From 594da940fa4051bbdc6a507ff7c0e0506df354bb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 2 Apr 2024 11:57:30 +0200 Subject: [PATCH] Sanitize input --- htdocs/api/class/api.class.php | 36 ++++++++++++++++--- .../template/class/api_mymodule.class.php | 13 +++++-- 2 files changed, 42 insertions(+), 7 deletions(-) diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php index 63d504b14cb..9c884b69b66 100644 --- a/htdocs/api/class/api.class.php +++ b/htdocs/api/class/api.class.php @@ -73,8 +73,6 @@ class DolibarrApi /** * Check and convert a string depending on its type/name. * - * Display a short message an return a http code 200 - * * @param string $field Field name * @param string|array $value Value to check/clean * @param Object $object Object @@ -84,16 +82,44 @@ class DolibarrApi { // phpcs:enable if (!is_array($value)) { - // TODO Use type detected in $object->fields if $object known and we can + // Sanitize the value using its type declared into ->fields of $object + if (!empty($object->fields) && !empty($object->fields[$field]) && !empty($object->fields[$field]['type'])) { + if (strpos($object->fields[$field]['type'], 'int') || strpos($object->fields[$field]['type'], 'double') || in_array($object->fields[$field]['type'], array('real', 'price', 'stock'))) { + return sanitizeVal($value, 'int'); + } + if ($object->fields[$field]['type'] == 'html') { + return sanitizeVal($value, 'restricthtml'); + } + if ($object->fields[$field]['type'] == 'select') { + // Check values are in the list of possible 'options' + // TODO + } + if ($object->fields[$field]['type'] == 'sellist' || $object->fields[$field]['type'] == 'checkbox') { + // TODO + } + if ($object->fields[$field]['type'] == 'boolean' || $object->fields[$field]['type'] == 'radio') { + // TODO + } + if ($object->fields[$field]['type'] == 'email') { + return sanitizeVal($value, 'email'); + } + if ($object->fields[$field]['type'] == 'password') { + return sanitizeVal($value, 'none'); + } + // Others will use 'alphanohtml' + } if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'))) { return sanitizeVal($value, 'restricthtml'); } else { return sanitizeVal($value, 'alphanohtml'); } } else { - // TODO Recall _checkValForAPI for each element of array + $newarrayvalue = array(); + foreach ($value as $tmpkey => $tmpvalue) { + $newarrayvalue[$tmpkey] = $this->_checkValForAPI($tmpkey, $tmpvalue, $object); + } - return $value; + return $newarrayvalue; } } diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php index d716869cfcc..a29c8ced6cc 100644 --- a/htdocs/modulebuilder/template/class/api_mymodule.class.php +++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php @@ -76,7 +76,7 @@ class MyModuleApi extends DolibarrApi throw new RestException(403); } if (!DolibarrApi::_checkAccessToResource('myobject', $id, 'mymodule_myobject')) { - throw new RestException(403, 'Access to instance id='.$this->myobject->id.' of object not allowed for login '.DolibarrApiAccess::$user->login); + throw new RestException(403, 'Access to instance id='.$id.' of object not allowed for login '.DolibarrApiAccess::$user->login); } $result = $this->myobject->fetch($id); @@ -255,7 +255,16 @@ class MyModuleApi extends DolibarrApi } if ($field === 'caller') { // Add a mention of caller so on trigger called after action, we can filter to avoid a loop if we try to sync back again with the caller - $this->myobject->context['caller'] = $request_data['caller']; + $this->myobject->context['caller'] = sanitizeVal($request_data['caller'], 'aZ09'); + continue; + } + + if ($field == 'array_options' && is_array($value)) { + foreach ($value as $index => $val) { + $this->myobject->array_options[$index] = $val; + } + $this->myobject->array_options = $this->_checkValForAPI('extrafields', $this->myobject->array_options, $this->myobject); + continue; }