mirror of
https://github.com/Combodo/iTop.git
synced 2026-02-13 07:24:13 +01:00
Security hardening
This commit is contained in:
jf-cbd
19
datamodels/2.x/itop-hub-connector/TokenValidation.php
Normal file
19
datamodels/2.x/itop-hub-connector/TokenValidation.php
Normal file
@@ -0,0 +1,19 @@
|
||||
<?php
|
||||
|
||||
class TokenValidation
|
||||
{
|
||||
// construct function
|
||||
public function __construct()
|
||||
{
|
||||
}
|
||||
public function isSetupTokenValid($sParamToken) : bool
|
||||
{
|
||||
if (!file_exists(APPROOT.'data/.setup')) {
|
||||
return false;
|
||||
}
|
||||
$sSetupToken = trim(file_get_contents(APPROOT.'data/.setup'));
|
||||
unlink(APPROOT.'data/.setup');
|
||||
return $sParamToken === $sSetupToken;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -280,6 +280,7 @@ try
|
||||
require_once ('hubconnectorpage.class.inc.php');
|
||||
|
||||
require_once (APPROOT.'/application/startup.inc.php');
|
||||
require_once('TokenValidation.php');
|
||||
|
||||
$sTargetRoute = utils::ReadParam('target', ''); // ||browse_extensions|deploy_extensions|
|
||||
|
||||
@@ -299,11 +300,20 @@ try
|
||||
case 'inform_after_setup':
|
||||
// Hidden IFRAME at the end of the setup
|
||||
require_once (APPROOT.'/application/ajaxwebpage.class.inc.php');
|
||||
$oPage = new NiceWebPage('');
|
||||
$aDataToPost = MakeDataToPost($sTargetRoute);
|
||||
$oPage->add('<form id="hub_launch_form" action="'.$sHubUrlStateless.'" method="post">');
|
||||
$oPage->add('<input type="hidden" name="json" value="'.htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8').'">');
|
||||
$oPage->add_ready_script('$("#hub_launch_form").submit();');
|
||||
|
||||
$sParamToken = utils::ReadParam('setup_token');
|
||||
$oTokenValidation = new TokenValidation();
|
||||
$bIsTokenValid = $oTokenValidation->isSetupTokenValid($sParamToken);
|
||||
if (UserRights::IsAdministrator() || $bIsTokenValid) {
|
||||
$oPage = new NiceWebPage('');
|
||||
$aDataToPost = MakeDataToPost($sTargetRoute);
|
||||
$oPage->add('<form id="hub_launch_form" action="' . $sHubUrlStateless . '" method="post">');
|
||||
$oPage->add('<input type="hidden" name="json" value="' . htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8') . '">');
|
||||
$oPage->add_ready_script('$("#hub_launch_form").submit();');
|
||||
} else {
|
||||
IssueLog::Error('TokenValidation failed on inform_after_setup page');
|
||||
throw new Exception("Not allowed");
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
|
||||
@@ -2607,6 +2607,11 @@ class WizStepDone extends WizardStep
|
||||
$oProductionEnv->InitDataModel($oConfig, true);
|
||||
$sIframeUrl = $oConfig->GetModuleSetting('itop-hub-connector', 'setup_url', '');
|
||||
|
||||
$sSetupTokenFile = APPROOT.'data/.setup';
|
||||
$sSetupToken = bin2hex(random_bytes(12));
|
||||
file_put_contents($sSetupTokenFile, $sSetupToken);
|
||||
$sIframeUrl.= "&setup_token=$sSetupToken";
|
||||
|
||||
if ($sIframeUrl != '')
|
||||
{
|
||||
$oPage->add('<iframe id="fresh_content" style="border:0; width:100%; display:none;" src="'.$sIframeUrl.'"></iframe>');
|
||||
|
||||
@@ -0,0 +1,43 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Combodo\iTop\Test\UnitTest\Module\LaunchTest;
|
||||
|
||||
use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
|
||||
use TokenValidation;
|
||||
|
||||
class TokenValidationTest extends ItopDataTestCase
|
||||
{
|
||||
/**
|
||||
* @param string $sSetupToken
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function createSetupTokenFile(string $sSetupToken): string
|
||||
{
|
||||
$sSetupTokenFile = APPROOT.'data/.setup';
|
||||
file_put_contents($sSetupTokenFile, $sSetupToken);
|
||||
|
||||
return $sSetupTokenFile;
|
||||
}protected function setUp(): void
|
||||
{
|
||||
parent::setUp();
|
||||
$this->RequireOnceItopFile('datamodels/2.x/itop-hub-connector/TokenValidation.php');
|
||||
}
|
||||
|
||||
public function testLaunch()
|
||||
{
|
||||
$oTokenValidation = new TokenValidation();
|
||||
|
||||
$sSetupToken = bin2hex(random_bytes(12));
|
||||
$this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
|
||||
$this->assertFalse($oTokenValidation->isSetupTokenValid(''));
|
||||
$this->assertFalse($oTokenValidation->isSetupTokenValid($sSetupToken));
|
||||
$this->createSetupTokenFile($sSetupToken);
|
||||
$this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
|
||||
$this->createSetupTokenFile($sSetupToken);
|
||||
$this->assertFalse($oTokenValidation->isSetupTokenValid(''));
|
||||
$this->createSetupTokenFile($sSetupToken);
|
||||
$this->assertTrue($oTokenValidation->isSetupTokenValid($sSetupToken));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user