N°1932: Security hardening

Stephen Abello
2019-01-16 14:49:57 +01:00
parent 08543287e8
commit c8c4b072b1
6 changed files with 33 additions and 6 deletions


@@ -256,7 +256,11 @@ try
case 'compile':
SetupPage::log_info('Deployment starts...');
$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
if (!file_exists(APPROOT.'data/hub/compile_authent') || $sAuthent !== file_get_contents(APPROOT.'data/hub/compile_authent'))
{
throw new SecurityException(Dict::S('iTopHub:FailAuthent'));
}
// First step: prepare the datamodel, if it fails, roll-back
$aSelectedExtensionCodes = utils::ReadParam('extension_codes', array());
$aSelectedExtensionDirs = utils::ReadParam('extension_dirs', array());
@@ -295,7 +299,13 @@ try
try
{
SetupPage::log_info('Move to production starts...');
// Load the "production" config file to clone & update it
$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
if (!file_exists(APPROOT.'data/hub/compile_authent') || $sAuthent !== file_get_contents(APPROOT.'data/hub/compile_authent'))
{
throw new SecurityException(Dict::S('iTopHub:FailAuthent'));
}
unlink(APPROOT.'data/hub/compile_authent');
// Load the "production" config file to clone & update it
$oConfig = new Config(APPCONF.'production/'.ITOP_CONFIG_FILE);
$oRuntimeEnv->InitDataModel($oConfig, true /* model only */);
@@ -357,6 +367,10 @@ try
}
catch (Exception $e)
{
if(file_exists(APPROOT.'data/hub/compile_authent'))
{
unlink(APPROOT.'data/hub/compile_authent');
}
// Note: at this point, the dictionnary is not necessarily loaded
SetupPage::log_error(get_class($e).': '.Dict::S('iTopHub:ConfigurationSafelyReverted')."\n".$e->getMessage());
SetupPage::log_error('Debug trace: '.$e->getTraceAsString());
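Review bot: The token check added in the `compile` and `move_to_production` cases compares the secret with a plain `!==` and does not distinguish `file_get_contents()` returning `false` from a wrong value; read the file once and use a constant-time compare, e.g. `$sStored = file_get_contents(APPROOT.'data/hub/compile_authent');` then `if ($sStored === false || !hash_equals($sStored, (string)$sAuthent))`. The current form still fails closed on a `false` return, so this is hardening rather than a bypass, but an unreadable token file deserves its own log line instead of being reported as a failed authentication. The token lives at one fixed path and is only removed after `move_to_production` succeeds or in the `catch` block, so it presumably survives an abandoned install page until the next page load overwrites it — worth confirming that lifetime is intended. The enclosing `try` block begins and ends outside these hunks.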


@@ -33,7 +33,9 @@ Dict::Add('EN US', 'English', 'English', array(
'iTopHub:Landing:Install' => 'Deploying extensions...',
'iTopHub:CompiledOK' => 'Compilation successful.',
'iTopHub:ConfigurationSafelyReverted' => 'Error detected during deployment!<br/>iTop configuration has NOT been modified.',
'iTopHub:FailAuthent' => 'Authentication failed for this action.',
'iTopHub:InstalledExtensions' => 'Extensions deployed on this instance',
'iTopHub:ExtensionCategory:Manual' => 'Extensions deployed manually',
'iTopHub:ExtensionCategory:Manual+' => 'The following extensions have been deployed by copying them manually in the %1$s directory of iTop:',


@@ -33,6 +33,7 @@ Dict::Add('FR FR', 'French', 'Français', array(
'iTopHub:Landing:Install' => 'Déploiement des extensions...',
'iTopHub:CompiledOK' => 'Compilation réussie.',
'iTopHub:ConfigurationSafelyReverted' => 'Une erreur a été détectée durant le déploiement!<br/>La configuration d\'iTop n\'a PAS été modifiée.',
'iTopHub:FailAuthent' => 'Échec d\'authentification pour cette action',
'iTopHub:InstalledExtensions' => 'Extensions déployées sur cette instance',
'iTopHub:ExtensionCategory:Manual' => 'Extensions déployées manuellement',


@@ -18,7 +18,8 @@ $(function()
extensions_installation: 'Installation of the extensions...',
installation_successful: 'Installation successful!',
rollback: 'iTop configuration has NOT been modified.'
}
},
authent : ''
},
// the constructor
@@ -106,7 +107,7 @@ $(function()
var aExtensionCodes = [];
var aExtensionDirs = [];
$('.choice :input:checked').each(function() { aExtensionCodes.push($(this).attr('data-extension-code')); aExtensionDirs.push($(this).attr('data-extension-dir')); });
$.post(this.options.self_url, {operation: 'compile', extension_codes: aExtensionCodes, extension_dirs: aExtensionDirs}, function(data) { me._on_compile(data) }, 'json');
$.post(this.options.self_url, {operation: 'compile', extension_codes: aExtensionCodes, extension_dirs: aExtensionDirs, authent: this.options.authent}, function(data) { me._on_compile(data) }, 'json');
},
_on_compile: function(data)
{
@@ -125,7 +126,7 @@ $(function()
{
$('#hub-installation-progress-text').html('<i class="fa fa-cogs"></i> '+this.options.labels.extensions_installation);
var me = this;
$.post(this.options.self_url, {operation: 'move_to_production'}, function(data) { me._on_move_to_prod(data) }, 'json');
$.post(this.options.self_url, {operation: 'move_to_production', authent: this.options.authent}, function(data) { me._on_move_to_prod(data) }, 'json');
},
_on_move_to_prod: function(data)
{


@@ -146,6 +146,9 @@ function DoLanding(WebPage $oPage)
function DoInstall(WebPage $oPage)
{
$sUID = hash('sha256', rand());
file_put_contents(APPROOT.'data/hub/compile_authent', $sUID);
$oPage->add_linked_stylesheet(utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/css/hub.css');
$oPage->add('<table class="module-selection-banner"><tr>');
$sBannerUrl = utils::GetAbsoluteUrlModulesRoot().'/itop-hub-connector/images/landing-extension.png';
@@ -259,6 +262,7 @@ function DoInstall(WebPage $oPage)
'installation_successful' => Dict::S('iTopHub:InstallationProgress:InstallationSuccessful'),
'rollback' => Dict::S('iTopHub:ConfigurationSafelyReverted'),
),
'authent' => $sUID,
);
$sWidgetParams = json_encode($aWidgetParams);
@@ -301,6 +305,10 @@ try
break;
case 'install':
if (!file_exists(APPROOT.'data/hub'))
{
mkdir(APPROOT.'data/hub');
}
DoInstall($oPage);
break;
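Review bot: `hash('sha256', rand())` in `DoInstall` derives the token that gates the compile and deploy actions from `rand()`, which is not a cryptographically secure generator, so the value is guessable in principle; use `bin2hex(random_bytes(32))` (PHP 7+, or the project's random_compat equivalent if PHP 5.6 is still supported). The `file_put_contents()` return value is unchecked: a failed write fails closed later (the file is absent), but the administrator then sees only an authentication error, so a `=== false` check that logs or throws would make the failure diagnosable. `mkdir(APPROOT.'data/hub')` in the `install` case likewise ignores its result and uses the default mode; since the token file's confidentiality depends on that directory, consider `mkdir(APPROOT.'data/hub', 0770, true)` and checking the return. `DoInstall` and the surrounding `switch` continue outside these hunks.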


@@ -33,6 +33,7 @@ Dict::Add('ZH CN', 'Chinese', '简体中文', array(
'iTopHub:Landing:Install' => '扩展安装进行中...',
'iTopHub:CompiledOK' => 'Compilation successful.',
'iTopHub:ConfigurationSafelyReverted' => '安装时发生错误!<br/>iTop 配置将不会改变.',
'iTopHub:FailAuthent' => 'Authentication failed for this action.~~',
'iTopHub:InstalledExtensions' => '本机已安装的扩展',
'iTopHub:ExtensionCategory:Manual' => '手动安装的扩展',