[mri_violations] Bring back clickable images #2843
It looks as safe as the dicom processing code but, just to be safe, maybe
"use strict";
compile using npm run compile
make sure your npm folder is up-to-date
missing a case
modules/brainbrowser/ajax/minc.php
    $query = "select MincFile from mri_violations_log where LogID = :LogID";
} elseif ($l == 3) {
    $query = "select MincFile from MRICandidateErrors where ID = :LogID";
}
There should be an else here which aborts with a bad request error in an unhandled case, otherwise if a user provides bad input with url hacking it's still going to get down to the passthru case, which will result in spawning a completely unnecessary process.
There won't be any user input making it to the shell, so it couldn't be used as a remote code exploit, but it could probably be used as part of a denial of service attack.
(Unrelatedly, stylistically I think this code would be a little cleaner with a switch statement than an if/elseif chain, and the SQL keywords should be capitalized.)
@driusan @jstirling91 Please take a look and confirm your comments were addressed.
modules/brainbrowser/ajax/minc.php
$minc_file = $DB->pselectOne(
    $query,
    array(
        'MincID' => escapeshellcmd($_REQUEST['minc_id']),
I don't see what's gained by calling escapeshellcmd here. It's being passed to a prepared statement binding, not being passed to a shell.
modules/brainbrowser/ajax/minc.php
$minc_file = $DB->pselectOne($query, array('MincID' => $_REQUEST['minc_id']));
$minc_file = getMincLocation() . $minc_file;
if (strpos(escapeshellcmd($_REQUEST['minc_id']), 'l') !== false) {
    list($l, $id) = explode('l', escapeshellcmd($_REQUEST['minc_id']));
Why are these being shell escaped here? It's not being passed to a shell or used as a command. This should be done right before the passthru command, not everywhere that the minc_id is used.
If you really want to check if the user was trying to inject something and abort early, you could probably do something like if (escapeshellcmd(x) !== x) { print error and exit}
(note: I haven't tried that, but it should work.)
There's also this warning from the escapeshellcmd documentation that should be taken into account:
Warning escapeshellcmd() should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments. For escaping a single argument escapeshellarg() should be used instead.
(http://php.net/manual/en/function.escapeshellcmd.php)
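The following is an added example, not code from this pull request or from LORIS. It sketches the minc_id handling that the two review comments above ask for: validate the parameter once, answer an unhandled log type with a 400 instead of letting it fall through to passthru(), bind the id to the prepared statement without any shell escaping, and escape exactly once at the shell boundary with escapeshellarg(). Assumed and not shown on this page: `$DB` is an initialised handle whose `pselectOne($query, $params)` returns one column value or null, `getMincLocation()` returns the MINC root directory with a trailing slash, and the external tool run on the file is named `mincinfo`. The table and column names and the "<log>l<id>" format are taken from the snippets in this thread; only the log types visible there (none, 2 and 3) are mapped, and the LORIS bootstrap that defines `$DB` and `getMincLocation()` is left out.

```php
<?php
// Added example, not LORIS code. Validate minc_id once, reject unknown log
// types with 400 before any query or process, escape only at the shell.
// Assumptions (not on the page): $DB->pselectOne($query, $params) returns
// one column value or null; getMincLocation() ends with a slash; the tool
// is `mincinfo`. Only the log types seen in the thread are mapped.
declare(strict_types=1);

function abort(int $code, string $reason): void
{
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Error {$code}: {$reason}\n";
    exit(1);
}

// Maps a raw minc_id to [query, id]. Returns null for anything that is not
// "<digit>l<digits>" or plain "<digits>", and for a digit with no query:
// that null is the missing "else" branch, handled once by the caller.
function resolveMincQuery(string $raw): ?array
{
    if (!preg_match('/^(?:(?<log>[0-9])l)?(?<id>[0-9]{1,18})$/', $raw, $m)) {
        return null;
    }
    // $m['log'] is '' when the optional "<digit>l" prefix is absent.
    $queries = [
        ''  => "SELECT File FROM files WHERE FileID = :LogID",
        '2' => "SELECT MincFile FROM mri_violations_log WHERE LogID = :LogID",
        '3' => "SELECT MincFile FROM MRICandidateErrors WHERE ID = :LogID",
    ];
    if (!array_key_exists($m['log'], $queries)) {
        return null;
    }
    return [$queries[$m['log']], (int) $m['id']];
}

// The only place the value meets a shell: one argument, quoted as a whole.
function buildCommand(string $path): string
{
    return 'mincinfo ' . escapeshellarg($path);  // tool name is an assumption
}

if (PHP_SAPI !== 'cli') {
    $raw = $_REQUEST['minc_id'] ?? '';
    $resolved = is_string($raw) ? resolveMincQuery($raw) : null;
    if ($resolved === null) {
        abort(400, 'minc_id must be <log>l<id> or <id> with a known log type');
    }
    [$query, $id] = $resolved;
    // Bound parameter, not shell input: no escapeshellcmd() here.
    $mincFile = $DB->pselectOne($query, ['LogID' => $id]);
    if (!is_string($mincFile) || $mincFile === '') {
        abort(404, 'no file recorded for that id');
    }
    $path = getMincLocation() . $mincFile;
    if (!is_file($path)) {
        abort(404, 'recorded file is not on disk');
    }
    header('Content-Type: text/plain; charset=utf-8');
    passthru(buildCommand($path));
    exit(0);
}

// Command-line run: constructed ids, showing which ones resolve and what the
// two escapers make of the raw string when applied to it directly.
foreach (['17', '2l17', '3l17', '9l17', '1l2l3', '17; id', '17 --help'] as $sample) {
    printf(
        "%-12s resolve=%-6s escapeshellcmd=%-14s escapeshellarg=%s\n",
        var_export($sample, true),
        resolveMincQuery($sample) === null ? 'reject' : 'ok',
        escapeshellcmd($sample),
        escapeshellarg($sample)
    );
}
```

Run from the command line it prints only the demo table; under a web SAPI it handles the request. The table makes the php.net warning quoted above concrete: escapeshellcmd() backslash-escapes shell metacharacters such as `;` but leaves spaces untouched, so a value like `17 --help` would still reach the tool as two arguments, whereas escapeshellarg() quotes the whole value as a single argument. Because resolveMincQuery() only admits digits and the separator, neither escaper ever sees a hostile id in the web path; the escaping at buildCommand() protects the file path that came out of the database.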
Moving to needs testing
Looks good from a security perspective! Added a couple of refactoring notes.
modules/brainbrowser/ajax/minc.php
$query = "select File from files where FileID = :MincID";
$minc_file = $DB->pselectOne($query, array('MincID' => $_REQUEST['minc_id']));
$minc_file = getMincLocation() . $minc_file;
if (strpos($_REQUEST['minc_id'], 'l') !== false) {
I'm not sure that this will work as intended. If you look here, !== will always return true when compared with numeric values. I tried it on the command line with -1, 0, and 1 and this was the case.
As strpos always returns a number, this condition will always be true.
@johnsaigle, it's the small case letter "L" being checked here. So it's not a number. ;-)
But strpos still returns a number regardless of what you check, right? 😅
Note that the use of !== false is deliberate; strpos returns either the offset at which the needle string begins in the haystack string, or the boolean false if the needle isn't found. Since 0 is a valid offset and 0 is "falsey", we can't use simpler constructs like !strpos($a, 'are').
Oh I'm sorry about that. I thought strpos returned a -1 on failure, not false. Bizarre behaviour...
The PHP standard functions are relatively consistent (relative to the rest of PHP) in returning false if a needle isn't found.
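The following is an added example, not code from this pull request or from LORIS, illustrating the strpos() behaviour discussed in the comments above: the function returns the integer offset of the needle, which can legitimately be 0, or boolean false when the needle is absent, so only a strict `!== false` comparison is safe. The "<log>l<id>" minc_id format and the lowercase-L separator are taken from the snippets in this thread; the sample inputs are constructed.

```php
<?php
// Added example, not LORIS code: strpos() returns an int offset (possibly 0)
// or bool false, so a loose truthiness test misreads offset 0 as "absent".
declare(strict_types=1);

// Loose form: offset 0 is falsy, so a separator at the very start is lost.
function hasSeparatorLoose(string $mincId): bool
{
    return (bool) strpos($mincId, 'l');
}

// Strict form: the only non-integer strpos() can return is false.
function hasSeparatorStrict(string $mincId): bool
{
    return strpos($mincId, 'l') !== false;
}

// Splits on the first 'l' only. A second 'l' stays in the id part, where a
// later digits-only check can reject it, instead of list()/explode()
// silently keeping the first two pieces and discarding the rest.
function splitMincId(string $mincId): ?array
{
    $pos = strpos($mincId, 'l');
    if ($pos === false) {
        return null;
    }
    return [substr($mincId, 0, $pos), substr($mincId, $pos + 1)];
}

// Constructed inputs: separator in the middle, absent, at offset 0, twice.
foreach (['2l17', '17', 'l17', '2l1l7'] as $sample) {
    printf(
        "%-6s strpos=%-6s loose=%-6s strict=%-6s split=%s\n",
        $sample,
        var_export(strpos($sample, 'l'), true),
        var_export(hasSeparatorLoose($sample), true),
        var_export(hasSeparatorStrict($sample), true),
        json_encode(splitMincId($sample))
    );
}
```

The `l17` row is the one that separates the two checks: strpos() reports offset 0 there, `(bool)` turns that into false, and the loose form reports no separator although one is present, while the strict form is right for all four inputs. The `2l1l7` row shows why splitting on the first separator and validating the remainder is preferable to `list($l, $id) = explode('l', ...)`, which would assign `2` and `1` and drop the trailing `7` without any error.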
modules/brainbrowser/ajax/minc.php
$header = $_REQUEST['minc_headers'];
$header_data = $_REQUEST['raw_data'];
if (strpos($minc_file, 'assembly') !== false) {
See comment above. I believe this will always return true.
Resolved above.
modules/brainbrowser/ajax/minc.php
if (strpos($minc_file, 'assembly') === 0) {
    $minc_file = getMincLocation() . $minc_file;
} else {
    $minc_file = $minc_file;
This is tautological.
Maybe refactor this section like the following...
if (strpos($minc_file, 'assembly') === 0) {
    $minc_file = getMincLocation() . $minc_file;
} else if (strpos($minc_file, 'assembly') === false) {
    $minc_file = getMincLocation() . "trashbin/" . $minc_file;
}
...and remove line 48 also.
This refers to line 52.. sorry I think I messed up the formatting
I still think this should be changed but I won't block the PR just for this. Going to approve changes. 👍
Once this #2861 gets merged, I'll rebase this one.
0eb7e21 to 9c3c013
@gluneau @jstirling91 This is still tagged as "Blocked". The only reason I can see is the above comment, and the PR that it references looks like it's been merged. Does this still need to be rebased and can the tag be removed?
d28dc24 to 072916e
works well!
Being able to review mri violations visually is essential to the review process.