
mvc - replace Phalcon\Filter classes for simple SanitizeFilter wrappe…
…r implementing the filters we actually use.

for #6389
AdSchellevis committed May 1, 2024
1 parent 0dc6089 commit f7999a7
Showing 10 changed files with 136 additions and 105 deletions.
1 change: 1 addition & 0 deletions plist
Expand Up @@ -513,6 +513,7 @@
/usr/local/opnsense/mvc/app/library/OPNsense/Core/File.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/Routing.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/SanitizeFilter.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/Shell.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/Singleton.php
/usr/local/opnsense/mvc/app/library/OPNsense/Core/Syslog.php
Expand Up @@ -35,7 +35,6 @@
use OPNsense\CaptivePortal\CaptivePortal;
use OPNsense\Core\Config;
use OPNsense\Base\UIModelGrid;
use Phalcon\Filter\FilterFactory;

/**
* Class ServiceController
Expand Down Expand Up @@ -93,9 +92,8 @@ public function reconfigureAction()
public function getTemplateAction($fileid = null)
{
// get template name
$paramfilter = (new FilterFactory())->newInstance();
if ($fileid != null) {
$templateFileId = $paramfilter->sanitize($fileid, 'alnum');
$templateFileId = (new SanitizeFilter())->sanitize($fileid, 'alnum');
} else {
$templateFileId = 'default';
}
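Review bot: The new call `(new SanitizeFilter())->sanitize($fileid, 'alnum')` uses the class name unqualified, but this section only removes `use Phalcon\Filter\FilterFactory;` and adds no `use OPNsense\Core\SanitizeFilter;` — unless an import already exists above the shown import hunk, the name resolves inside this controller's own namespace and the first request that supplies a fileid fails with a class-not-found error instead of being sanitized. Add `use OPNsense\Core\SanitizeFilter;` to the import block at the top of the file, as the other controllers in this commit do. The enclosing method getTemplateAction continues below the hunk.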
Expand Up @@ -81,6 +81,13 @@ private function getTranslations()
'title' => gettext('Disk usage'),
'used' => gettext('Used'),
'free' => gettext('Free'),
],
'wireguard' => [
'title' => gettext('Wireguard'),
'instance' => gettext('Instance'),
'peer' => gettext('Peer'),
'pubkey' => gettext('Public Key'),
'handshake' => gettext('Latest handshake'),
]
];
}
Expand Up @@ -30,6 +30,7 @@
namespace OPNsense\Core\Api;

use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Core\SanitizeFilter;
use OPNsense\Core\Backend;
use OPNsense\Core\Config;
use OPNsense\Core\Firmware;
Expand Down Expand Up @@ -356,13 +357,7 @@ public function changelogAction($version)
}

$this->sessionClose(); // long running action, close session

$filter = new \Phalcon\Filter\Filter([
'version' => function ($value) {
return preg_replace('/[^0-9a-zA-Z\.]/', '', $value);
}
]);
$version = $filter->sanitize($version, 'version');
$version = (new SanitizeFilter())->sanitize($version, 'version');

$backend = new Backend();
$html = trim($backend->configdRun(sprintf('firmware changelog html %s', $version)));
Expand Down Expand Up @@ -411,12 +406,7 @@ public function licenseAction($package)

if ($this->request->isPost()) {
// sanitize package name
$filter = new \Phalcon\Filter\Filter([
'scrub' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$package = $filter->sanitize($package, 'scrub');
$package = (new SanitizeFilter())->sanitize($package, 'pkgname');
$text = trim($backend->configdRun(sprintf('firmware license %s', $package)));
if (!empty($text)) {
$response['license'] = $text;
Expand Down Expand Up @@ -589,13 +579,7 @@ public function reinstallAction($pkg_name)
sprintf("[Firmware] User %s executed a reinstall of package %s", $this->getUserName(), $pkg_name)
);
$response['status'] = 'ok';
// sanitize package name
$filter = new \Phalcon\Filter\Filter([
'pkgname' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$pkg_name = $filter->sanitize($pkg_name, "pkgname");
$pkg_name = (new SanitizeFilter())->sanitize($pkg_name, "pkgname");
// execute action
$response['msg_uuid'] = trim($backend->configdpRun("firmware reinstall", array($pkg_name), true));
} else {
Expand Down Expand Up @@ -663,13 +647,7 @@ public function installAction($pkg_name)
sprintf("[Firmware] User %s executed an install of package %s", $this->getUserName(), $pkg_name)
);
$response['status'] = 'ok';
// sanitize package name
$filter = new \Phalcon\Filter\Filter([
'pkgname' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$pkg_name = $filter->sanitize($pkg_name, "pkgname");
$pkg_name = (new SanitizeFilter())->sanitize($pkg_name, "pkgname");
// execute action
$response['msg_uuid'] = trim($backend->configdpRun("firmware install", array($pkg_name), true));
} else {
Expand Down Expand Up @@ -697,12 +675,7 @@ public function removeAction($pkg_name)
);
$response['status'] = 'ok';
// sanitize package name
$filter = new \Phalcon\Filter\Filter([
'pkgname' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$pkg_name = $filter->sanitize($pkg_name, "pkgname");
$pkg_name = (new SanitizeFilter())->sanitize($pkg_name, "pkgname");
// execute action
$response['msg_uuid'] = trim($backend->configdpRun("firmware remove", array($pkg_name), true));
} else {
Expand All @@ -728,12 +701,7 @@ public function lockAction($pkg_name)
$this->getLogger('audit')->notice(
sprintf("[Firmware] User %s locked package %s", $this->getUserName(), $pkg_name)
);
$filter = new \Phalcon\Filter\Filter([
'pkgname' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$pkg_name = $filter->sanitize($pkg_name, "pkgname");
$pkg_name = (new SanitizeFilter())->sanitize($pkg_name, "pkgname");
} else {
$pkg_name = null;
}
Expand Down Expand Up @@ -764,12 +732,7 @@ public function unlockAction($pkg_name)
$this->getLogger('audit')->notice(
sprintf("[Firmware] User %s unlocked package %s", $this->getUserName(), $pkg_name)
);
$filter = new \Phalcon\Filter\Filter([
'pkgname' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$pkg_name = $filter->sanitize($pkg_name, "pkgname");
$pkg_name = (new SanitizeFilter())->sanitize($pkg_name, "pkgname");
} else {
$pkg_name = null;
}
Expand Down Expand Up @@ -834,13 +797,7 @@ public function detailsAction($package)
$response = array();

if ($this->request->isPost()) {
// sanitize package name
$filter = new \Phalcon\Filter\Filter([
'scrub' => function ($value) {
return preg_replace('/[^0-9a-zA-Z._-]/', '', $value);
}
]);
$package = $filter->sanitize($package, 'scrub');
$package = (new SanitizeFilter())->sanitize($package, 'scrub');
$text = trim($backend->configdRun(sprintf('firmware details %s', $package)));
if (!empty($text)) {
$response['details'] = $text;
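Review bot: detailsAction still sanitizes with the filter name `'scrub'` in the last hunk, while the parallel licenseAction hunk was switched from `'scrub'` to `'pkgname'`; both values end up in a configd command string via sprintf, so if SanitizeFilter defines no `scrub` filter the result depends on how it treats an unknown name, which is not visible in this diff. Use the same name in both places: `$package = (new SanitizeFilter())->sanitize($package, 'pkgname');`. The removed inline regexes made the surviving character set explicit at each call site (`[0-9a-zA-Z.]` for version, `[0-9a-zA-Z._-]` for package names); since that is now hidden inside SanitizeFilter, a one-line comment such as `// keep only package-name characters (definition lives in SanitizeFilter)` would preserve the intent for readers. Also, the new `use OPNsense\Core\SanitizeFilter;` line in the import hunk sits between Base and Core\Backend, breaking the alphabetical order of the Core imports; move it after Core\Firmware.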
Expand Up @@ -28,10 +28,10 @@

namespace OPNsense\Diagnostics\Api;

use Phalcon\Filter\Filter;
use OPNsense\Base\ApiControllerBase;
use OPNsense\Core\Backend;
use OPNsense\Core\Config;
use OPNsense\Core\SanitizeFilter;

/**
* Class FirewallController
Expand Down Expand Up @@ -159,11 +159,7 @@ public function queryStatesAction()
}
}

$filter = new Filter([
'query' => function ($value) {
return preg_replace("/[^0-9,a-z,A-Z,\: ,\/,*,\-,_,.,\#]/", "", $value);
}
]);
$filter = new SanitizeFilter();
$searchPhrase = '';
$ruleId = '';
$sortBy = '';
Expand Down Expand Up @@ -217,11 +213,7 @@ public function queryPfTopAction()
{
if ($this->request->isPost()) {
$this->sessionClose();
$filter = new Filter([
'query' => function ($value) {
return preg_replace("/[^0-9,a-z,A-Z, ,\/,*,\-,_,.,\#]/", "", $value);
}
]);
$filter = new SanitizeFilter();
$searchPhrase = '';
$ruleId = '';
$sortBy = '';
Expand Down Expand Up @@ -269,11 +261,7 @@ public function queryPfTopAction()
public function delStateAction($stateid, $creatorid)
{
if ($this->request->isPost()) {
$filter = new Filter([
'hexval' => function ($value) {
return preg_replace("/[^0-9,a-f,A-F]/", "", $value);
}
]);
$filter = new SanitizeFilter();
$response = (new Backend())->configdpRun("filter kill state", [
$filter->sanitize($stateid, "hexval"),
$filter->sanitize($creatorid, "hexval")
Expand All @@ -291,14 +279,7 @@ public function delStateAction($stateid, $creatorid)
public function killStatesAction()
{
if ($this->request->isPost()) {
$filter = new Filter([
'query' => function ($value) {
return preg_replace("/[^0-9,a-z,A-Z, ,\/,*,\-,_,.,\#]/", "", $value);
},
'hexval' => function ($value) {
return preg_replace("/[^0-9,a-f,A-F]/", "", $value);
}
]);
$filter = new SanitizeFilter();
$ruleid = null;
$filterString = null;
if (!empty($this->request->getPost('filter'))) {
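Review bot: The removed per-controller `query` regexes were not identical — queryStatesAction's allowed `:` (the `\:` in its old pattern) while queryPfTopAction's and killStatesAction's did not — yet all three now share the single `query` definition in SanitizeFilter, so at least one of them accepts a different character set than before; the same consolidation happens in the diagnostics log controller's __call (its pattern also allowed `:`), IDS ServiceController::queryAlertsAction and IDS SettingsController::searchInstalledRulesAction (neither allowed `:`). The sanitized values are handed to configd as a search expression, so which set the shared filter implements should be checked against the removed patterns before merging. Until that is settled, mark the first use with `// TODO(review): confirm SanitizeFilter 'query' matches the old per-controller character sets (':' differed)`. The `$filter->sanitize(...)` calls that consume these instances are below each hunk, outside the shown lines.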
Expand Up @@ -30,7 +30,8 @@

use OPNsense\Base\ApiControllerBase;
use OPNsense\Core\Backend;
use Phalcon\Filter\Filter;
use OPNsense\Core\SanitizeFilter;


/**
* @inherit
Expand All @@ -45,11 +46,7 @@ public function __call($name, $arguments)
$searchPhrase = '';
$severities = '';
// create filter to sanitize input data
$filter = new Filter([
'query' => function ($value) {
return preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#,\:]/", "", $value);
}
]);
$filter = new SanitizeFilter();

$backend = new Backend();
$this->sessionClose();
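Review bot: The import hunk leaves two consecutive blank lines between `use OPNsense\Core\SanitizeFilter;` and the class docblock where the removed Phalcon line stood; PSR-12 asks for a single blank line after the use block, so drop one of them. The same double blank line appears in the NetworkinsightController import hunk of this commit. The __call body that uses `$filter` continues below the hunk.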
Expand Up @@ -34,7 +34,8 @@
use OPNsense\Diagnostics\Netflow;
use OPNsense\Core\Config;
use OPNsense\Core\Backend;
use Phalcon\Filter\FilterFactory;
use OPNsense\Core\SanitizeFilter;


/**
* Class NetworkinsightController
Expand Down Expand Up @@ -63,7 +64,7 @@ public function timeserieAction(
$emulation = null
) {
// cleanse input
$filter = (new FilterFactory())->newInstance();
$filter = new SanitizeFilter();
$provider = $filter->sanitize($provider, "alnum");
$measure = $filter->sanitize($measure, "string");
$from_date = $filter->sanitize($from_date, "int");
Expand Down Expand Up @@ -150,7 +151,7 @@ public function topAction(
$max_hits = null
) {
// cleanse input
$filter = (new FilterFactory())->newInstance();
$filter = new SanitizeFilter();
$provider = $filter->sanitize($provider, "alnum");
$from_date = $filter->sanitize($from_date, "int");
$to_date = $filter->sanitize($to_date, "int");
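Review bot: timeserieAction and topAction now pass the former Phalcon built-in filter names `alnum`, `string` and `int` to SanitizeFilter, whose definitions are not part of this view; `$from_date`, `$to_date` and `$provider` flow on from here into backend calls, so the replacements should be confirmed to return the same type and to strip or reject inputs such as `12abc` the way the Phalcon sanitizers presumably did. The same dependency exists for `"int"` in IDS ServiceController::getAlertInfoAction and `'alnum'` in the CaptivePortal ServiceController hunk. A note at the first use, `// NOTE(review): 'alnum'/'string'/'int' were Phalcon built-ins; confirm SanitizeFilter reproduces them`, would flag this for the next reader. Both method bodies continue below their hunks.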
Expand Up @@ -33,8 +33,7 @@
use OPNsense\Core\Config;
use OPNsense\Cron\Cron;
use OPNsense\IDS\IDS;
use Phalcon\Filter\Filter;
use Phalcon\Filter\FilterFactory;
use OPNsense\Core\SanitizeFilter;

/**
* Class ServiceController
Expand Down Expand Up @@ -172,19 +171,12 @@ public function queryAlertsAction()
{
if ($this->request->isPost()) {
$this->sessionClose();
// create filter to sanitize input data
$filter = new Filter([
'query' => function ($value) {
return preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value);
}
]);

// fetch query parameters (limit results to prevent out of memory issues)
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
$currentPage = $this->request->getPost('current', 'int', 1);

if ($this->request->getPost('searchPhrase', 'string', '') != "") {
$filterTag = $filter->sanitize($this->request->getPost('searchPhrase'), "query");
$filterTag = (new SanitizeFilter())->sanitize($this->request->getPost('searchPhrase'), "query");
$searchPhrase = 'alert,alert_action,src_ip,dest_ip/"*' . $filterTag . '*"';
} else {
$searchPhrase = '';
Expand Down Expand Up @@ -223,8 +215,7 @@ public function getAlertInfoAction($alertId, $fileid = "")
{
$this->sessionClose();
$backend = new Backend();
$filter = (new FilterFactory())->newInstance();
$id = $filter->sanitize($alertId, "int");
$id = (new SanitizeFilter())->sanitize($alertId, "int");
$response = $backend->configdpRun("ids query alerts", array(1, 0, "filepos/" . $id, $fileid));
$result = json_decode($response, true);
if ($result != null && count($result['rows']) > 0) {
Expand Up @@ -28,10 +28,10 @@

namespace OPNsense\IDS\Api;

use Phalcon\Filter\FilterFactory;
use OPNsense\Base\ApiMutableModelControllerBase;
use OPNsense\Core\Backend;
use OPNsense\Core\Config;
use OPNsense\Core\SanitizeFilter;
use OPNsense\Base\UIModelGrid;

/**
Expand Down Expand Up @@ -86,10 +86,7 @@ public function searchInstalledRulesAction()
if ($this->request->isPost()) {
$this->sessionClose();
// create filter to sanitize input data
$filter = (new FilterFactory())->newInstance();
$filter->set('query', function ($value) {
return preg_replace("/[^0-9,a-z,A-Z, ,*,\-,_,.,\#]/", "", $value);
});
$filter = new SanitizeFilter();

// fetch query parameters (limit results to prevent out of memory issues)
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
