This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

chore(release): merge release-21.04.next into 21.04.x (#11909)
* query sanitized in listServiceCategories (#11597) (#11634)

* sanitize and bind in centreon connector query (#11637)

* Sanitize and bind listVirtualMetrics queries (#11649)

* sanitize and bind host categories query (#11591) (#11646)

* sanitize insert queries in db-func (#11652)

MON-14667

* Sanitized and bound queries in service argumentsXml file (#11655)

MON-14669

* (fix) service status : encoding issue on status page (#11583)

* fix(git): sync dev-21.04.x with 21.04.x (#11526)

* [SNYK] Sanitize and bind ACL host dependency queries (#11389) (#11521)

* Sanitize and bind ACL host dependency queries

* fix issues

* [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11517)

1122

1153

1134

* removed old variable userCrypted and the use of it (#11334) (#11516)

* fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11506)

Refs: MON-14585

* [Snyk] Sanitize and bind ACL action access queries (#11385) (#11514)

* Sanitize and bind ACL action access queries

_ sanitize if possible each variable inserted in a query

_ use PDO prepared statement and bind() method

_ Do not use $pearDB->escape, which is for example useless on integers and on non-closed HTML tags (svg, img, etc)

* fix line length

* fix failed checks

* [SNYK] Sanitize and bind ACL class queries (#11392) (#11513)

* Sanitize and bind ACL class queries

Queries sanitized and bound using PDO statement

* fix spaces

spaces between (int) cast and variables

* update file delete spaces after comma

* change variables names due to a review

* Line exceeds 120 characters; contains 123 characters

* fix(pendo): correctly set locale when language is detected by browser (#11484) (#11530)

Refs: MON-14039

* doc(ack): acknowledge Hakaï security (#11538)

* SNYK: Sanitize and bind ACL actions queries (#11549)

* sanitizing and binding acl actions queries

* fix missing bind

* SNYK: Sanitize and bind Broker listing queries (#11553)

* Sanitizing and binding broker listing queries

* applying suggested changes

* fix(conf) fix encoding in template service listing (#11558) (#11566)

* fix encoding

* remove useless function

* SNYK: Sanitize and bind generateImage queries (#11563)

* sanitize and bind generate image queries

* adding throw exception

* applying suggested changes

* Update www/include/views/graphs/generateGraphs/generateImage.php

Co-authored-by: Kevin Duret <[email protected]>

Co-authored-by: Kevin Duret <[email protected]>

* MON-14501 - sanitize query in centreonXmlbgRequest class (#11572)

* sanitize query in centreonXmlbgRequest class

* add closeCursor func to resolve conv

* SNYK: Sanitize and bind Meta-Services dependency queries (#11554) (#11569)

* sanitize 2 insert queries

* spaces removed in a query

* Fix encoding issue on status serviceXML

Co-authored-by: Kevin Duret <[email protected]>
Co-authored-by: Elmahdi ABBASSI <[email protected]>
Co-authored-by: jeremyjaouen <[email protected]>
Co-authored-by: Stéphane Chapron <[email protected]>
Co-authored-by: hyahiaoui-ext <[email protected]>
Co-authored-by: alaunois <[email protected]>

* Sanitize and bind service group dependencies queries (#11667)

* fix(conf) fix parent template display in service template listing (#11671) (#11678)

* fix(details): remove dead code (#11672) (#11684)

* fix(clapi): Check that user is admin to use clapi (#11631) (#11638)

* fix(widgets): retrieve possibility to not select poller in pref (#11696) (#11700)

Refs: MON-14919

* fix(details): second part of code cleanup for "tools" (#11725)

* fix(resource): Fix bad SQL request (#11702) (#11751)

* chore(release): merge release-21.04.next into 21.04.x (#11819) (#11826)

* query sanitized in listServiceCategories (#11597) (#11634)

* sanitize and bind in centreon connector query (#11637)

* Sanitize and bind listVirtualMetrics queries (#11649)

* sanitize and bind host categories query (#11591) (#11646)

* sanitize insert queries in db-func (#11652)

MON-14667

* Sanitized and bound queries in service argumentsXml file (#11655)

MON-14669

* (fix) service status : encoding issue on status page (#11583)

* fix(git): sync dev-21.04.x with 21.04.x (#11526)

* [SNYK] Sanitize and bind ACL host dependency queries (#11389) (#11521)

* Sanitize and bind ACL host dependency queries

* fix issues

* [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11517)

1122

1153

1134

* removed old variable userCrypted and the use of it (#11334) (#11516)

* fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11506)

Refs: MON-14585

* [Snyk] Sanitize and bind ACL action access queries (#11385) (#11514)

* Sanitize and bind ACL action access queries

_ sanitize if possible each variable inserted in a query

_ use PDO prepared statement and bind() method

_ Do not use $pearDB->escape, which is for example useless on integers and on non-closed HTML tags (svg, img, etc)

* fix line length

* fix failed checks

* [SNYK] Sanitize and bind ACL class queries (#11392) (#11513)

* Sanitize and bind ACL class queries

Queries sanitized and bound using PDO statement

* fix spaces

spaces between (int) cast and variables

* update file delete spaces after comma

* change variables names due to a review

* Line exceeds 120 characters; contains 123 characters

* fix(pendo): correctly set locale when language is detected by browser (#11484) (#11530)

Refs: MON-14039

* doc(ack): acknowledge Hakaï security (#11538)

* SNYK: Sanitize and bind ACL actions queries (#11549)

* sanitizing and binding acl actions queries

* fix missing bind

* SNYK: Sanitize and bind Broker listing queries (#11553)

* Sanitizing and binding broker listing queries

* applying suggested changes

* fix(conf) fix encoding in template service listing (#11558) (#11566)

* fix encoding

* remove useless function

* SNYK: Sanitize and bind generateImage queries (#11563)

* sanitize and bind generate image queries

* adding throw exception

* applying suggested changes

* Update www/include/views/graphs/generateGraphs/generateImage.php

Co-authored-by: Kevin Duret <[email protected]>

Co-authored-by: Kevin Duret <[email protected]>

* MON-14501 - sanitize query in centreonXmlbgRequest class (#11572)

* sanitize query in centreonXmlbgRequest class

* add closeCursor func to resolve conv

* SNYK: Sanitize and bind Meta-Services dependency queries (#11554) (#11569)

* sanitize 2 insert queries

* spaces removed in a query

* Fix encoding issue on status serviceXML

Co-authored-by: Kevin Duret <[email protected]>
Co-authored-by: Elmahdi ABBASSI <[email protected]>
Co-authored-by: jeremyjaouen <[email protected]>
Co-authored-by: Stéphane Chapron <[email protected]>
Co-authored-by: hyahiaoui-ext <[email protected]>
Co-authored-by: alaunois <[email protected]>

* Sanitize and bind service group dependencies queries (#11667)

* fix(conf) fix parent template display in service template listing (#11671) (#11678)

* fix(details): remove dead code (#11672) (#11684)

* fix(clapi): Check that user is admin to use clapi (#11631) (#11638)

* fix(widgets): retrieve possibility to not select poller in pref (#11696) (#11700)

Refs: MON-14919

* fix(details): second part of code cleanup for "tools" (#11725)

* fix(resource): Fix bad SQL request (#11702) (#11751)

* chore(install): update version to 21.04.18

Co-authored-by: Elmahdi ABBASSI <[email protected]>
Co-authored-by: TamazC <[email protected]>
Co-authored-by: Kevin Duret <[email protected]>
Co-authored-by: jeremyjaouen <[email protected]>
Co-authored-by: Stéphane Chapron <[email protected]>
Co-authored-by: hyahiaoui-ext <[email protected]>
Co-authored-by: alaunois <[email protected]>
Co-authored-by: Adrien Morais-Mestre <[email protected]>
Co-authored-by: Laurent Calvet <[email protected]>

Co-authored-by: Elmahdi ABBASSI <[email protected]>
Co-authored-by: TamazC <[email protected]>
Co-authored-by: Kevin Duret <[email protected]>
Co-authored-by: jeremyjaouen <[email protected]>
Co-authored-by: Stéphane Chapron <[email protected]>
Co-authored-by: hyahiaoui-ext <[email protected]>
Co-authored-by: alaunois <[email protected]>
Co-authored-by: Adrien Morais-Mestre <[email protected]>
Co-authored-by: Laurent Calvet <[email protected]>

* FIX: SQLi in poller's broker configuration 21.04.x (#11779)

* sanitize and bind pollers broker config queries

* applying suggested changes

* chore(release): update version to 21.04.19

Co-authored-by: Elmahdi ABBASSI <[email protected]>
Co-authored-by: TamazC <[email protected]>
Co-authored-by: Kevin Duret <[email protected]>
Co-authored-by: jeremyjaouen <[email protected]>
Co-authored-by: Stéphane Chapron <[email protected]>
Co-authored-by: hyahiaoui-ext <[email protected]>
Co-authored-by: alaunois <[email protected]>
Co-authored-by: Adrien Morais-Mestre <[email protected]>
Co-authored-by: Laurent Calvet <[email protected]>
10 people committed Oct 3, 2022
1 parent 6cbd3ee commit 3002339
Showing 4 changed files with 97 additions and 25 deletions.
8 changes: 5 additions & 3 deletions www/class/centreonConfigCentreonBroker.php
@@ -730,13 +730,15 @@ public function insertConfig($values)
/*
* Get the ID
*/
$query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = '" . $values['name'] . "'";
$query = "SELECT config_id FROM cfg_centreonbroker WHERE config_name = :config_name";
try {
$res = $this->db->query($query);
$statement = $this->db->prepare($query);
$statement->bindValue(':config_name', $values['name'], \PDO::PARAM_STR);
$statement->execute();
} catch (\PDOException $e) {
return false;
}
$row = $res->fetch();
$row = $statement->fetch(\PDO::FETCH_ASSOC);
$id = $row['config_id'];

/*
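Review bot: `$row['config_id']` just after the fetch is read without checking that a row came back; `fetch()` returns `false` when no `cfg_centreonbroker` row matches `$values['name']`, so `$id` silently becomes null and the rest of insertConfig carries on with it. Since the try block already returns `false` on a PDOException, extend that to the empty result, e.g. `if ($row === false) { return false; }` before `$id = $row['config_id'];`. Binding `:config_name` with `\PDO::PARAM_STR` in place of the former string concatenation is the right fix for the injection this PR targets.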
91 changes: 70 additions & 21 deletions www/include/configuration/configCentreonBroker/DB-Func.php
@@ -74,8 +74,10 @@ function enableCentreonBrokerInDB($id)
return;
}

$query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = " . $id;
$pearDB->query($query);
$query = "UPDATE cfg_centreonbroker SET config_activate = '1' WHERE config_id = :config_id";
$statement = $pearDB->prepare($query);
$statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT);
$statement->execute();
}

/**
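Review bot: the return value of `$statement->execute()` is discarded, so depending on how `$pearDB`'s error mode is configured a failed UPDATE either throws or just returns `false`, and in the latter case the caller never learns about it; consider returning the boolean from `execute()` or wrapping the call in the same try/catch pattern used in `insertConfig`. The `(int) $id` cast together with `\PDO::PARAM_INT` is the correct replacement for the former `" . $id` concatenation.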
@@ -91,8 +93,10 @@ function disablCentreonBrokerInDB($id)
return;
}

$query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = " . $id;
$pearDB->query($query);
$query = "UPDATE cfg_centreonbroker SET config_activate = '0' WHERE config_id = :config_id";
$statement = $pearDB->prepare($query);
$statement->bindValue(':config_id', (int) $id, \PDO::PARAM_INT);
$statement->execute();
}

/**
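Review bot: this body is now identical to enableCentreonBrokerInDB apart from the `'0'` literal; a small shared helper taking the activate flag (bound as a parameter as well) would keep the two prepared statements from drifting apart. The same remark about the unchecked `execute()` result applies here. Visible in the hunk header but unrelated to this PR: the function name `disablCentreonBrokerInDB` is missing an `e`; renaming it is a separate change because of its callers.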
@@ -104,8 +108,10 @@ function deleteCentreonBrokerInDB($ids = array())
{
global $pearDB;

$statement = $pearDB->prepare("DELETE FROM cfg_centreonbroker WHERE config_id = :config_id");
foreach ($ids as $key => $value) {
$pearDB->query("DELETE FROM cfg_centreonbroker WHERE config_id = " . $key);
$statement->bindValue(':config_id', (int) $key, \PDO::PARAM_INT);
$statement->execute();
}
}

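Review bot: the loop binds the array key (`$key`) as `:config_id` and ignores `$value`, which preserves the original behaviour but deserves a line in the docblock, because a caller passing a plain list of IDs (`[12, 13]`) would delete config IDs 0 and 1 instead of the intended ones. Preparing the DELETE once outside the loop and re-executing it per key is the right pattern; adding `if ((int) $key <= 0) { continue; }` would also skip the 0 that a non-numeric key casts to.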
@@ -194,13 +200,7 @@ function multipleCentreonBrokerInDB($ids, $nbrDup)
foreach ($ids as $id => $value) {
$cbObj = new CentreonConfigCentreonBroker($pearDB);

$query = "SELECT config_name, config_filename, config_activate, ns_nagios_server,
event_queue_max_size, cache_directory, daemon "
. "FROM cfg_centreonbroker "
. "WHERE config_id = " . $id . " ";
$dbResult = $pearDB->query($query);
$row = $dbResult->fetch();
$dbResult->closeCursor();
$row = getCfgBrokerData((int) $id);

# Prepare values
$values = array();
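Review bot: `getCfgBrokerData((int) $id)` has a stricter failure model than the inline query it replaces: it throws an `\Exception` on a PDO error, and because it returns the `fetch()` result from a function declared `: array`, a `config_id` with no matching row produces a `TypeError` instead of the old `false` in `$row`. Neither is caught in this loop, so a single bad ID in `$ids` aborts the whole duplication; either catch around the call or validate the ID before it.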
@@ -210,14 +210,11 @@ function multipleCentreonBrokerInDB($ids, $nbrDup)
$values['event_queue_max_size'] = $row['event_queue_max_size'];
$values['cache_directory'] = $row['cache_directory'];
$values['activate_watchdog']['activate_watchdog'] = $row['daemon'];
$query = "SELECT config_key, config_value, config_group, config_group_id "
. "FROM cfg_centreonbroker_info "
. "WHERE config_id = " . $id . " ";
$dbResult = $pearDB->query($query);
$values['output'] = array();
$values['input'] = array();
$values['logger'] = array();
while ($rowOpt = $dbResult->fetch()) {
$brokerCfgInfoData = getCfgBrokerInfoData((int) $id);
foreach ($brokerCfgInfoData as $rowOpt) {
if ($rowOpt['config_key'] == 'filters') {
continue;
} elseif ($rowOpt['config_key'] == 'category') {
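Review bot: the new `foreach` over `getCfgBrokerInfoData((int) $id)` keeps the loose `==` comparisons on `$rowOpt['config_key']` (`'filters'`, `'category'`); since `config_key` is a string column, `===` is the safer idiom and makes the intent explicit. Switching from a streaming `fetch()` loop to `fetchAll()` is fine here, as a single broker configuration holds only a small number of info rows.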
@@ -228,7 +225,6 @@ function multipleCentreonBrokerInDB($ids, $nbrDup)
$rowOpt['config_value'];
}
}
$dbResult->closeCursor();

# Convert values radio button
foreach ($values as $group => $groups) {
@@ -254,16 +250,18 @@ function multipleCentreonBrokerInDB($ids, $nbrDup)

# Copy the configuration
$j = 1;
$query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = :config_name";
$statement = $pearDB->prepare($query);
for ($i = 1; $i <= $nbrDup[$id]; $i++) {
$nameNOk = true;

# Find the name
while ($nameNOk) {
$newname = $row['config_name'] . '_' . $j;
$newfilename = $j . '_' . $row['config_filename'];
$query = "SELECT COUNT(*) as nb FROM cfg_centreonbroker WHERE config_name = '" . $newname . "'";
$res = $pearDB->query($query);
$rowNb = $res->fetch();
$statement->bindValue(':config_name', $newname, \PDO::PARAM_STR);
$statement->execute();
$rowNb = $statement->fetch(\PDO::FETCH_ASSOC);
if ($rowNb['nb'] == 0) {
$nameNOk = false;
}
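Review bot: preparing the `COUNT(*)` statement once above the loops and only rebinding `:config_name` is the right change, but after `$rowNb = $statement->fetch(\PDO::FETCH_ASSOC);` the cursor is left open before the next `execute()` of the same statement; call `$statement->closeCursor()` once the row is read, as the new helper functions added further down in this file already do, so the re-execution does not depend on the driver's buffered-query setting. `$rowNb['nb']` can be read without a `false` check because `COUNT(*)` always yields exactly one row.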
@@ -293,3 +291,54 @@ function isPositiveNumeric($size): bool
}
return $isPositive;
}

/**
* Getting Centreon CFG broker data
*
* @param int $configId
* @return array
*/
function getCfgBrokerData(int $configId): array
{
global $pearDB;

$query = "SELECT config_name, config_filename, config_activate, ns_nagios_server,
event_queue_max_size, cache_directory, daemon "
. "FROM cfg_centreonbroker "
. "WHERE config_id = :config_id ";
try {
$statement = $pearDB->prepare($query);
$statement->bindValue(':config_id', $configId, \PDO::PARAM_INT);
$statement->execute();
$cfgBrokerData = $statement->fetch(\PDO::FETCH_ASSOC);
} catch (PDOException $exception) {
throw new \Exception("Cannot fetch Broker config data");
}
$statement->closeCursor();
return $cfgBrokerData;
}

/**
* Getting Centreon CFG broker Info data
*
* @param int $configId
* @return array
*/
function getCfgBrokerInfoData(int $configId): array
{
global $pearDB;

$query = "SELECT config_key, config_value, config_group, config_group_id "
. "FROM cfg_centreonbroker_info "
. "WHERE config_id = :config_id";
try {
$statement = $pearDB->prepare($query);
$statement->bindValue(':config_id', $configId, \PDO::PARAM_INT);
$statement->execute();
$cfgBrokerInfoData = $statement->fetchAll(\PDO::FETCH_ASSOC);
} catch (\PDOException $exception) {
throw new \Exception("Cannot fetch Broker info config data");
}
$statement->closeCursor();
return $cfgBrokerInfoData;
}
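Review bot: getCfgBrokerData() returns the `fetch()` result directly, and `fetch()` yields `false` when no row matches `$configId`; with the `: array` return type that surfaces as a `TypeError` rather than a clean error, so either throw (or return `[]`) when `$cfgBrokerData === false`, or drop the return type. Two smaller points in the same hunk: the catch in getCfgBrokerData reads `PDOException` while getCfgBrokerInfoData uses `\PDOException`; they only name the same class if this file is not namespaced, so use the leading backslash in both. And both rethrows discard the original exception; pass it as the previous argument, `throw new \Exception("Cannot fetch Broker config data", 0, $exception);`, so the PDO error message survives in logs.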
2 changes: 1 addition & 1 deletion www/install/insertBaseConf.sql
@@ -2,7 +2,7 @@
-- Insert version
--

INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.18');
INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.04.19');

--
-- Contenu de la table `contact`
21 changes: 21 additions & 0 deletions www/install/php/Update-21.04.19.php
@@ -0,0 +1,21 @@
<?php

/*
* Copyright 2005 - 2022 Centreon (https://www.centreon.com/)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* For more information : [email protected]
*
*/

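Review bot: Update-21.04.19.php contains only the license header and no upgrade statements, so its purpose is undocumented; if the empty script exists only so the updater records the 21.04.19 version step (the version itself is bumped in insertBaseConf.sql in this commit), say so in a comment after the header, otherwise a reader will assume the migration body was lost.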