N°7810 - renable test in ci

N°7810 - code hardening
Security hardening
2026-02-15 00:14:10 +01:00 · 2024-12-19 16:43:08 +01:00 · 2024-12-19 15:12:26 +01:00 · 2024-12-13 16:48:13 +01:00 · 2024-12-13 15:09:18 +01:00 · 2024-11-27 09:40:22 +01:00
6 changed files with 57 additions and 58 deletions
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -1193,12 +1193,12 @@ EOF
 		$sOkButtonLabel = Dict::S('UI:Button:Save');
 		$sCancelButtonLabel = Dict::S('UI:Button:Cancel');
 		
-		$sId = utils::HtmlEntities($this->sId);
-		$sLayoutClass = utils::HtmlEntities($this->sLayoutClass);
+		$sId = json_encode($this->sId);
+		$sLayoutClass = json_encode($this->sLayoutClass);
 		$sAutoReload = $this->bAutoReload ? 'true' : 'false';
 		$sAutoReloadSec = (string) $this->iAutoReloadSec;
-		$sTitle = utils::HtmlEntities($this->sTitle);
-		$sFile = utils::HtmlEntities($this->GetDefinitionFile());
+		$sTitle = json_encode($this->sTitle);
+		$sFile = json_encode($this->GetDefinitionFile());
 		$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php';
 		$sReloadURL = $this->GetReloadURL();

@@ -1250,15 +1250,15 @@ $('#dashboard_editor').dialog({
 });

 $('#dashboard_editor .ui-layout-center').runtimedashboard({
-	dashboard_id: '$sId', 
-	layout_class: '$sLayoutClass', 
-	title: '$sTitle',
+	dashboard_id: $sId, 
+	layout_class: $sLayoutClass, 
+	title: $sTitle,
 	auto_reload: $sAutoReload, 
 	auto_reload_sec: $sAutoReloadSec,
 	submit_to: '$sUrl', 
-	submit_parameters: {operation: 'save_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	submit_parameters: {operation: 'save_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	render_to: '$sUrl', 
-	render_parameters: {operation: 'render_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	render_parameters: {operation: 'render_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	new_dashlet_parameters: {operation: 'new_dashlet'}
 });

--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1246,7 +1246,12 @@ class ObjectController extends BrickController
 		$bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 		$aParams = array('objects_id' => $aObjectIds);
 		$oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
-		if ($bIgnoreSilos === true)
+        if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
+        ) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to read ' . $sObjectClass . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+        if ($bIgnoreSilos === true)
 		{
 			$oSearch->AllowAllData();
 		}
--- a/tests/php-unit-tests/phpunit.xml.dist
+++ b/tests/php-unit-tests/phpunit.xml.dist
@@ -41,7 +41,9 @@
    <testsuite name="Setup">
      <directory>unitary-tests/setup</directory>
    </testsuite>
-    <!-- Note: The unitary-tests/sources/application/TwigBase is omitted for now as the test is not working -->
+    <testsuite name="SourcesApplicationTwigBase">
+      <directory>unitary-tests/sources/application/TwigBase</directory>
+    </testsuite>
    <testsuite name="SourcesApplicationSearch">
      <directory>unitary-tests/sources/application/search</directory>
    </testsuite>
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
@@ -1,58 +1,44 @@
 <?php
-namespace Combodo\iTop\Test\UnitTest;
+
+namespace Combodo\iTop\Test\UnitTest\Application\TwigBase;

 use Combodo\iTop\Portal\Twig\AppExtension;
-use Twig_Environment;
-use Twig_Loader_Array;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Twig\Environment;
+use Twig\Loader\FilesystemLoader;

-/**
- * @runTestsInSeparateProcesses
- * @preserveGlobalState disabled
- * @backupGlobals disabled
- */
 class TwigTest extends ItopDataTestCase
 {
-	protected function setUp(): void
-	{
-		parent::setUp();
-		$this->RequireOnceItopFile('core/config.class.inc.php');
-	}
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->RequireOnceItopFile('core/config.class.inc.php');
+    }

-	/**
-	 * Test the fix for ticket N°4384
-	 *
-	 * @dataProvider TemplateProvider
-	 *
-	 */
-	public function testTemplate($sFileName, $sExpected)
-	{
-		$sId = 'TestTwig';
-		$oAppExtension = new AppExtension();
+    /**
+     * @covers N°4384 N°7810
+     *
+     */
+    public function testTemplate()
+    {
+        // Creating sandbox twig env. to load and test the custom form template
+        $oTwig = new Environment(new FilesystemLoader(__DIR__.'/'));

-		// Creating sandbox twig env. to load and test the custom form template
-		$oTwig = new Twig_Environment(new Twig_Loader_Array([$sId => $sFileName]));
+        // Manually registering filters and functions as we didn't find how to do it automatically
+        $oAppExtension = new AppExtension();
+        $aFilters = $oAppExtension->getFilters();
+        foreach ($aFilters as $oFilter)
+        {
+            $oTwig->addFilter($oFilter);
+        }
+        $aFunctions = $oAppExtension->getFunctions();
+        foreach ($aFunctions as $oFunction)
+        {
+            $oTwig->addFunction($oFunction);
+        }

-		// Manually registering filters and functions as we didn't find how to do it automatically
-		$aFilters = $oAppExtension->getFilters();
-		foreach ($aFilters as $oFilter)
-		{
-			$oTwig->addFilter($oFilter);
-		}
-		$aFunctions = $oAppExtension->getFunctions();
-		foreach ($aFunctions as $oFunction)
-		{
-			$oTwig->addFunction($oFunction);
-		}
-	}
+        $sOutput = $oTwig->render('test.html.twig');

-	public static function testTemplateProvider()
-	{
-		$aReturn = array();
-		$aReturn['filter_system'] = [
-				'sFileName' => 'test.html',
-				'expected' =>file_get_contents(dirname(__FILE__).'/test.html'),
-			];
-
-		return $aReturn;
-	}
+        $this->assertEquals(file_get_contents(__DIR__.'/test.html'), $sOutput);
+    }
 }
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
@@ -42,5 +42,8 @@ Smith, Dupond
 <div>['echo',1]|sort('system')|join</div>
 echo1

+<div>[['id','']|sort('system')</div>
+id
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email=""@attacker.tld
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
@@ -47,5 +47,8 @@
 <div>['echo',1]|sort('system')|join</div>
 {{ ['echo',1]|sort('system')|join }}

+<div>[['id','']|sort('system')</div>
+{{['id','']|sort('system')|join}}
+
 POST /subscribe?0=cat+/etc/passwd HTTP/1.1
 email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld
Author	SHA1	Message	Date
odain	a14bc3a31a	N°7810 - renable test in ci	2024-12-19 16:43:08 +01:00
Eric Espie	927a77b905	N°7810 - code hardening	2024-12-19 15:12:26 +01:00
jf-cbd	95aa444ee6	Security hardening	2024-12-13 16:48:13 +01:00
jf-cbd	f5de808c7c	Security hardening (#685 ) * security hardening	2024-12-13 15:09:18 +01:00
Benjamin Dalsass	e03033ce52	N°7219 - Fatal error following dashboard modification when dashboard title contains an é	2024-11-27 09:40:22 +01:00