fix(security): sanitize host_id and service_id (#7862)

* fix(security): sanitize host_id and service_id * fix(acl): add acl before to display result * fix(php): improve code
centreon · Sep 30, 2019 · 6029ba3 · 6029ba3
1 parent 1a74152
commit 6029ba3
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 4 deletions.
diff --git a/www/include/monitoring/status/Services/xml/makeXMLForOneHost.php b/www/include/monitoring/status/Services/xml/makeXMLForOneHost.php
@@ -40,6 +40,7 @@
 require_once realpath(__DIR__ . "/../../../../../../bootstrap.php");
 
 include_once $centreon_path . "www/class/centreonUtils.class.php";
+include_once $centreon_path . "www/class/centreonACL.class.php";
 
 /**
  * Include Monitoring Classes
@@ -65,7 +66,7 @@
 if (isset($obj->session_id) && CentreonSession::checkSession($obj->session_id, $obj->DB)) {
     ;
 } else {
-    print "Bad Session ID";
+    print _("Bad Session ID");
     exit();
 }
 
@@ -83,6 +84,27 @@
 $disable = $obj->checkArgument("disable", $_GET, "disable");
 $dateFormat = $obj->checkArgument("date_time_format_status", $_GET, "Y/m/d H:i:s");
 
+$host_id = filter_var(
+    $host_id ?? null,
+    FILTER_VALIDATE_INT
+);
+
+if ($host_id === false) {
+    print _("Bad host ID");
+    exit();
+}
+
+// Check ACL if user is not admin
+$isAdmin = $centreon->user->admin;
+if (!$isAdmin) {
+    $userId = $centreon->user->user_id;
+    $acl = new CentreonACL($userId, $isAdmin);
+    if (!$acl->checkHost($host_id)) {
+        print _("You don't have access to this resource");
+        exit();
+    }
+}
+
 /** ***************************************************
  * Get Host status
  */

diff --git a/www/include/monitoring/status/Services/xml/makeXMLForOneService.php b/www/include/monitoring/status/Services/xml/makeXMLForOneService.php
@@ -40,6 +40,7 @@
 require_once realpath(__DIR__ . "/../../../../../../bootstrap.php");
 
 include_once $centreon_path . "www/class/centreonUtils.class.php";
+include_once $centreon_path . "www/class/centreonACL.class.php";
 
 /**
  * Include Monitoring Classes
@@ -65,7 +66,7 @@
 if (isset($obj->session_id) && CentreonSession::checkSession($obj->session_id, $obj->DB)) {
     ;
 } else {
-    print "Bad Session ID";
+    print _("Bad Session ID");
     exit();
 }
 
@@ -84,8 +85,31 @@
 $dateFormat = $obj->checkArgument("date_time_format_status", $_GET, "Y/m/d H:i:s");
 
 $tab = preg_split('/\_/', $svc_id);
-$host_id = $tab[0];
-$service_id = $tab[1];
+$host_id = filter_var(
+    $tab[0] ?? null,
+    FILTER_VALIDATE_INT
+);
+
+$service_id = filter_var(
+    $tab[1] ?? null,
+    FILTER_VALIDATE_INT
+);
+
+if ($host_id === false || $service_id === false) {
+    print _("Bad service ID");
+    exit();
+}
+
+// Get Check if user is not admin
+$isAdmin = $centreon->user->admin;
+if (!$isAdmin) {
+    $userId = $centreon->user->user_id;
+    $acl = new CentreonACL($userId, $isAdmin);
+    if (!$acl->checkService($service_id)) {
+        print _("You don't have access to this resource");
+        exit();
+    }
+}
 
 /** **************************************************
  * Get Service status