From 3002339dcb3322fe0079c1f6e64e3628a25985f6 Mon Sep 17 00:00:00 2001 
From: tuntoja <58987095+tuntoja@users.noreply.github.com> Date: Mon, 3 Oct 2022 09:44:13 +0200 Subject: [PATCH] chore(release): merge release-21.04.next into 21.04.x (#11909) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * query sanitized in listServiceCategoriesà (#11597) (#11634) * sanitize and bind in centreon connector queriy (#11637) * Sanitize and bind listVirtualMetrics queries (#11649) * sanitize and bind host categories queryà (#11591) (#11646) * sanitize insrert queries in db-func (#11652) MON-14667 * Sanitized and bound queries in service argumentsXml file (#11655) MON-14669 * (fix) service status : encoding issue on status page (#11583) * fix(git): sync dev-21.04.x with 21.04.x (#11526) * [SNYK] Sanitize and bind ACL host dependency queries (#11389) (#11521) * Sanitize and bind ACL host dependency queries * fix issues * [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11517) 1122 1153 1134 * removed old variable userCrypted and the use of it (#11334) (#11516) * fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11506) Refs: MON-14585 * [Snyk] Sanitize and bind ACL action access queries (#11385) (#11514) * Sanitize and bind ACL action access queries _ sanitize if possible each variables inserted in a query _ use PDO prepared statement and bind() method _ Do not use $pearDB->escape on which is for examples useless on integers and on non closed HTML tags (svg, img, etc) * fix line length * fix failed checks * [SNYK] Sanitize and bind ACL class queries (#11392) (#11513) * Sanitize and bind ACL class queries Queries sanitized and bound using PDO statement * fix spaces spaces between (int) cast and variables * update file delete spaces after comma * change variables names due to a review * Line exceeds 120 characters; contains 123 characters * fix(pendo): correctly set locale when language is detection by browser (#11484) (#11530) Refs: MON-14039 * doc(ack): 
acknowledge Hakaï security (#11538) * SNYK: Sanitize and bind ACL actions queries (#11549) * sanitizing and binding acl actions queries * fix missing bind * SNYK: Sanitize and bind Broker listing queries (#11553) * Sanitizing and binding broker listing queries * applying suggested changes * fix(conf) fix encoding in template service listing (#11558) (#11566) * fix encoding * remove useless function * SNYK: Sanitize and bind generateImage queries (#11563) * sanitize and bind generate image queries * adding throw exception * applying suggested changes * Update www/include/views/graphs/generateGraphs/generateImage.php Co-authored-by: Kevin Duret Co-authored-by: Kevin Duret * MON-14501 - sanitize query in centreonXmlbgRequest class (#11572) * sanitize query in centreonXmlbgRequest class * add closeCursor func to resolve conv * SNYK: Sanitize and bind Meta-Services dependency queries (#11554) (#11569) * sanityze 2 insert queries * spaces removed in a query * Fix encoding issue on status serviceXML Co-authored-by: Kevin Duret Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: alaunois * Sanitize and bind service group dependecies queries (#11667) * fix(conf) fix parent template display in service template listing (#11671) (#11678) * fix(details): remove dead code (#11672) (#11684) * fix(clapi): Check that user is admin to use clapi (#11631) (#11638) * fix(widgets): retrieve possibility to not select poller in pref (#11696) (#11700) Refs: MON-14919 * fix(details): second part of code cleanup for "tools" (#11725) * fix(resource): Fix bad SQL request (#11702) (#11751) * chore(release): merge release-21.04.next into 21.04.x (#11819) (#11826) * query sanitized in listServiceCategoriesà (#11597) 
(#11634) * sanitize and bind in centreon connector queriy (#11637) * Sanitize and bind listVirtualMetrics queries (#11649) * sanitize and bind host categories queryà (#11591) (#11646) * sanitize insrert queries in db-func (#11652) MON-14667 * Sanitized and bound queries in service argumentsXml file (#11655) MON-14669 * (fix) service status : encoding issue on status page (#11583) * fix(git): sync dev-21.04.x with 21.04.x (#11526) * [SNYK] Sanitize and bind ACL host dependency queries (#11389) (#11521) * Sanitize and bind ACL host dependency queries * fix issues * [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11517) 1122 1153 1134 * removed old variable userCrypted and the use of it (#11334) (#11516) * fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11506) Refs: MON-14585 * [Snyk] Sanitize and bind ACL action access queries (#11385) (#11514) * Sanitize and bind ACL action access queries _ sanitize if possible each variables inserted in a query _ use PDO prepared statement and bind() method _ Do not use $pearDB->escape on which is for examples useless on integers and on non closed HTML tags (svg, img, etc) * fix line length * fix failed checks * [SNYK] Sanitize and bind ACL class queries (#11392) (#11513) * Sanitize and bind ACL class queries Queries sanitized and bound using PDO statement * fix spaces spaces between (int) cast and variables * update file delete spaces after comma * change variables names due to a review * Line exceeds 120 characters; contains 123 characters * fix(pendo): correctly set locale when language is detection by browser (#11484) (#11530) Refs: MON-14039 * doc(ack): acknowledge Hakaï security (#11538) * SNYK: Sanitize and bind ACL actions queries (#11549) * sanitizing and binding acl actions queries * fix missing bind * SNYK: Sanitize and bind Broker listing queries (#11553) * Sanitizing and binding broker listing queries * applying suggested changes * fix(conf) fix encoding in template 
service listing (#11558) (#11566) * fix encoding * remove useless function * SNYK: Sanitize and bind generateImage queries (#11563) * sanitize and bind generate image queries * adding throw exception * applying suggested changes * Update www/include/views/graphs/generateGraphs/generateImage.php Co-authored-by: Kevin Duret Co-authored-by: Kevin Duret * MON-14501 - sanitize query in centreonXmlbgRequest class (#11572) * sanitize query in centreonXmlbgRequest class * add closeCursor func to resolve conv * SNYK: Sanitize and bind Meta-Services dependency queries (#11554) (#11569) * sanityze 2 insert queries * spaces removed in a query * Fix encoding issue on status serviceXML Co-authored-by: Kevin Duret Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: alaunois * Sanitize and bind service group dependecies queries (#11667) * fix(conf) fix parent template display in service template listing (#11671) (#11678) * fix(details): remove dead code (#11672) (#11684) * fix(clapi): Check that user is admin to use clapi (#11631) (#11638) * fix(widgets): retrieve possibility to not select poller in pref (#11696) (#11700) Refs: MON-14919 * fix(details): second part of code cleanup for "tools" (#11725) * fix(resource): Fix bad SQL request (#11702) (#11751) * chore(install): update version to 21.04.18 Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: TamazC <103252125+TamazC@users.noreply.github.com> Co-authored-by: Kevin Duret Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> 
Co-authored-by: alaunois Co-authored-by: Adrien Morais-Mestre <31647811+adr-mo@users.noreply.github.com> Co-authored-by: Laurent Calvet Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: TamazC <103252125+TamazC@users.noreply.github.com> Co-authored-by: Kevin Duret Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: alaunois Co-authored-by: Adrien Morais-Mestre <31647811+adr-mo@users.noreply.github.com> Co-authored-by: Laurent Calvet * FIX: SQLi in poller's broker configuration 21.04.x (#11779) * sanitize and bind pollers broker config queries * applying suggested changes * chore(release): update version to 21.04.19 Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: TamazC <103252125+TamazC@users.noreply.github.com> Co-authored-by: Kevin Duret Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: alaunois Co-authored-by: Adrien Morais-Mestre <31647811+adr-mo@users.noreply.github.com> Co-authored-by: Laurent Calvet --- www/class/centreonConfigCentreonBroker.php | 8 +- .../configCentreonBroker/DB-Func.php | 91 ++++++++++++++----- www/install/insertBaseConf.sql | 2 +- www/install/php/Update-21.04.19.php | 21 +++++ 4 files changed, 97 insertions(+), 25 deletions(-) create mode 100644 www/install/php/Update-21.04.19.php diff --git a/www/class/centreonConfigCentreonBroker.php b/www/class/centreonConfigCentreonBroker.php index d661a1add03..6bc31640941 100644 --- a/www/class/centreonConfigCentreonBroker.php +++ b/www/class/centreonConfigCentreonBroker.php 
@@ -730,13 +730,15 @@ public function insertConfig($values) /* * Get the ID */ - $query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = '" . $values['name'] . "'"; + $query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = :config_name"; try { - $res = $this->db->query($query); + $statement = $this->db->prepare($query); + $statement->bindValue(':config_name', $values['name'], \PDO::PARAM_STR); + $statement->execute(); } catch (\PDOException $e) { return false; } - $row = $res->fetch(); + $row = $statement->fetch(\PDO::FETCH_ASSOC); $id = $row['config_id']; /* diff --git a/www/include/configuration/configCentreonBroker/DB-Func.php b/www/include/configuration/configCentreonBroker/DB-Func.php index ef6b18e3f7a..e76b4384db9 100644 --- a/www/include/configuration/configCentreonBroker/DB-Func.php +++ b/www/include/configuration/configCentreonBroker/DB-Func.php @@ -74,8 +74,10 @@ function enableCentreonBrokerInDB($id) return; } - $query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = " . $id; - $pearDB->query($query); + $query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = :config_id"; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT); + $statement->execute(); } /** @@ -91,8 +93,10 @@ function disablCentreonBrokerInDB($id) return; } - $query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = " . $id; - $pearDB->query($query); + $query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = :config_id"; + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT); + $statement->execute(); } /** 
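Review bot: `$row = $statement->fetch(\PDO::FETCH_ASSOC)` is followed by `$id = $row['config_id']` with no check that a row was found; `fetch()` returns `false` when no `cfg_centreonbroker` row has that `config_name`, so `$id` becomes null (with an array-offset-on-bool notice on PHP 7.4+) and the method carries on with a bogus id. The `catch` branch already signals failure with `return false;`, so the same check fits here: `if ($row === false) { return false; }` before reading `config_id`. The binding itself is correct (`PARAM_STR`, no string interpolation of `$values['name']`). `insertConfig()` starts and ends outside this hunk, so how `$id` is used afterwards is not visible here.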
@@ -104,8 +108,10 @@ function deleteCentreonBrokerInDB($ids = array()) { global $pearDB; + $statement = $pearDB->prepare("DELETE FROM cfg_centreonbroker WHERE config_id = :config_id"); foreach ($ids as $key => $value) { - $pearDB->query("DELETE FROM cfg_centreonbroker WHERE config_id = " . $key); + $statement->bindValue(':config_id', (int) $key, \PDO::PARAM_INT); + $statement->execute(); } } @@ -194,13 +200,7 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) foreach ($ids as $id => $value) { $cbObj = new CentreonConfigCentreonBroker($pearDB); - $query = "SELECT config_name, config_filename, config_activate, ns_nagios_server, - event_queue_max_size, cache_directory, daemon " - . "FROM cfg_centreonbroker " - . "WHERE config_id = " . $id . " "; - $dbResult = $pearDB->query($query); - $row = $dbResult->fetch(); - $dbResult->closeCursor(); + $row = getCfgBrokerData((int) $id); # Prepare values $values = array(); @@ -210,14 +210,11 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) $values['event_queue_max_size'] = $row['event_queue_max_size']; $values['cache_directory'] = $row['cache_directory']; $values['activate_watchdog']['activate_watchdog'] = $row['daemon']; - $query = "SELECT config_key, config_value, config_group, config_group_id " - . "FROM cfg_centreonbroker_info " - . "WHERE config_id = " . $id . " "; - $dbResult = $pearDB->query($query); $values['output'] = array(); $values['input'] = array(); $values['logger'] = array(); - while ($rowOpt = $dbResult->fetch()) { + $brokerCfgInfoData = getCfgBrokerInfoData((int) $id); + foreach ($brokerCfgInfoData as $rowOpt) { if ($rowOpt['config_key'] == 'filters') { continue; } elseif ($rowOpt['config_key'] == 'category') { @@ -228,7 +225,6 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) $rowOpt['config_value']; } } - $dbResult->closeCursor(); # Convert values radio button foreach ($values as $group => $groups) { 
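Review bot: In `deleteCentreonBrokerInDB()` the loop binds `(int) $key` and never touches `$value`, so the contract that the keys of `$ids` are the config ids is only implicit; iterating the keys states it: `foreach (array_keys($ids) as $configId) {` with `$statement->bindValue(':config_id', (int) $configId, \PDO::PARAM_INT);`. Preparing the DELETE once and re-executing it per id is the right shape for a parameterised delete. A non-numeric key casts to 0 and would only match a row with `config_id = 0`, which is a safe failure mode, but it deserves a line in the function's docblock, which starts above this hunk.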
@@ -254,6 +250,8 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) # Copy the configuration $j = 1; + $query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = :config_name"; + $statement = $pearDB->prepare($query); for ($i = 1; $i <= $nbrDup[$id]; $i++) { $nameNOk = true; @@ -261,9 +259,9 @@ function multipleCentreonBrokerInDB($ids, $nbrDup) while ($nameNOk) { $newname = $row['config_name'] . '_' . $j; $newfilename = $j . '_' . $row['config_filename']; - $query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = '" . $newname . "'"; - $res = $pearDB->query($query); - $rowNb = $res->fetch(); + $statement->bindValue(':config_name', $newname, \PDO::PARAM_STR); + $statement->execute(); + $rowNb = $statement->fetch(\PDO::FETCH_ASSOC); if ($rowNb['nb'] == 0) { $nameNOk = false; } 
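Review bot: The `while ($nameNOk)` loop re-executes the prepared COUNT(*) statement after `$statement->fetch()` without calling `closeCursor()`, so each iteration re-runs a statement whose previous result set is still open; the `getCfgBroker*` helpers added by this same commit close their cursors after fetching, and this loop should too: add `$statement->closeCursor();` right after the `fetch()`. The `$rowNb['nb'] == 0` test also leans on loose comparison (PDO commonly hands back `COUNT(*)` as a string); `(int) $rowNb['nb'] === 0` says what is meant. `multipleCentreonBrokerInDB()` starts and ends outside this hunk.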
@@ -293,3 +291,54 @@ function isPositiveNumeric($size): bool } return $isPositive; } + +/** + * Getting Centreon CFG broker data + * + * @param int $configId + * @return array + */ +function getCfgBrokerData(int $configId): array +{ + global $pearDB; + + $query = "SELECT config_name, config_filename, config_activate, ns_nagios_server, + event_queue_max_size, cache_directory, daemon " + . "FROM cfg_centreonbroker " + . "WHERE config_id = :config_id "; + try { + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC); + } catch (PDOException $exception) { + throw new \Exception("Cannot fetch Broker config data"); + } + $statement->closeCursor(); + return $cfgBrokerData; +} + +/** + * Getting Centreon CFG broker Info data + * + * @param int $configId + * @return array + */ +function getCfgBrokerInfoData(int $configId): array +{ + global $pearDB; + + $query = "SELECT config_key, config_value, config_group, config_group_id " + . "FROM cfg_centreonbroker_info " + . "WHERE config_id = :config_id"; + try { + $statement = $pearDB->prepare($query); + $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT); + $statement->execute(); + $cfgBrokerInfoData = $statement->fetchAll(\PDO::FETCH_ASSOC); + } catch (\PDOException $exception) { + throw new \Exception("Cannot fetch Broker info config data"); + } + $statement->closeCursor(); + return $cfgBrokerInfoData; +} diff --git a/www/install/insertBaseConf.sql b/www/install/insertBaseConf.sql index 5a254f8d162..401de4e056f 100644 --- a/www/install/insertBaseConf.sql +++ b/www/install/insertBaseConf.sql @@ -2,7 +2,7 @@ -- Insert version -- -INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.18'); +INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.19'); -- -- Contenu de la table `contact` 
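Review bot: `getCfgBrokerData()` is declared `: array` but returns `$statement->fetch(\PDO::FETCH_ASSOC)` unchecked, and `fetch()` yields `false` when no `cfg_centreonbroker` row has that `config_id`, so a missing id surfaces as a TypeError from the return statement rather than the intended exception; check for `false` and throw explicitly. Two smaller points in the same function: it catches `PDOException` without the leading backslash while its sibling `getCfgBrokerInfoData()` catches `\PDOException` (no `namespace` declaration is visible, so both presumably resolve to the global class, but they should be written the same way), and both rethrows drop the original exception, which `throw new \Exception("...", 0, $exception)` would preserve. The caller in `multipleCentreonBrokerInDB()` does not catch either way, so this only changes what error reaches the top, not whether the duplication aborts.
```php
function getCfgBrokerData(int $configId): array
{
    // … unchanged: global $pearDB and the SELECT query text …
    try {
        $statement = $pearDB->prepare($query);
        $statement->bindValue(':config_id', $configId, \PDO::PARAM_INT);
        $statement->execute();
        $cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC);
        $statement->closeCursor();
    } catch (\PDOException $exception) {
        throw new \Exception("Cannot fetch Broker config data", 0, $exception);
    }
    // fetch() returns false when no row matches; the declared return type is array
    if ($cfgBrokerData === false) {
        throw new \Exception("No Broker configuration found for config_id " . $configId);
    }
    return $cfgBrokerData;
}
```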
diff --git a/www/install/php/Update-21.04.19.php b/www/install/php/Update-21.04.19.php new file mode 100644 index 00000000000..9c56be77fd8 --- /dev/null +++ b/www/install/php/Update-21.04.19.php @@ -0,0 +1,21 @@ +