From 3d7dc9bba667941cc974b520d6606a6295c212a1 Mon Sep 17 00:00:00 2001 
From: Charles Gautier <33026375+chgautier@users.noreply.github.com> Date: Fri, 26 Aug 2022 17:44:29 +0200 Subject: [PATCH] chore(release): merge release 21.10.9 into 21.10.x (#11628) (#11629) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(git): resync 21.10.x to dev-21.10.x (#11499) * fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11505) Refs: MON-14585 * fix(UI): Include host_id when selecting ServiceGroups on dashreports (#11428) (#11520) Co-authored-by: VHS Co-authored-by: VHS * [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11518) 1122 1153 1134 * [Snyk] Sanitize and bind ACL action access queries (#11385) (#11515) * Sanitize and bind ACL action access queries _ sanitize if possible each variables inserted in a query _ use PDO prepared statement and bind() method _ Do not use $pearDB->escape on which is for examples useless on integers and on non closed HTML tags (svg, img, etc) * fix line length * fix failed checks * fix(cron): Escape database name in CentACL 21.10.x (#11509) * fix(pendo): correctly set locale when language is detection by browser (#11484) (#11529) * fix(test): fix random fails on virtual metric test (#11524) Refs: MON-14359 * enh(platform): Use API to select metrics in virtual metrics configuration form 21.10.x (#11508) Refs: MON-14359 * doc(ack): acknowledge Hakaï security (#11539) * fix(web): fix the comment deletion for host monitored by poller (#11138) (#11557) Refs: MON-12828 Co-authored-by: Stéphane Duret * SNYK: Sanitize and bind Broker listing queries (#11551) * Sanitizing and binding broker listing queries * applying suggested changes * fix(conf) fix encoding in template service listing (#11558) (#11565) * fix encoding * remove useless function * SNYK: Sanitize and bind generateImage queries (#11562) * sanitize and bind generate image queries * adding throw exception * applying suggested changes * Update 
www/include/views/graphs/generateGraphs/generateImage.php Co-authored-by: Kevin Duret Co-authored-by: Kevin Duret * SNYK: Sanitize and bind ACL actions queries (#11548) * sanitizing and binding acl actions queries * fix missing bind * MON-14501 - sanitize query in centreonXmlbgRequest class (#11571) * sanitize query in centreonXmlbgRequest class * add closeCursor func to resolve conv * SNYK: Sanitize and bind Meta-Services dependency queries (#11568) * sanityze 2 insert queries * spaces removed in a query * chore(install): Update version to 21.10.9 * fix(sql): fix query to select contact during ldap import (#11579) Refs: MON-14263 * (fix)MON-14742 Escape database name in CentACL (#11602) * fixed issue of using special chars in db names * fix escape database name * fixed security issue on sql requests * fix(platform) : Issue with cross databases query when the name contains some characters (#11279) (#11619) Co-authored-by: Kevin Duret Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: VHS Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: Stéphane Duret Co-authored-by: alaunois Co-authored-by: Dmytro Iosypenko <108675430+dmyios@users.noreply.github.com> Co-authored-by: Kevin Duret Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com> Co-authored-by: VHS Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com> Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com> Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com> Co-authored-by: Stéphane Duret Co-authored-by: alaunois Co-authored-by: Dmytro Iosypenko <108675430+dmyios@users.noreply.github.com> --- .../centreon_performance_service.class.php | 3 ++- 
www/api/class/centreon_topcounter.class.php | 17 ++++++++--------
.../centreon-partition/mysqlTable.class.php | 2 +-
.../centreon-partition/partEngine.class.php | 16 +++++++--------
www/class/centreonAuth.class.php | 2 +-
.../configuration/configServers/DB-Func.php | 16 +++++++--------
www/install/insertBaseConf.sql | 2 +-
www/install/php/Update-21.10.9.php | 20 +++++++++++++++++++
www/install/steps/process/createDbUser.php | 2 +-
www/install/steps/process/insertBaseConf.php | 2 +-
.../steps/process/installConfigurationDb.php | 4 ++--
.../steps/process/installStorageDb.php | 4 ++--
12 files changed, 56 insertions(+), 34 deletions(-)
create mode 100644 www/install/php/Update-21.10.9.php
diff --git a/www/api/class/centreon_performance_service.class.php b/www/api/class/centreon_performance_service.class.php
index 15446f21782..5a4728a5617 100644
--- a/www/api/class/centreon_performance_service.class.php
+++ b/www/api/class/centreon_performance_service.class.php
@@ -114,7 +114,8 @@ public function getList()
 }
 if ($excludeAnomalyDetection) {
- $additionalCondition .= 'AND s.service_id NOT IN (SELECT service_id FROM ' . $conf_centreon['db'] . '.mod_anomaly_service) ';
+ $additionalCondition .= 'AND s.service_id NOT IN (SELECT service_id
+ FROM `' . $conf_centreon['db'] . '`.mod_anomaly_service) ';
 }
 if (isset($this->arguments['hostgroup'])) {
 $additionalCondition .= 'AND (hg.host_id = i.host_id ' .
diff --git a/www/api/class/centreon_topcounter.class.php b/www/api/class/centreon_topcounter.class.php
index 263b5589ec3..a276098b4e2 100644
--- a/www/api/class/centreon_topcounter.class.php
+++ b/www/api/class/centreon_topcounter.class.php
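Review bot: Wrapping `$conf_centreon['db']` in backticks does not by itself make the identifier safe, because a backtick inside the value still terminates the quoted identifier, and the same unescaped quoting is repeated in the centreon_topcounter.class.php, mysqlTable.class.php, partEngine.class.php, DB-Func.php, insertBaseConf.php, installConfigurationDb.php and installStorageDb.php hunks of this patch. Where the name is quoted, double any backtick it contains first (a `str_replace` of one backtick with two on the value) or route all of these call sites through one helper that does so, rather than repeating the raw concatenation. In the install step files the value is `$parameters['db_configuration']` / `$parameters['db_storage']`, which looks like wizard input rather than a config file, so the escaping matters most there. getList() starts and ends outside this hunk.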
@@ -847,19 +847,20 @@ protected function checkChangeState($pollerId, $lastRestart)
 $query = "SELECT * FROM log_action WHERE action_log_date > $lastRestart " .
 "AND ((object_type = 'host' AND ((action_type = 'd' AND object_id IN (SELECT host_id FROM hosts)) " .
- "OR object_id IN (SELECT host_host_id FROM " .
- $conf_centreon['db'] . ".ns_host_relation WHERE nagios_server_id = '$pollerId'))) " .
+ "OR object_id IN (SELECT host_host_id FROM `" .
+ $conf_centreon['db'] . "`.ns_host_relation WHERE nagios_server_id = '$pollerId'))) " .
 "OR (object_type = 'service' AND ((action_type = 'd' AND object_id IN (SELECT service_id FROM services)) OR " .
- "object_id IN (SELECT service_service_id FROM " .
- $conf_centreon['db'] . ".ns_host_relation nhr, " . $conf_centreon['db'] . ".host_service_relation hsr " .
+ "object_id IN (SELECT service_service_id FROM `" .
+ $conf_centreon['db'] . "`.ns_host_relation nhr, `" . $conf_centreon['db'] . "`.host_service_relation hsr " .
 "WHERE nagios_server_id = '$pollerId' AND hsr.host_host_id = nhr.host_host_id)))" .
 "OR (object_type = 'servicegroup' AND ((action_type = 'd' AND object_id IN (SELECT DISTINCT servicegroup_id " .
- "FROM services_servicegroups)) OR object_id IN (SELECT DISTINCT servicegroup_sg_id FROM " .
- $conf_centreon['db'] . ".servicegroup_relation sgr, " . $conf_centreon['db'] . ".ns_host_relation nhr " .
+ "FROM services_servicegroups)) OR object_id IN (SELECT DISTINCT servicegroup_sg_id FROM `" .
+ $conf_centreon['db'] . "`.servicegroup_relation sgr,
+ `" . $conf_centreon['db'] . "`.ns_host_relation nhr " .
 "WHERE sgr.host_host_id = nhr.host_host_id AND nhr.nagios_server_id = '$pollerId')))" .
 "OR (object_type = 'hostgroup' AND ((action_type = 'd' AND object_id IN (SELECT DISTINCT hostgroup_id " .
- "FROM hosts_hostgroups)) OR object_id IN (SELECT DISTINCT hr.hostgroup_hg_id FROM " .
- $conf_centreon['db'] . ".hostgroup_relation hr, " . $conf_centreon['db'] . ".ns_host_relation nhr " .
+ "FROM hosts_hostgroups)) OR object_id IN (SELECT DISTINCT hr.hostgroup_hg_id FROM `" . + $conf_centreon['db'] . "`.hostgroup_relation hr, `" . $conf_centreon['db'] . "`.ns_host_relation nhr " . "WHERE hr.host_host_id = nhr.host_host_id AND nhr.nagios_server_id = '$pollerId'))))"; try { diff --git a/www/class/centreon-partition/mysqlTable.class.php b/www/class/centreon-partition/mysqlTable.class.php index 5a88b7cd916..9568ba23ca2 100644 --- a/www/class/centreon-partition/mysqlTable.class.php +++ b/www/class/centreon-partition/mysqlTable.class.php @@ -423,7 +423,7 @@ public function isValid() public function exists() { try { - $DBRESULT = $this->db->query("use " . $this->schema); + $DBRESULT = $this->db->query("use `" . $this->schema . "`"); } catch (\PDOException $e) { throw new Exception( "SQL Error: Cannot use database " diff --git a/www/class/centreon-partition/partEngine.class.php b/www/class/centreon-partition/partEngine.class.php index 900c889d870..bf488a95e58 100644 --- a/www/class/centreon-partition/partEngine.class.php +++ b/www/class/centreon-partition/partEngine.class.php @@ -236,7 +236,7 @@ private function createDailyPartitions($table, $createPastPartitions): string */ public function createParts($table, $db, $createPastPartitions): void { - $tableName = $table->getSchema() . "." . $table->getName(); + $tableName = "`" . $table->getSchema() . "`." . $table->getName(); if ($table->exists()) { throw new Exception("Warning: Table " . $tableName . " already exists\n"); } @@ -253,7 +253,7 @@ public function createParts($table, $db, $createPastPartitions): void } try { - $dbResult = $db->query("use " . $table->getSchema()); + $dbResult = $db->query("use `" . $table->getSchema() . "`"); } catch (\PDOException $e) { throw new Exception( "SQL Error: Cannot use database " 
@@ -325,7 +325,7 @@ public function purgeParts($table, $db)
 $condition = $this->purgeDailyPartitionCondition($table);
 }
- $tableName = $table->getSchema() . "." . $table->getName();
+ $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 if (!$table->exists()) {
 throw new Exception("Error: Table " . $tableName . " does not exists\n");
 }
@@ -364,7 +364,7 @@ public function purgeParts($table, $db)
 */
 public function migrate($table, $db)
 {
- $tableName = $table->getSchema() . "." . $table->getName();
+ $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 $db->query("SET bulk_insert_buffer_size= 1024 * 1024 * 256");
@@ -411,7 +411,7 @@ public function migrate($table, $db)
 */
 public function updateParts($table, $db)
 {
- $tableName = $table->getSchema() . "." . $table->getName();
+ $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 //verifying if table is partitioned
 if ($this->isPartitioned($table, $db) === false) {
@@ -433,7 +433,7 @@ public function updateParts($table, $db)
 */
 public function optimizeTablePartitions($table, $db)
 {
- $tableName = $table->getSchema() . "." . $table->getName();
+ $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 if (!$table->exists()) {
 throw new Exception("Optimize error: Table " . $tableName . " does not exists\n");
 }
@@ -472,7 +472,7 @@ public function optimizeTablePartitions($table, $db)
 */
 public function listParts($table, $db, $throwException = true)
 {
- $tableName = $table->getSchema() . "." . $table->getName();
+ $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 if (!$table->exists()) {
 throw new Exception("Parts list error: Table " . $tableName . " does not exists\n");
 }
@@ -521,7 +521,7 @@ public function listParts($table, $db, $throwException = true) */ public function backupParts($table, $db) { - $tableName = $table->getSchema() . "." . $table->getName(); + $tableName = "`" . $table->getSchema() . "`." . $table->getName(); if (!$table->exists()) { throw new Exception("Error: Table " . $tableName . " does not exists\n"); } diff --git a/www/class/centreonAuth.class.php b/www/class/centreonAuth.class.php index 4b02e192e74..09f9c92af1b 100644 --- a/www/class/centreonAuth.class.php +++ b/www/class/centreonAuth.class.php @@ -349,7 +349,7 @@ protected function checkUser($username, $password, $token) */ $statement = $this->pearDB->prepare( "SELECT * FROM `contact` " . - "WHERE `contact_alias` = :contact_alias" . + "WHERE `contact_alias` = :contact_alias " . "AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1" ); $statement->bindValue(':contact_alias', $this->pearDB->escape($username, true), \PDO::PARAM_STR); diff --git a/www/include/configuration/configServers/DB-Func.php b/www/include/configuration/configServers/DB-Func.php index 4ab87047a30..83b150d1c7f 100644 --- a/www/include/configuration/configServers/DB-Func.php +++ b/www/include/configuration/configServers/DB-Func.php @@ -1066,7 +1066,7 @@ function getChangeState(array $pollers): array UNION SELECT instance_id, COUNT(*) as num_logs, MAX(action_log_date) as action_log_date FROM log_action INNER JOIN ( - SELECT nagios_server_id as instance_id, host_host_id as host_id FROM {$conf_centreon['db']}.ns_host_relation + SELECT nagios_server_id as instance_id, host_host_id as host_id FROM `{$conf_centreon['db']}`.ns_host_relation WHERE nagios_server_id IN ($pollersSearch) ) AS subtable ON log_action.object_id = subtable.host_id WHERE log_action.object_type = 'host' AND action_log_date > $lastRestart GROUP BY subtable.instance_id 
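Review bot: The value bound to `:contact_alias` on the last context line of the centreonAuth.class.php hunk is pre-escaped with `$this->pearDB->escape($username, true)` before `bindValue()`; a bound parameter is quoted by the driver, so escaping it first changes the literal that is compared, and an alias containing a quote or a backslash would then never match (assuming escape() adds backslashes, which this hunk does not show). Bind the raw value instead: `$statement->bindValue(':contact_alias', $username, \PDO::PARAM_STR);`. checkUser() starts before this hunk and continues after it.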
@@ -1082,7 +1082,7 @@ function getChangeState(array $pollers): array SELECT instance_id, COUNT(*) as num_logs, MAX(action_log_date) as action_log_date FROM log_action INNER JOIN ( SELECT nagios_server_id as instance_id, service_service_id as service_id - FROM {$conf_centreon['db']}.ns_host_relation nhr, {$conf_centreon['db']}.host_service_relation hsr + FROM `{$conf_centreon['db']}`.ns_host_relation nhr, `{$conf_centreon['db']}`.host_service_relation hsr WHERE nagios_server_id IN ($pollersSearch) AND hsr.host_host_id = nhr.host_host_id ) AS subtable ON log_action.object_id = subtable.service_id @@ -1099,7 +1099,7 @@ function getChangeState(array $pollers): array SELECT instance_id, COUNT(*) as num_logs, MAX(action_log_date) as action_log_date FROM log_action INNER JOIN ( SELECT nhr.nagios_server_id as instance_id, servicegroup_sg_id as servicegroup_id - FROM {$conf_centreon['db']}.servicegroup_relation sgr, {$conf_centreon['db']}.ns_host_relation nhr + FROM `{$conf_centreon['db']}`.servicegroup_relation sgr, `{$conf_centreon['db']}`.ns_host_relation nhr WHERE nhr.nagios_server_id IN ($pollersSearch) AND sgr.host_host_id = nhr.host_host_id ) AS subtable ON log_action.object_id = subtable.servicegroup_id @@ -1116,7 +1116,7 @@ function getChangeState(array $pollers): array SELECT instance_id, COUNT(*) as num_logs, MAX(action_log_date) as action_log_date FROM log_action INNER JOIN ( SELECT nhr.nagios_server_id as instance_id, hostgroup_hg_id as hostgroup_id - FROM {$conf_centreon['db']}.hostgroup_relation hr, {$conf_centreon['db']}.ns_host_relation nhr + FROM `{$conf_centreon['db']}`.hostgroup_relation hr, `{$conf_centreon['db']}`.ns_host_relation nhr WHERE nhr.nagios_server_id IN ($pollersSearch) AND hr.host_host_id = nhr.host_host_id ) AS subtable ON log_action.object_id = subtable.hostgroup_id 
@@ -1176,7 +1176,7 @@ function checkChangeState(int $poller_id, int $last_restart): bool ) OR object_id IN ( SELECT host_host_id - FROM {$conf_centreon['db']}.ns_host_relation + FROM `{$conf_centreon['db']}`.ns_host_relation` WHERE nagios_server_id = $poller_id ) ) @@ -1194,7 +1194,7 @@ function checkChangeState(int $poller_id, int $last_restart): bool ) OR object_id IN ( SELECT service_service_id - FROM {$conf_centreon['db']}.ns_host_relation nhr, {$conf_centreon['db']}.host_service_relation hsr + FROM `{$conf_centreon['db']}`.ns_host_relation nhr, `{$conf_centreon['db']}`.host_service_relation hsr WHERE nagios_server_id = $poller_id AND hsr.host_host_id = nhr.host_host_id ) @@ -1214,7 +1214,7 @@ function checkChangeState(int $poller_id, int $last_restart): bool ) OR object_id IN ( SELECT DISTINCT servicegroup_sg_id - FROM {$conf_centreon['db']}.servicegroup_relation sgr, {$conf_centreon['db']}.ns_host_relation nhr + FROM `{$conf_centreon['db']}`.servicegroup_relation sgr, `{$conf_centreon['db']}`.ns_host_relation nhr WHERE sgr.host_host_id = nhr.host_host_id AND nhr.nagios_server_id = $poller_id ) @@ -1234,7 +1234,7 @@ function checkChangeState(int $poller_id, int $last_restart): bool ) OR object_id IN ( SELECT DISTINCT hr.hostgroup_hg_id - FROM {$conf_centreon['db']}.hostgroup_relation hr, {$conf_centreon['db']}.ns_host_relation nhr + FROM `{$conf_centreon['db']}`.hostgroup_relation hr, `{$conf_centreon['db']}`.ns_host_relation nhr WHERE hr.host_host_id = nhr.host_host_id AND nhr.nagios_server_id = $poller_id ) diff --git a/www/install/insertBaseConf.sql b/www/install/insertBaseConf.sql index de0f1927ef6..e594a988e0f 100644 --- a/www/install/insertBaseConf.sql +++ b/www/install/insertBaseConf.sql @@ -2,7 +2,7 @@ -- Insert version -- -INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.10.8'); +INSERT INTO `informations` (`key` ,`value`) VALUES ('version', '21.10.9'); -- -- Contenu de la table `contact` 
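Review bot: The new line in the `@@ -1176` hunk of checkChangeState() ends with a stray backtick after `ns_host_relation`, which opens a quoted identifier that is never closed, so MySQL will reject the whole statement as a syntax error and checkChangeState() fails for every poller. Remove that trailing character so the line reads like the `ns_host_relation` reference in the `@@ -1194` hunk, i.e. schema in backticks, a dot, then the bare table name. The three later hunks in the same function are written correctly. checkChangeState() starts before this hunk and continues after it.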
diff --git a/www/install/php/Update-21.10.9.php b/www/install/php/Update-21.10.9.php
new file mode 100644
index 00000000000..8572f2a05df
--- /dev/null
+++ b/www/install/php/Update-21.10.9.php
@@ -0,0 +1,20 @@ +query('use ' . $parameters['db_configuration']);
+ $result = $link->query(sprintf('use `%s`', $parameters['db_configuration']));
 if (!$result) {
 throw new \Exception('Cannot access to "' . $parameters['db_configuration'] . '" database');
 }
diff --git a/www/install/steps/process/installConfigurationDb.php b/www/install/steps/process/installConfigurationDb.php
index c04a9e0da3d..f22d963b82f 100644
--- a/www/install/steps/process/installConfigurationDb.php
+++ b/www/install/steps/process/installConfigurationDb.php
@@ -82,7 +82,7 @@
 }
 try {
- $link->exec("CREATE DATABASE " . $parameters['db_configuration']);
+ $link->exec(sprintf('CREATE DATABASE `%s`', $parameters['db_configuration']));
 } catch (\PDOException $e) {
 if (!is_file('../../tmp/createTables')) {
 $return['msg'] = $e->getMessage();
@@ -94,7 +94,7 @@
 /**
 * Create tables
 */
-$link->exec('use ' . $parameters['db_configuration']);
+$link->exec(sprintf('use `%s`', $parameters['db_configuration']));
 $result = splitQueries('../../createTables.sql', ';', $link, '../../tmp/createTables');
 if ("0" != $result) {
 $return['msg'] = $result;
diff --git a/www/install/steps/process/installStorageDb.php b/www/install/steps/process/installStorageDb.php
index 7a4326764a5..0b4d844fb26 100644
--- a/www/install/steps/process/installStorageDb.php
+++ b/www/install/steps/process/installStorageDb.php
@@ -61,7 +61,7 @@
 }
 try {
- $link->exec("CREATE DATABASE " . $parameters['db_storage']);
+ $link->exec(sprintf('CREATE DATABASE `%s`', $parameters['db_storage']));
 } catch (\PDOException $e) {
 if (!is_file('../../tmp/createTablesCentstorage')) {
 $return['msg'] = $e->getMessage();
@@ -79,7 +79,7 @@
 );
 try {
- $result = $link->query('use ' . $parameters['db_storage']);
+ $result = $link->query(sprintf('use `%s`', $parameters['db_storage']));
 if (!$result) {
 throw new \Exception('Cannot access to "' . $parameters['db_storage'] . '" database');
 }