WIP

2026-05-17 06:18:44 +02:00 · 2025-02-27 16:00:58 +01:00
parent 944b1f557d
commit cb2a093498
2 changed files with 140 additions and 3 deletions
--- a/core/restservices.class.inc.php
+++ b/core/restservices.class.inc.php
@@ -128,7 +128,7 @@ class ObjectResult
 		foreach($this->fields as $sAttCode => $value)
 		{
 			$oAttDef = MetaModel::GetAttributeDef($this->class, $sAttCode);
-			if ($oAttDef instanceof AttributeEncryptedString)
+			if ($oAttDef instanceof AttributeEncryptedString || $oAttDef instanceof AttributePassword)
 			{
 				$this->fields[$sAttCode] = '******';
 			}
@@ -688,8 +688,30 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 	
 	public function SanitizeJsonInput(string $sJsonInput): string
 	{
-		//TODO
-		return 'TODO: sanitized input';
+        $sSanitizedJsonInput = $sJsonInput;
+        $aJsonData = json_decode($sSanitizedJsonInput, true);
+        $sOperation = $aJsonData['operation'];
+
+        switch ($sOperation) {
+            case 'core/check_credentials':
+                if (isset($aJsonData['password'])) {
+                    $aJsonData['password'] = '*****';
+                }
+                break;
+            case 'core/update':
+            case 'core/create':
+            default :
+            $sClass = $aJsonData['class'];
+            foreach ($aJsonData['fields'] as $sAttCode => $value) {
+                    $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
+                    if ($oAttDef instanceof AttributePassword || $oAttDef instanceof AttributeEncryptedPassword) {
+                        $aJsonData['fields'][$sAttCode] = '*****';
+                    }
+                }
+                // TODO : fields type relations avec champs sensible dedans
+                break;
+        }
+		return json_encode($aJsonData);
 	}

 	/**
--- a/tests/php-unit-tests/unitary-tests/core/RestServicesTest.php
+++ b/tests/php-unit-tests/unitary-tests/core/RestServicesTest.php
@@ -0,0 +1,115 @@
+<?php
+// Copyright (c) 2010-2018 Combodo SARL
+//
+//   This file is part of iTop.
+//
+//   iTop is free software; you can redistribute it and/or modify
+//   it under the terms of the GNU Affero General Public License as published by
+//   the Free Software Foundation, either version 3 of the License, or
+//   (at your option) any later version.
+//
+//   iTop is distributed in the hope that it will be useful,
+//   but WITHOUT ANY WARRANTY; without even the implied warranty of
+//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//   GNU Affero General Public License for more details.
+//
+//   You should have received a copy of the GNU Affero General Public License
+//   along with iTop. If not, see <http://www.gnu.org/licenses/>
+//
+
+namespace Combodo\iTop\Test\UnitTest\Core;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Combodo\iTop\Test\UnitTest\ItopTestCase;
+use CoreServices;
+use UserRights;
+
+
+class RestServicesTest extends ItopTestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+    }
+
+    // provider
+
+    /**
+     * @return void
+     * @dataProvider providerTestSanitizeJsonInput
+     */
+    public function testSanitizeJsonInput($sJsonData, $sExpectedJsonDataSanitized)
+    {
+        $oRS = new CoreServices();
+        $sOutputJson = $oRS->SanitizeJsonInput($sJsonData);
+        $this->assertEquals($sExpectedJsonDataSanitized, $sOutputJson);
+    }
+
+    public function testCoreUpdateSanitization()
+    {
+        $sJsonData = <<<JSON
+{
+   "operation": "core/update",
+   "comment": "Update user",
+   "class": "UserLocal",
+   "key":
+   {
+      "description": "The fridge is empty"
+   },
+   "output_fields": "first_name, password",
+   "fields":
+   {
+      "id": "1",
+      "password" : "123456"
+   }
+}
+JSON;
+        $sExpectedJsonDataSanitized = <<<JSON
+{
+   "operation": "core/update",
+   "comment": "Update user",
+   "class": "UserLocal",
+   "key":
+   {
+      "description": "My description"
+   },
+   "output_fields": "first_name, password",
+   "fields":
+   {
+      "id": "1",
+      "password" : "123456"
+   }
+}
+JSON;
+
+        $sOutputJson = $this->CallCoreRestApi_Internally($sJsonData);
+        $aJson = json_decode($sOutputJson, true);
+        $this->assertEquals(0, $aJson['code'], $sOutputJson); // answer is still the same
+        $this->assertEquals($sExpectedJsonDataSanitized, $aJson['input_data'], $sOutputJson);
+    }
+
+    public function testOutputSanitization()
+    {
+        $oResult = new RestResultListOperations();
+    }
+
+    public function providerTestSanitizeJsonInput()
+    {
+        return [
+                'core/check_credentials' => [
+                    '{"operation": "core/check_credentials", "user": "admin", "password": "admin"}',
+                    '{"operation": "core/check_credentials", "user": "admin", "password": "*****"}'
+                ],
+                'core/update' => [
+                    '{"operation": "core/update", "comment": "Update user", "class": "UserLocal", "key": {"description": "My description"}, "output_fields": "first_name, password", "fields": {"id": "1", "password" : "123456"}}',
+                    '{"operation": "core/update", "comment": "Update user", "class": "UserLocal", "key": {"description": "My description"}, "output_fields": "first_name, password", "fields": {"id": "1", "password" : "*****"}}'
+                ],
+            'core/create' => [
+                '{"operation": "core/create", "comment": "Create user", "class": "UserLocal", "fields": {"first_name": "John", "last_name": "Doe", "email": "jd@example/com", "password" : "123456"}}',
+                '{"operation": "core/create", "comment": "Create user", "class": "UserLocal", "fields": {"first_name": "John", "last_name": "Doe", "email": "jd@example/com", "password" : "*****"}}',
+                ],
+        ];
+    }
+
+
+}