletions src/PrestaShopBundle/Controller/Admin/ProductController.php
Expand Up @@ -262,6 +262,10 @@ public function listAction(
$sortOrder = 'asc',
$view = 'full'
) {
if (!$this->isGranted(array(PageVoter::READ), self::PRODUCT_OBJECT)) {
return $this->redirect('admin_dashboard');
}

/** @var $productProvider ProductInterfaceProvider */
$productProvider = $this->get('prestashop.core.admin.data_provider.product_interface');
$adminProductWrapper = $this->get('prestashop.adapter.admin.wrapper.product');
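Review bot: The new guard in listAction returns `$this->redirect('admin_dashboard')`, but Symfony's `redirect()` takes a URL, not a route name, so unless FrameworkBundleAdminController overrides it the response is a relative `Location: admin_dashboard` that will not resolve; the route-name form is `return $this->redirectToRoute('admin_dashboard');`. A denied read on the product list also leaves no trace for the employee (no flash message, no 403), which is worth a comment if the silent redirect is intentional. listAction's signature begins before the hunk and its body continues after it.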
3 changes: 3 additions & 0 deletions src/PrestaShopBundle/Controller/Api/I18nController.php
Expand Up @@ -27,6 +27,7 @@
namespace PrestaShopBundle\Controller\Api;

use Exception;
use PrestaShopBundle\Security\Annotation\AdminSecurity;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
Expand All @@ -36,6 +37,8 @@ class I18nController extends ApiController
/**
* Show translation for page-app build with vue-js.
*
* @AdminSecurity("is_granted('read', request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
9 changes: 9 additions & 0 deletions src/PrestaShopBundle/Controller/Api/StockController.php
Expand Up @@ -34,6 +34,7 @@
use PrestaShopBundle\Entity\Repository\StockRepository;
use PrestaShopBundle\Exception\InvalidPaginationParamsException;
use PrestaShopBundle\Exception\ProductNotFoundException;
use PrestaShopBundle\Security\Annotation\AdminSecurity;
use PrestaShopBundle\Security\Voter\PageVoter;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
Expand Down Expand Up @@ -64,6 +65,10 @@ class StockController extends ApiController
*/
public function listProductsAction(Request $request)
{
if (!$this->isGranted([PageVoter::READ], $request->get('_legacy_controller'))) {
return new JsonResponse(null, Response::HTTP_FORBIDDEN);
}

try {
$queryParamsCollection = $this->queryParams->fromRequest($request);
} catch (InvalidPaginationParamsException $exception) {
Expand Down Expand Up @@ -150,6 +155,10 @@ public function bulkEditProductsAction(Request $request)
*/
public function listProductsExportAction(Request $request)
{
if (!$this->isGranted([PageVoter::READ], $request->get('_legacy_controller'))) {
return new JsonResponse(null, Response::HTTP_FORBIDDEN);
}

try {
$queryParamsCollection = $this->queryParams->fromRequest($request);
} catch (InvalidPaginationParamsException $exception) {
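Review bot: The added `use PrestaShopBundle\Security\Annotation\AdminSecurity;` is not used by anything visible in this file — the diffstat's 9 additions are accounted for by the import plus the two 4-line `isGranted` guards — so it should be dropped, or the guards replaced with the annotation form the sibling controllers use. The guards reference `Response::HTTP_FORBIDDEN`, and the visible import list ends at `Request` where the hunk is cut, so confirm `Symfony\Component\HttpFoundation\Response` is imported; otherwise the name resolves in the controller's namespace and fails at runtime. Since this file's additions are fully accounted for, it is also worth confirming that the write action whose tail is visible at the second hunk header (`bulkEditProductsAction`) already carries an equivalent check elsewhere. Both guarded actions continue past their hunks.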
Expand Up @@ -29,6 +29,7 @@
use PrestaShopBundle\Api\QueryStockMovementParamsCollection;
use PrestaShopBundle\Entity\Repository\StockMovementRepository;
use PrestaShopBundle\Exception\InvalidPaginationParamsException;
use PrestaShopBundle\Security\Annotation\AdminSecurity;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
Expand All @@ -46,6 +47,8 @@ class StockMovementController extends ApiController
public $queryParams;

/**
* @AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
Expand All @@ -65,6 +68,8 @@ public function listMovementsAction(Request $request)
}

/**
* @AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
Expand All @@ -75,6 +80,8 @@ public function listMovementsEmployeesAction(Request $request)
}

/**
* @AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
9 changes: 9 additions & 0 deletions src/PrestaShopBundle/Controller/Api/TranslationController.php
Expand Up @@ -29,6 +29,7 @@
use Exception;
use PrestaShopBundle\Api\QueryTranslationParamsCollection;
use PrestaShopBundle\Exception\InvalidLanguageException;
use PrestaShopBundle\Security\Annotation\AdminSecurity;
use PrestaShopBundle\Service\TranslationService;
use PrestaShopBundle\Translation\View\TreeBuilder;
use Symfony\Component\HttpFoundation\JsonResponse;
Expand All @@ -51,6 +52,8 @@ class TranslationController extends ApiController
/**
* Show translations for 1 domain & 1 locale given & 1 theme given (optional).
*
* @AdminSecurity("is_granted('read', request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
Expand Down Expand Up @@ -115,6 +118,8 @@ public function listDomainTranslationAction(Request $request)
/**
* Show tree for translation page with some params.
*
* @AdminSecurity("is_granted('read', request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
Expand Down Expand Up @@ -166,6 +171,8 @@ public function listTreeAction(Request $request)
/**
* Route to edit translation.
*
* @AdminSecurity("is_granted(['create', 'update'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
Expand Down Expand Up @@ -211,6 +218,8 @@ public function translationEditAction(Request $request)
/**
* Route to reset translation.
*
* @AdminSecurity("is_granted(['create', 'update'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
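Review bot: The four annotations added in TranslationController mix the scalar and list forms of the first `is_granted` argument — `'read'` on the two list actions but `['create', 'update']` on the edit and reset actions — while StockMovementController uses `['read']` throughout. The commit itself relies on both forms being accepted, but using the list form everywhere, e.g. `@AdminSecurity("is_granted(['read'], request.get('_legacy_controller'))")`, keeps the annotations greppable and consistent across the commit. Each annotated action's body lies outside the hunks shown here.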
Expand Up @@ -4,24 +4,28 @@ admin_attribute_get_all:
defaults:
_controller: PrestaShopBundle:Admin/Attribute:getAllAttributes
_format: json
_legacy_controller: AdminProducts

admin_attribute_generator:
path: /generator
methods: [POST]
defaults:
_controller: PrestaShopBundle:Admin/Attribute:attributesGenerator
_legacy_controller: AdminProducts

admin_delete_attribute:
path: /{idProduct}
methods: [DELETE]
defaults:
_controller: PrestaShopBundle:Admin/Attribute:deleteAttribute
_legacy_controller: AdminProducts

admin_delete_all_attributes:
path: /delete-all/{idProduct}
methods: [GET]
defaults:
_controller: PrestaShopBundle:Admin/Attribute:deleteAllAttribute
_legacy_controller: AdminProducts
idProduct: 0
requirements:
idProduct: \d+
Expand All @@ -32,6 +36,7 @@ admin_get_form_images_combination:
defaults:
_controller: PrestaShopBundle:Admin/Attribute:getFormImages
_format: json
_legacy_controller: AdminProducts
idProduct: 0
requirements:
idProduct: \d+
1 change: 1 addition & 0 deletions src/PrestaShopBundle/Resources/config/routing/api/i18n.yml
Expand Up @@ -3,5 +3,6 @@ api_i18n_translations_list:
methods: [GET]
defaults:
_controller: prestashop.core.api.i18n.controller:listTranslationAction
_legacy_controller: AdminTranslations
requirements:
page: \w+

