This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

chore(release): merge release-21.04.next into 21.04.x (#11819)
* query sanitized in listServiceCategories (#11597) (#11634)

* sanitize and bind in centreon connector query (#11637)

* Sanitize and bind listVirtualMetrics queries (#11649)

* sanitize and bind host categories query (#11591) (#11646)

* sanitize insert queries in db-func (#11652)

MON-14667

* Sanitized and bound queries in service argumentsXml file (#11655)

MON-14669

* (fix) service status : encoding issue on status page (#11583)

* fix(git): sync dev-21.04.x with 21.04.x (#11526)

* [SNYK] Sanitize and bind ACL host dependency queries (#11389) (#11521)

* Sanitize and bind ACL host dependency queries

* fix issues

* [SNYK] Sanitize and bind centreonGraph class queries (#11409) (#11517)

1122

1153

1134

* removed old variable userCrypted and the use of it (#11334) (#11516)

* fix(test): wait 8s before checking downtime is active in rest api v1 test (#11498) (#11506)

Refs: MON-14585

* [Snyk] Sanitize and bind ACL action access queries (#11385) (#11514)

* Sanitize and bind ACL action access queries

_ sanitize, if possible, each variable inserted in a query

_ use PDO prepared statement and bind() method

_ Do not use $pearDB->escape, which is for example useless on integers and on non-closed HTML tags (svg, img, etc.)

* fix line length

* fix failed checks

* [SNYK] Sanitize and bind ACL class queries (#11392) (#11513)

* Sanitize and bind ACL class queries

Queries sanitized and bound using PDO statements

* fix spaces

spaces between (int) cast and variables

* update file delete spaces after comma

* change variables names due to a review

* Line exceeds 120 characters; contains 123 characters

* fix(pendo): correctly set locale when language is detected by browser (#11484) (#11530)

Refs: MON-14039

* doc(ack): acknowledge Hakaï security (#11538)

* SNYK: Sanitize and bind ACL actions queries (#11549)

* sanitizing and binding acl actions queries

* fix missing bind

* SNYK: Sanitize and bind Broker listing queries (#11553)

* Sanitizing and binding broker listing queries

* applying suggested changes

* fix(conf) fix encoding in template service listing (#11558) (#11566)

* fix encoding

* remove useless function

* SNYK: Sanitize and bind generateImage queries (#11563)

* sanitize and bind generate image queries

* adding throw exception

* applying suggested changes

* Update www/include/views/graphs/generateGraphs/generateImage.php

Co-authored-by: Kevin Duret <kduret@centreon.com>

Co-authored-by: Kevin Duret <kduret@centreon.com>

* MON-14501 - sanitize query in centreonXmlbgRequest class (#11572)

* sanitize query in centreonXmlbgRequest class

* add closeCursor func to resolve conv

* SNYK: Sanitize and bind Meta-Services dependency queries (#11554) (#11569)

* sanitize 2 insert queries

* spaces removed in a query

* Fix encoding issue on status serviceXML

Co-authored-by: Kevin Duret <kduret@centreon.com>
Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com>
Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com>
Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com>
Co-authored-by: alaunois <alaunois@centreon.com>

* Sanitize and bind service group dependencies queries (#11667)

* fix(conf) fix parent template display in service template listing (#11671) (#11678)

* fix(details): remove dead code (#11672) (#11684)

* fix(clapi): Check that user is admin to use clapi (#11631) (#11638)

* fix(widgets): retrieve possibility to not select poller in pref (#11696) (#11700)

Refs: MON-14919

* fix(details): second part of code cleanup for "tools" (#11725)

* fix(resource): Fix bad SQL request (#11702) (#11751)

* chore(install): update version to 21.04.18

Co-authored-by: Elmahdi ABBASSI <108519266+emabassi-ext@users.noreply.github.com>
Co-authored-by: TamazC <103252125+TamazC@users.noreply.github.com>
Co-authored-by: Kevin Duret <kduret@centreon.com>
Co-authored-by: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com>
Co-authored-by: Stéphane Chapron <34628915+sc979@users.noreply.github.com>
Co-authored-by: hyahiaoui-ext <97593234+hyahiaoui-ext@users.noreply.github.com>
Co-authored-by: alaunois <alaunois@centreon.com>
Co-authored-by: Adrien Morais-Mestre <31647811+adr-mo@users.noreply.github.com>
Co-authored-by: Laurent Calvet <lcalvet@centreon.com>
10 people authored Sep 21, 2022
1 parent 16d8eee commit 6cbd3ee
Showing 19 changed files with 154 additions and 195 deletions.
2 changes: 1 addition & 1 deletion www/api/class/centreon_clapi.class.php
Expand Up @@ -231,7 +231,7 @@ public function authorize($action, $user, $isInternal = false)
{
if (
parent::authorize($action, $user, $isInternal)
|| ($user && $user->hasAccessRestApiConfiguration())
|| ($user && $user->is_admin())
) {
return true;
}
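Review bot: replacing `hasAccessRestApiConfiguration()` with `is_admin()` in `authorize()` is a behaviour change for non-admin contacts that previously held REST API configuration access: they lose CLAPI access after this upgrade. The hunk itself is correct and tighter, but the release notes should call this out, and it is worth confirming that no internal caller still relies on the `$isInternal` path to bypass the admin check, since `parent::authorize()` is still evaluated first.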
Expand Down
30 changes: 16 additions & 14 deletions www/class/centreonConnector.class.php
Expand Up @@ -35,40 +35,40 @@

/*
* Class that contains various methods for managing connectors
*
*
* Usage example:
*
*
* <?php
* require_once realpath(dirname(__FILE__) . "/../../config/centreon.config.php");
* require_once _CENTREON_PATH_ . 'www/class/centreonConnector.class.php';
* require_once _CENTREON_PATH_ . 'www/class/centreonDB.class.php';
*
*
* $connector = new CentreonConnector(new CentreonDB);
*
*
* //$connector->create(array(
* // 'name' => 'jackyse',
* // 'description' => 'some jacky',
* // 'command_line' => 'ls -la',
* // 'enabled' => true
* // ), true);
*
*
* //$connector->update(10, array(
* // 'name' => 'soapy',
* // 'description' => 'Lorem ipsum',
* // 'enabled' => true,
* // 'command_line' => 'ls -laph --color'
* //));
*
*
* //$connector->getList(false, 20, false);
*
*
* //$connector->delete(10);
*
*
* //$connector->read(7);
*
*
* //$connector->copy(1, 5, true);
*
*
* //$connector->count(false);
*
*
* //$connector->isNameAvailable('norExists');
*/

Expand Down Expand Up @@ -165,11 +165,13 @@ public function create(array $connector, $returnId = false)
throw new RuntimeException('Field id for connector not selected in query or connector not inserted');
} else {
if (isset($connector["command_id"])) {
$statement = $this->dbConnection->prepare("UPDATE `command` " .
"SET connector_id = :conId WHERE `command_id` = :value");
foreach ($connector["command_id"] as $key => $value) {
try {
$query = "UPDATE `command` SET connector_id = '" . $lastId['id'] . "' " .
"WHERE `command_id` = '" . $value . "'";
$this->dbConnection->query($query);
$statement->bindValue(':conId', (int) $lastId['id'], \PDO::PARAM_INT);
$statement->bindValue(':value', (int) $value, \PDO::PARAM_INT);
$statement->execute();
} catch (\PDOException $e) {
throw new RuntimeException('Cannot update connector');
}
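Review bot: the `catch (\PDOException $e)` block rethrows `RuntimeException('Cannot update connector')` and drops the original exception, which makes a failed `execute()` hard to diagnose; pass it as the previous exception, e.g. `throw new RuntimeException('Cannot update connector', 0, $e);`. Also note that `(int) $value` silently turns a non-numeric command id into `0`, so the update becomes a no-op instead of an error; if `$connector["command_id"]` can come from a form, validating the ids before the loop would surface that case.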
Expand Down
1 change: 1 addition & 0 deletions www/class/centreonWidget/Params/Connector/Poller.class.php
Expand Up @@ -48,6 +48,7 @@ public function getListValues($paramId)
static $tab;

if (! isset($tab)) {
$tab = [null => null];
$userACL = new CentreonACL($this->userId);
$isContactAdmin = $userACL->admin;
$request = 'SELECT SQL_CALC_FOUND_ROWS id, name FROM nagios_server ns';
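Review bot: `$tab = [null => null];` relies on PHP coercing a `null` array key to the empty string `""`, so the actual entry is `'' => null`; writing `$tab = ['' => null];` says what is meant (an empty "no poller" option) without depending on the key cast.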
Expand Down
16 changes: 10 additions & 6 deletions www/include/configuration/configObject/contactgroup/DB-Func.php
Expand Up @@ -144,20 +144,24 @@ function multipleContactGroupInDB($contactGroups = array(), $nbrDup = array())
"WHERE `cg_cg_id` = " . (int)$key;
$dbResult = $pearDB->query($query);
$fields["cg_aclRelation"] = "";
$aclContactStatement = $pearDB->prepare("INSERT INTO `acl_group_contactgroups_relations` " .
"VALUES (:maxId, :cgAcl)");
while ($cgAcl = $dbResult->fetch()) {
$query = "INSERT INTO `acl_group_contactgroups_relations` VALUES ('" .
$maxId["MAX(cg_id)"] . "', '" . $cgAcl['acl_group_id'] . "')";
$pearDB->query($query);
$aclContactStatement->bindValue(":maxId", (int) $maxId["MAX(cg_id)"], PDO::PARAM_INT);
$aclContactStatement->bindValue(":cgAcl", (int) $cgAcl['acl_group_id'], PDO::PARAM_INT);
$aclContactStatement->execute();
$fields["cg_aclRelation"] .= $cgAcl["acl_group_id"] . ",";
}
$query = "SELECT DISTINCT `cgcr`.`contact_contact_id` FROM `contactgroup_contact_relation` `cgcr`" .
" WHERE `cgcr`.`contactgroup_cg_id` = '" . (int)$key . "'";
$dbResult = $pearDB->query($query);
$fields["cg_contacts"] = "";
$contactStatement = $pearDB->prepare("INSERT INTO `contactgroup_contact_relation` " .
"VALUES (:cct, :maxId)");
while ($cct = $dbResult->fetch()) {
$query = "INSERT INTO `contactgroup_contact_relation` " .
"VALUES ('" . $cct["contact_contact_id"] . "', '" . $maxId["MAX(cg_id)"] . "')";
$pearDB->query($query);
$contactStatement->bindValue(":cct", (int) $cct["contact_contact_id"], \PDO::PARAM_INT);
$contactStatement->bindValue(":maxId", (int) $maxId["MAX(cg_id)"], \PDO::PARAM_INT);
$contactStatement->execute();
$fields["cg_contacts"] .= $cct["contact_contact_id"] . ",";
}
$fields["cg_contacts"] = trim($fields["cg_contacts"], ",");
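Review bot: `:maxId` is bound inside both `while` loops although `$maxId["MAX(cg_id)"]` does not change between iterations; binding it once right after `prepare()` and only rebinding the row-dependent value per iteration is cheaper and clearer. The same hunk mixes `PDO::PARAM_INT` and `\PDO::PARAM_INT`; pick one form in this file.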
Expand Down
Expand Up @@ -249,10 +249,11 @@ function multipleHostCategoriesInDB($hostCategories = [], $nbrDup = [])
$statement3->bindValue(':hc_id', $hcId, \PDO::PARAM_INT);
$statement3->execute();
$fields["hc_hosts"] = "";
$hrstatement = $pearDB->prepare("INSERT INTO hostcategories_relation VALUES (:maxId, :hostId)");
while ($host = $statement3->fetch()) {
$query = "INSERT INTO hostcategories_relation VALUES ('" . $maxId["MAX(hc_id)"] .
"', '" . $host["host_host_id"] . "')";
$pearDB->query($query);
$hrstatement->bindValue(':maxId', (int) $maxId["MAX(hc_id)"], \PDO::PARAM_INT);
$hrstatement->bindValue(':hostId', (int) $host["host_host_id"], \PDO::PARAM_INT);
$hrstatement->execute();
$fields["hc_hosts"] .= $host["host_host_id"] . ",";
}
$fields["hc_hosts"] = trim($fields["hc_hosts"], ",");
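Review bot: `$hrstatement` breaks the camelCase used by the neighbouring `$statement3`; rename to `$hrStatement`. As in the contact group copy, `:maxId` can be bound once outside the loop since `$maxId["MAX(hc_id)"]` is constant for the whole loop.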
Expand Down
22 changes: 12 additions & 10 deletions www/include/configuration/configObject/service/xml/argumentsXml.php
Expand Up @@ -131,12 +131,13 @@
$exampleTab = array();
}

$query3 = "SELECT command_command_id_arg " .
$cmdStatement = $db->prepare("SELECT command_command_id_arg " .
"FROM service " .
"WHERE service_id = '" . $svcId . "' LIMIT 1";
$res3 = $db->query($query3);
if ($res3->rowCount()) {
$row3 = $res3->fetchRow();
"WHERE service_id = :svcId LIMIT 1");
$cmdStatement->bindValue(':svcId', (int) $svcId, PDO::PARAM_INT);
$cmdStatement->execute();
if ($cmdStatement->rowCount()) {
$row3 = $cmdStatement->fetchRow();
$valueTab = preg_split('/(?<!\\\)\!/', $row3['command_command_id_arg']);
if (is_array($valueTab)) {
foreach ($valueTab as $key => $value) {
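Review bot: `$cmdStatement->fetchRow()` is kept from the old `$res3->fetchRow()` call, but a plain `PDOStatement` returned by `prepare()` has no `fetchRow()` method, only `fetch()`; please confirm that `$db->prepare()` returns Centreon's own statement class that provides `fetchRow()`, otherwise this line throws. `rowCount()` on a SELECT is also driver-dependent; `$row3 = $cmdStatement->fetch()` with an `if ($row3 !== false)` check avoids both concerns.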
Expand All @@ -149,14 +150,15 @@
}
}

$query = "SELECT macro_name, macro_description " .
$macroStatement = $db->prepare("SELECT macro_name, macro_description " .
"FROM command_arg_description " .
"WHERE cmd_id = '" . $cmdId . "' ORDER BY macro_name";
$res = $db->query($query);
while ($row = $res->fetchRow()) {
"WHERE cmd_id = :cmdId ORDER BY macro_name");
$macroStatement->bindValue(':cmdId', (int) $cmdId, \PDO::PARAM_INT);
$macroStatement->execute();
while ($row = $macroStatement->fetchRow()) {
$argTab[$row['macro_name']] = $row['macro_description'];
}
$res->closeCursor();
$macroStatement->closeCursor();

/*
* Write XML
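Review bot: `$macroStatement->closeCursor()` is called but the earlier `$cmdStatement` in this file is never closed; with a single connection and a `LIMIT 1` query that is mostly harmless, but for consistency close both. This hunk also uses `\PDO::PARAM_INT` while the previous one in the same file uses `PDO::PARAM_INT`; use one form.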
Expand Down
Expand Up @@ -119,12 +119,12 @@
$elemArr = array();
$centreonToken = createCSRFToken();

$statement = $pearDB->prepare("SELECT COUNT(*) FROM `service_categories_relation` WHERE `sc_id` = :sc_id");
for ($i = 0; $sc = $dbResult->fetch(); $i++) {
$moptions = "";
$dbResult2 = $pearDB->query(
"SELECT COUNT(*) FROM `service_categories_relation` WHERE `sc_id` = '" . $sc['sc_id'] . "'"
);
$nb_svc = $dbResult2->fetch();
$statement->bindValue(':sc_id', (int) $sc['sc_id'], \PDO::PARAM_INT);
$statement->execute();
$nb_svc = $statement->fetch();

$selectedElements = $form->addElement('checkbox', "select[" . $sc['sc_id'] . "]");

Expand Down
Expand Up @@ -76,7 +76,7 @@
<td class="ListColLeft resizeTitle"><a
href="{$elemArr[elem].RowMenu_link}">{$elemArr[elem].RowMenu_alias}</a></td>
<td class="ListColCenter">{$elemArr[elem].RowMenu_retry}</td>
<td class="ListColRight">{$elemArr[elem].RowMenu_parent}</td>
<td class="ListColLeft">{$elemArr[elem].RowMenu_parent}</td>
<td class="ListColCenter"><span
class="badge {$elemArr[elem].RowMenu_badge}">{$elemArr[elem].RowMenu_status}</span></td>
<td class="ListColRight" align="right">{if $mode_access == 'w' }{$elemArr[elem].RowMenu_options}{else}&nbsp;{/if}</td>
Expand Down
Expand Up @@ -172,7 +172,8 @@
foreach ($tplArr as $key => $value) {
$value = str_replace('#S#', "/", $value);
$value = str_replace('#BS#', "\\", $value);
$tplStr .= "&nbsp;->&nbsp;<a href='main.php?p=60206&o=c&service_id=" . $key . "'>" . $value . "</a>";
$tplStr .= "&nbsp;->&nbsp;<a href='main.php?p=60206&o=c&service_id=" . $key . "'>"
. htmlentities($value) . "</a>";
}
}
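Review bot: `htmlentities($value)` fixes the template name, but `$key` is still interpolated into the `href` unescaped: `"...&o=c&service_id=" . $key . "'>"`. Since `$key` is a service id, `(int) $key` is the cheapest way to make the link safe regardless of where `$tplArr` is populated from.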

Expand Down Expand Up @@ -228,7 +229,7 @@
"RowMenu_select" => $selectedElements->toHtml(),
"RowMenu_desc" => htmlentities($service["service_description"]),
"RowMenu_alias" => htmlentities($service["service_alias"]),
"RowMenu_parent" => htmlentities($tplStr),
"RowMenu_parent" => $tplStr,
"RowMenu_icon" => $svc_icon,
"RowMenu_retry" => htmlentities(
"$normal_check_interval $normal_units / $retry_check_interval $retry_units"
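Review bot: dropping `htmlentities()` on `RowMenu_parent` is correct now that `$tplStr` already contains escaped names and markup (it fixes the double encoding the commit message refers to), but it means the template receives raw HTML from this value; a short comment at the point where `$tplStr` is built, stating that every interpolated value must already be escaped, would keep a future change from reintroducing unescaped output here.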
Expand Down
Expand Up @@ -128,10 +128,13 @@ function multipleServiceGroupDependencyInDB($dependencies = array(), $nbrDup = a
"WHERE dependency_dep_id = '" . $key . "'";
$dbResult = $pearDB->query($query);
$fields["dep_sgParents"] = "";
$query = "INSERT INTO dependency_servicegroupParent_relation " .
"VALUES (:dep_id, :servicegroup_sg_id)";
$statement = $pearDB->prepare($query);
while ($sg = $dbResult->fetch()) {
$query = "INSERT INTO dependency_servicegroupParent_relation " .
"VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $sg["servicegroup_sg_id"] . "')";
$pearDB->query($query);
$statement->bindValue(':dep_id', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
$statement->bindValue(':servicegroup_sg_id', (int) $sg["servicegroup_sg_id"], \PDO::PARAM_INT);
$statement->execute();
$fields["dep_sgParents"] .= $sg["servicegroup_sg_id"] . ",";
}
$fields["dep_sgParents"] = trim($fields["dep_sgParents"], ",");
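Review bot: the INSERT is now bound, but the SELECT just above it still concatenates the key directly: `"WHERE dependency_dep_id = '" . $key . "'"`. `$key` is taken from the `$dependencies` array passed to this function, so it should get the same treatment (`(int) $key` or a bound parameter) before this hunk can be called sanitized.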
Expand All @@ -140,10 +143,13 @@ function multipleServiceGroupDependencyInDB($dependencies = array(), $nbrDup = a
"WHERE dependency_dep_id = '" . $key . "'";
$dbResult = $pearDB->query($query);
$fields["dep_sgChilds"] = "";
$query = "INSERT INTO dependency_servicegroupChild_relation " .
"VALUES (:dep_id, :servicegroup_sg_id)";
$statement = $pearDB->prepare($query);
while ($sg = $dbResult->fetch()) {
$query = "INSERT INTO dependency_servicegroupChild_relation " .
"VALUES ('" . $maxId["MAX(dep_id)"] . "', '" . $sg["servicegroup_sg_id"] . "')";
$pearDB->query($query);
$statement->bindValue(':dep_id', (int) $maxId["MAX(dep_id)"], \PDO::PARAM_INT);
$statement->bindValue(':servicegroup_sg_id', (int) $sg["servicegroup_sg_id"], \PDO::PARAM_INT);
$statement->execute();
$fields["dep_sgChilds"] .= $sg["servicegroup_sg_id"] . ",";
}
$fields["dep_sgChilds"] = trim($fields["dep_sgChilds"], ",");
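Review bot: same remark as for the parent relation: the SELECT at `"WHERE dependency_dep_id = '" . $key . "'"` still concatenates `$key` without a cast or bind, while the INSERT below it is bound. Also, `$statement` is reassigned here while the previous prepared statement is still in scope; using distinct names (`$parentStatement`, `$childStatement`) avoids confusion.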
Expand Down
45 changes: 28 additions & 17 deletions www/include/configuration/configResources/DB-Func.php
Expand Up @@ -294,23 +294,34 @@ function insertResource($ret = array())
if (!count($ret)) {
$ret = $form->getSubmitValues();
}
$rq = "INSERT INTO cfg_resource ";
$rq .= "(resource_name, resource_line, resource_comment, resource_activate) ";
$rq .= "VALUES (";
isset($ret["resource_name"]) && $ret["resource_name"] != null
? $rq .= "'" . $pearDB->escape($ret["resource_name"]) . "', "
: $rq .= "NULL, ";
isset($ret["resource_line"]) && $ret["resource_line"] != null
? $rq .= "'" . $pearDB->escape($ret["resource_line"]) . "', "
: $rq .= "NULL, ";
isset($ret["resource_comment"]) && $ret["resource_comment"] != null
? $rq .= "'" . $pearDB->escape($ret["resource_comment"]) . "', "
: $rq .= "NULL, ";
isset($ret["resource_activate"]["resource_activate"]) && $ret["resource_activate"]["resource_activate"] != null
? $rq .= "'" . $ret["resource_activate"]["resource_activate"] . "'"
: $rq .= "NULL";
$rq .= ")";
$pearDB->query($rq);
$statement = $pearDB->prepare(
"INSERT INTO cfg_resource
(resource_name, resource_line, resource_comment, resource_activate)
VALUES (:name, :line, :comment, :is_activated)"
);
$statement->bindValue(
':name',
! empty($ret["resource_name"])
? $ret["resource_name"]
: null
);
$statement->bindValue(
':line',
! empty($ret["resource_line"])
? $ret["resource_line"]
: null
);
$statement->bindValue(
':comment',
! empty($ret["resource_comment"])
? $ret["resource_comment"]
: null
);
$isActivated = isset($ret["resource_activate"]["resource_activate"])
&& (bool) (int) $ret["resource_activate"]["resource_activate"];
$statement->bindValue(':is_activated', (string) (int) $isActivated);
$statement->execute();

$dbResult = $pearDB->query("SELECT MAX(resource_id) FROM cfg_resource");
$resource_id = $dbResult->fetch();

Expand Down
34 changes: 0 additions & 34 deletions www/include/monitoring/objectDetails/hostDetails.php
Expand Up @@ -663,40 +663,6 @@
$tpl->assign("h_ext_icon_image_alt", getMyHostExtendedInfoField($hostDB["host_id"], "ehi_icon_image_alt"));
}

/*
* Dynamics tools
*/
$tools = array();
$DBRESULT = $pearDB->query("SELECT * FROM modules_informations");
while ($module = $DBRESULT->fetchrow()) {
if (
isset($module['host_tools']) && $module['host_tools'] == 1
&& file_exists('modules/' . $module['name'] . '/host_tools.php')
) {
include('modules/' . $module['name'] . '/host_tools.php');
}
}
$DBRESULT->closeCursor();

foreach ($tools as $key => $tab) {
$tools[$key]['url'] = str_replace("@host_id@", $host_id, $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@host_name@", $host_name, $tools[$key]['url']);
$tools[$key]['url'] = str_replace(
"@current_state@",
$host_status[$host_name]["current_state"],
$tools[$key]['url']
);
$tools[$key]['url'] = str_replace(
"@plugin_output@",
$host_status[$host_name]["plugin_output"],
$tools[$key]['url']
);
}

if (count($tools) > 0) {
$tpl->assign("tools", $tools);
}

// Check if central or remote server
$DBRESULT = $pearDB->query("SELECT `value` FROM `informations` WHERE `key` = 'isRemote'");
$result = $DBRESULT->fetchRow();
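Review bot: removing the dynamic tools block also removes the `include('modules/' . $module['name'] . '/host_tools.php')` extension point; any module that still ships a `host_tools.php` will silently stop contributing links. Please confirm no supported module relies on it and mention the removal in the release notes.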
Expand Down
29 changes: 0 additions & 29 deletions www/include/monitoring/objectDetails/serviceDetails.php
Expand Up @@ -799,35 +799,6 @@
$tpl->assign("index_data", $index_data);
$tpl->assign("options2", CentreonUtils::escapeSecure($optionsURL2));

/*
* Dynamics tools
*/
$tools = array();
$DBRESULT = $pearDB->query("SELECT * FROM modules_informations");
while ($module = $DBRESULT->fetchrow()) {
if (
isset($module['svc_tools'])
&& $module['svc_tools'] == 1
&& file_exists('modules/' . $module['name'] . '/svc_tools.php')
) {
include('modules/' . $module['name'] . '/svc_tools.php');
}
}
$DBRESULT->closeCursor();

foreach ($tools as $key => $tab) {
$tools[$key]['url'] = str_replace("@host_id@", $host_id, $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@host_name@", $host_name, $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@svc_description@", $svc_description, $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@svc_id@", $service_id, $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@current_state@", $service_status["current_state"], $tools[$key]['url']);
$tools[$key]['url'] = str_replace("@plugin_output@", $service_status["plugin_output"], $tools[$key]['url']);
}

if (count($tools) > 0) {
$tpl->assign("tools", CentreonUtils::escapeSecure($tools));
}

/**
* Build the service detail URI that will be used in the
* deprecated banner
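Review bot: as with the host page, the `svc_tools.php` module hook is dropped here without a replacement; since this is the second part of the "tools" cleanup, the release notes should state that both `host_tools.php` and `svc_tools.php` module hooks are gone so module authors are not surprised.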
Expand Down
11 changes: 0 additions & 11 deletions www/include/monitoring/objectDetails/template/hostDetails.ihtml
Expand Up @@ -473,17 +473,6 @@
</td>
</tr>
{/if}
{section name=tool loop=$tools}
<tr class='list_two'>
<td class="ListColLeft ColPopup">
{if $tools[tool].popup == ""}
<a href="{$tools[tool].url}" target="{$tools[tool].target}">
{else}
<a href="#tools" name="tools" onClick="window.open('{$tools[tool].url}','','toolbar=no,location=no,directories=no,status=no,scrollbars=yes,resizable=yes,copyhistory=no, width={$tools[tool].width}, height={$tools[tool].height}');">
{/if}
&#9679;&nbsp;{$tools[tool].name}</a></td>
</tr>
{/section}
</table>
</td>
</tr>
Expand Down
