From eeec57536beddc73af8ab9c7c30eabdbac7bbf5f Mon Sep 17 00:00:00 2001
From: jf-cbd <jimmy.fayolle@combodo.com>
Date: Tue, 23 Apr 2024 11:55:39 +0200
Subject: [PATCH] Security hardening

---
 .../itop-hub-connector/TokenValidation.php    | 19 ++++++++
 datamodels/2.x/itop-hub-connector/launch.php  | 20 ++++++---
 setup/wizardsteps.class.inc.php               |  5 +++
 .../TokenValidationTest.php                   | 43 +++++++++++++++++++
 4 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 datamodels/2.x/itop-hub-connector/TokenValidation.php
 create mode 100644 tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-hub-connector/TokenValidationTest.php

diff --git a/datamodels/2.x/itop-hub-connector/TokenValidation.php b/datamodels/2.x/itop-hub-connector/TokenValidation.php
new file mode 100644
index 000000000..6a30079cf
--- /dev/null
+++ b/datamodels/2.x/itop-hub-connector/TokenValidation.php
@@ -0,0 +1,19 @@
+<?php
+
+class TokenValidation
+{
+	// construct function
+	public function __construct()
+	{
+	}
+	public function isSetupTokenValid($sParamToken) : bool
+	{
+		if (!file_exists(APPROOT.'data/.setup')) {
+			return false;
+		}
+		$sSetupToken = trim(file_get_contents(APPROOT.'data/.setup'));
+		unlink(APPROOT.'data/.setup');
+		return $sParamToken === $sSetupToken;
+	}
+
+}
\ No newline at end of file
diff --git a/datamodels/2.x/itop-hub-connector/launch.php b/datamodels/2.x/itop-hub-connector/launch.php
index 5e042c734..bda598223 100644
--- a/datamodels/2.x/itop-hub-connector/launch.php
+++ b/datamodels/2.x/itop-hub-connector/launch.php
@@ -280,6 +280,7 @@ try
 	require_once ('hubconnectorpage.class.inc.php');
 	
 	require_once (APPROOT.'/application/startup.inc.php');
+    require_once('TokenValidation.php');
 	
 	$sTargetRoute = utils::ReadParam('target', ''); // ||browse_extensions|deploy_extensions|
 	
@@ -299,11 +300,20 @@ try
 		case 'inform_after_setup':
 		// Hidden IFRAME at the end of the setup
 		require_once (APPROOT.'/application/ajaxwebpage.class.inc.php');
-		$oPage = new NiceWebPage('');
-		$aDataToPost = MakeDataToPost($sTargetRoute);
-		$oPage->add('<form id="hub_launch_form" action="'.$sHubUrlStateless.'" method="post">');
-		$oPage->add('<input type="hidden" name="json" value="'.htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8').'">');
-		$oPage->add_ready_script('$("#hub_launch_form").submit();');
+
+            $sParamToken = utils::ReadParam('setup_token');
+            $oTokenValidation = new TokenValidation();
+            $bIsTokenValid = $oTokenValidation->isSetupTokenValid($sParamToken);
+            if (UserRights::IsAdministrator() || $bIsTokenValid) {
+                $oPage = new NiceWebPage('');
+                $aDataToPost = MakeDataToPost($sTargetRoute);
+                $oPage->add('<form id="hub_launch_form" action="' . $sHubUrlStateless . '" method="post">');
+                $oPage->add('<input type="hidden" name="json" value="' . htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8') . '">');
+                $oPage->add_ready_script('$("#hub_launch_form").submit();');
+            } else {
+                IssueLog::Error('TokenValidation failed on inform_after_setup page');
+                throw new Exception("Not allowed");
+            }
 		break;
 		
 		default:
diff --git a/setup/wizardsteps.class.inc.php b/setup/wizardsteps.class.inc.php
index 097aa07cd..09f89509b 100644
--- a/setup/wizardsteps.class.inc.php
+++ b/setup/wizardsteps.class.inc.php
@@ -2607,6 +2607,11 @@ class WizStepDone extends WizardStep
 		$oProductionEnv->InitDataModel($oConfig, true);
 		$sIframeUrl = $oConfig->GetModuleSetting('itop-hub-connector', 'setup_url', '');
 
+        $sSetupTokenFile = APPROOT.'data/.setup';
+        $sSetupToken = bin2hex(random_bytes(12));
+        file_put_contents($sSetupTokenFile, $sSetupToken);
+        $sIframeUrl.= "&setup_token=$sSetupToken";
+
 		if ($sIframeUrl != '')
 		{
 			$oPage->add('<iframe id="fresh_content" style="border:0; width:100%; display:none;" src="'.$sIframeUrl.'"></iframe>');
diff --git a/tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-hub-connector/TokenValidationTest.php b/tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-hub-connector/TokenValidationTest.php
new file mode 100644
index 000000000..8ae6da01e
--- /dev/null
+++ b/tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-hub-connector/TokenValidationTest.php
@@ -0,0 +1,43 @@
+<?php
+declare(strict_types=1);
+
+namespace Combodo\iTop\Test\UnitTest\Module\LaunchTest;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use TokenValidation;
+
+class TokenValidationTest extends ItopDataTestCase
+{
+	/**
+	 * @param string $sSetupToken
+	 *
+	 * @return string
+	 */
+	public function createSetupTokenFile(string $sSetupToken): string
+	{
+		$sSetupTokenFile = APPROOT.'data/.setup';
+		file_put_contents($sSetupTokenFile, $sSetupToken);
+
+		return $sSetupTokenFile;
+	}protected function setUp(): void
+	{
+		parent::setUp();
+		$this->RequireOnceItopFile('datamodels/2.x/itop-hub-connector/TokenValidation.php');
+	}
+
+	public function testLaunch()
+	{
+		$oTokenValidation = new TokenValidation();
+
+		$sSetupToken = bin2hex(random_bytes(12));
+		$this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
+		$this->assertFalse($oTokenValidation->isSetupTokenValid(''));
+		$this->assertFalse($oTokenValidation->isSetupTokenValid($sSetupToken));
+		$this->createSetupTokenFile($sSetupToken);
+		$this->assertFalse($oTokenValidation->isSetupTokenValid('lol'));
+		$this->createSetupTokenFile($sSetupToken);
+		$this->assertFalse($oTokenValidation->isSetupTokenValid(''));
+		$this->createSetupTokenFile($sSetupToken);
+		$this->assertTrue($oTokenValidation->isSetupTokenValid($sSetupToken));
+	}
+}