This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Mon 3224 sql inj virtual metric #7061

Merged
merged 4 commits into from
Dec 28, 2018
23 changes: 20 additions & 3 deletions features/VirtualMetricHandle.feature
Expand Up @@ -5,17 +5,34 @@ Feature: Virtual Metric Handle

Background:
Given I am logged in a Centreon server with configured metrics

Scenario: Create a virtual metric
When I add a virtual metric
Then all properties are saved

Scenario: Duplicate a virtual metric
Given an existing virtual metric
When I duplicate a virtual metric
Then all properties are copied except the name

Scenario: Delete a virtual metric
Given an existing virtual metric
When I delete a virtual metric
Then the virtual metric disappears from the Virtual metrics list

@listFilter
Scenario: Filter a virtual metric in the list page
Given an existing virtual metric
When I filter the list to find default entity
Then in the list must be default entity only

@security @listFilter
Scenario Outline: Try to inject SQL by the filter on the list page
Given an existing virtual metric
When I filter the list with <text>
Then the list must be empty

Examples:
| text |
| "' AND (SELECT 7076 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT(ELT(7076=7076,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- edsY" |
| "' AND (SELECT * FROM (SELECT(SLEEP(5)))IBjx)-- gFbi" |
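Review bot: In the Examples table of the new "Try to inject SQL by the filter on the list page" outline, `Then the list must be empty` cannot distinguish a fixed filter from a vulnerable one for the `SLEEP(5)` row. If the filter text were still concatenated into the query, that row would typically make the added condition false and return an empty list too, only after a delay, so the scenario would pass either way. Consider bounding the search time for that row well below five seconds, and adding a positive case: a virtual metric whose name contains a single quote, filtered by that exact name and expected to be found, which shows the text is handled as data rather than parsed as SQL.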
56 changes: 56 additions & 0 deletions features/bootstrap/VirtualMetricHandleContext.php
Expand Up @@ -98,4 +98,60 @@ public function theVirtualMetricDisappearsFromTheVirtualMetricsList()
throw new \Exception($this->vmName . ' virtual Metric is still existing');
}
}

/**
* @When I filter the list to find default entity
*/
public function iFilterTheListToFindDefaultntity()
{
$this->iFilterTheListWith($this->vmName);
}

/**
* @Then in the list must be default entity only
*/
public function inTheListMustBeDefaultEntityOnly()
{
$objects = $this->page->getEntries();

$result = null;

foreach ($objects as $key => $data) {
if ($result === null && $key === $this->vmName) {
$result = true;
} else {
$result = false;
}
}

if ($result === false) {
throw new \Exception('It\'s not only a default Virtual Metrics in the list');
} elseif ($result === null) {
throw new \Exception('The default Virtual Metrics not in the list');
}
}

/**
* @When I filter the list with :virtualMetricsName
*
* @param string $virtualMetricsName Virtual metrics filter.
*/
public function iFilterTheListWith($virtualMetricsName)
{
$this->page = new MetricsConfigurationListingPage($this);
$this->page->setVirtualMetricsFilter($virtualMetricsName);
$this->page->search();
}

/**
* @Then the list must be empty
*/
public function theListMustBeEmpty()
{
$objects = $this->page->getEntries();

if ($objects) {
throw new \Exception('Virtual Metrics list is not empty');
}
}
}
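Review bot: The loop in `inTheListMustBeDefaultEntityOnly()` sets `$result = false` both when another entry appears alongside the default one and when the default entry is missing from a non-empty list, so the second case is reported with the "not only a default" message and the "not in the list" message is reached only when the list is empty. Comparing `array_keys($objects)` with `[$this->vmName]` would state the intent directly and let the two failures be reported separately. Also, `iFilterTheListToFindDefaultntity` is missing an "E" (`...DefaultEntity`); the step still binds through its `@When` annotation, but the method name should be corrected.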