fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8063

sc979 · 2019-10-28T09:58:08Z

Pull Request Template

Description

This PR concatenate multiples reviewed PR for PHP 7 branches

This concerns, security fixes to avoid SQL injections on unused http params (eg : $_GET) or inadequately protected variables in SQL requests.

Type of change

Patch fixing an issue (non-breaking change)
New functionality (non-breaking change)
Breaking change (patch or feature) that might cause side effects breaking part of the Software
Updating documentation (missing information, typo...)

Target serie

How this pull request can be tested ?

please contact me.

Checklist

Community contributors & Centreon team

I followed the coding style guidelines provided by Centreon
I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
I have commented my code, especially hard-to-understand areas of the PR.
I have made corresponding changes to the documentation.
I have rebased my development branch on the base branch (master, maintenance).

Centreon team only

I have made sure that the unit tests related to the story are successful.
I have made sure that unit tests cover 80% of the code written for the story.
I have made sure that acceptance tests related to the story are successful (local and CI)

www/include/monitoring/status/Services/xml/makeXMLForOneService.php

…ummary XML (#8064) * fix(secu): remove or sanitize unused https arguments in service by servicegroup summary * Update www/include/monitoring/status/ServicesServiceGroups/xml/serviceSummaryBySGXML.php

* fix(secu): avoid SQL injection in serviceByServicegroupGridXML.php file * fix(secu): avoid SQL injection in serviceByServicegroupSummaryXML.php file * fix(secu): remove or sanitize unused https arguments in service by servicegroup GRID (#8066)

…es (#8074) * fix(secu): sanitize or remove unused params in serviceSummaryBYHGXML file * fix(secu): sanitize or remove unused params in serviceGridBYHGXML file

* style * fix(secu): remove unused http parameters in hostgroupXML.php file

* fix(secu): sanitize makeXMLForOneHost.php * fix(secu): sanitize makeXMLForOneService.php * fix(secu): better hadling session check * fix(secu): sanitize or remove unused params in serviceXML file * fix(secu): sanitize serviceGridXML.php * fix(secu): sanitize serviceSummaryXML.php

* style * fix(secu): sanitize or remove unused params in hostXML file

* prevent sql injection in hostXML.php * replace uppercase table alias by lowercase * delete case duplicating the default case * style * replace array() with []

* www/include/monitoring/status/Common/xml/modelXML.php * correct variable

* prevent sql injection in makeXMLForOneHostXML.php * prevent sql injection in makeXMLForOneServiceXML.php * prevent sql injection in serviceXML.php * prevent sql injection in serviceGridXML.php * prevent sql injection in serviceXML.php * prevent sql injection in serviceSummaryXML.php * remove debug and prepare second query * style

* fix(secu): avoid sql injections in hostgroupXML file * fix(UI): add the order param to the request * remove useless declarations

Co-Authored-By: Laurent Calvet <lcalvet@centreon.com>

…ster (#8063) * fix(secu): remove unused topCounter files and folders (#8007) * fix(secu): remove unused http parameters in service by servicegroup summary XML (#8064) * fix(secu): remove or sanitize unused https arguments in service by servicegroup summary * fix(secu): Avoid SQL injections in service by servicegroup pages (#8065) * fix(secu): avoid SQL injection in serviceByServicegroupGridXML.php file * fix(secu): avoid SQL injection in serviceByServicegroupSummaryXML.php file * fix(secu): remove or sanitize unused https arguments in service by servicegroup GRID (#8066) * fix(secu): remove unused http parameters in services by hostgroup files (#8074) * fix(secu): sanitize or remove unused params in serviceSummaryBYHGXML file * fix(secu): sanitize or remove unused params in serviceGridBYHGXML file * fix(secu): remove unused http parameters in hostgroup xml.php (#8073) * fix(secu): remove unused http parameters in hostgroupXML.php file * fix(secu): remove unused http parameters in services files (#8078) * fix(secu): sanitize makeXMLForOneHost.php * fix(secu): sanitize makeXMLForOneService.php * fix(secu): better hadling session check * fix(secu): sanitize or remove unused params in serviceXML file * fix(secu): sanitize serviceGridXML.php * fix(secu): sanitize serviceSummaryXML.php * fix(secu): remove unused http parameters in hostXML file (#8079) * fix(secu): sanitize or remove unused params in hostXML file * fix(secu): prevent from sql injections in host page (#8087) * prevent sql injection in hostXML.php * replace uppercase table alias by lowercase * delete case duplicating the default case * replace array() with [] * fix(secu): prevent from sql injections from common xml model (#8083) * fix(secu): prevent from sql injections in services pages (#8082) * prevent sql injection in makeXMLForOneHostXML.php * prevent sql injection in makeXMLForOneServiceXML.php * prevent sql injection in serviceXML.php * prevent sql injection in serviceGridXML.php * prevent sql injection in serviceXML.php * prevent sql injection in serviceSummaryXML.php * remove debug and prepare second query * fix(secu): prevent from sql injections in hostgroupXML file (#8081) * fix(secu): avoid sql injections in hostgroupXML file * fix(UI): add the order param to the request * remove useless declarations * replace regexp with whitelist * add missing array declaration * fix(CI): sonar coding style issue

lbrossault · 2022-08-25T07:48:16Z

CVE Id assigned about this security fix is CVE-2019-17647

sc979 added kind/security area/security labels Oct 28, 2019

sc979 self-assigned this Oct 28, 2019

sc979 mentioned this pull request Oct 28, 2019

fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8045

Closed

16 tasks

sc979 force-pushed the MON-4422-fix-master-sql-injections-in-monitoring-pages branch 6 times, most recently from e567a41 to c53e78e Compare November 4, 2019 08:10

sc979 force-pushed the MON-4422-fix-master-sql-injections-in-monitoring-pages branch from c53e78e to 9f431db Compare November 6, 2019 10:14

sc979 marked this pull request as ready for review November 6, 2019 10:59

callapa suggested changes Nov 6, 2019

View reviewed changes

www/include/monitoring/status/Services/xml/makeXMLForOneService.php Outdated Show resolved Hide resolved

callapa approved these changes Nov 7, 2019

View reviewed changes

jdelpierre approved these changes Nov 8, 2019

View reviewed changes

sc979 force-pushed the MON-4422-fix-master-sql-injections-in-monitoring-pages branch from c022ce8 to 5b76133 Compare November 8, 2019 12:32

sc979 and others added 14 commits November 12, 2019 09:47

fix(secu): remove unused topCounter files and folders (#8007)

a5a084f

fix(secu): remove unused http parameters in service by servicegroup s…

3fa6e29

…ummary XML (#8064) * fix(secu): remove or sanitize unused https arguments in service by servicegroup summary * Update www/include/monitoring/status/ServicesServiceGroups/xml/serviceSummaryBySGXML.php

fix(secu): remove unused http parameters in services by hostgroup fil…

da77ed8

…es (#8074) * fix(secu): sanitize or remove unused params in serviceSummaryBYHGXML file * fix(secu): sanitize or remove unused params in serviceGridBYHGXML file

fix(secu): remove unused http parameters in hostgroup xml.php (#8073)

0826c38

* style * fix(secu): remove unused http parameters in hostgroupXML.php file

fix(secu): remove unused http parameters in hostXML file (#8079)

51de910

* style * fix(secu): sanitize or remove unused params in hostXML file

fix(secu): prevent from sql injections in host page (#8087)

305203a

* prevent sql injection in hostXML.php * replace uppercase table alias by lowercase * delete case duplicating the default case * style * replace array() with []

fix(secu): prevent from sql injections from common xml model (#8083)

8c20669

* www/include/monitoring/status/Common/xml/modelXML.php * correct variable

fix(secu): prevent from sql injections in hostgroupXML file (#8081)

4ac3b11

* fix(secu): avoid sql injections in hostgroupXML file * fix(UI): add the order param to the request * remove useless declarations

replace LIKE with equal

94e1c3c

replace regexp with whitelist

7d41699

replace array() with []

42793f5

sc979 and others added 6 commits November 12, 2019 09:47

multiple queries enh or fix

ffe10d7

multiple queries enh or fix

64df83c

add missing array declaration

e91e514

Co-Authored-By: Laurent Calvet <lcalvet@centreon.com>

fix(CI): sonar coding style issue

c5efc6c

style

7585972

style

aa4bda8

sc979 force-pushed the MON-4422-fix-master-sql-injections-in-monitoring-pages branch from 5779c17 to aa4bda8 Compare November 12, 2019 08:48

sc979 merged commit 9738668 into master Nov 12, 2019

sc979 deleted the MON-4422-fix-master-sql-injections-in-monitoring-pages branch November 12, 2019 12:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8063

fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8063

sc979 commented Oct 28, 2019 •

edited

Loading

lbrossault commented Aug 25, 2022

fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8063

fix(secu): Avoid SQL injections in multiple monitoring pages - for master #8063

Conversation

sc979 commented Oct 28, 2019 • edited Loading

Pull Request Template

Description

Type of change

Target serie

How this pull request can be tested ?

Checklist

Community contributors & Centreon team

Centreon team only

lbrossault commented Aug 25, 2022

sc979 commented Oct 28, 2019 •

edited

Loading