From 0898caa7ae07616ea6bd7ce0830a732994394745 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?=
Date: Mon, 24 Oct 2022 14:30:48 +0200
Subject: [PATCH] Prevent XSS on Inventory
---
 src/Inventory/Asset/Antivirus.php | 9 +++--
 src/Inventory/Asset/Camera.php | 15 ++++++--
 src/Inventory/Asset/Cartridge.php | 14 ++++----
 src/Inventory/Asset/DatabaseInstance.php | 10 +++---
 src/Inventory/Asset/Device.php | 19 ++++++-----
 src/Inventory/Asset/InventoryAsset.php | 8 ++---
 src/Inventory/Asset/InventoryNetworkPort.php | 28 +++++++---------
 src/Inventory/Asset/MainAsset.php | 15 ++++-----
 src/Inventory/Asset/Monitor.php | 6 ++--
 src/Inventory/Asset/NetworkEquipment.php | 7 ++--
 src/Inventory/Asset/NetworkPort.php | 12 +++---
 src/Inventory/Asset/OperatingSystem.php | 6 ++--
 src/Inventory/Asset/Peripheral.php | 6 ++--
 src/Inventory/Asset/Printer.php | 10 +++---
 src/Inventory/Asset/RemoteManagement.php | 6 ++--
 src/Inventory/Asset/Software.php | 35 +++++++++++++------
 src/Inventory/Asset/VirtualMachine.php | 10 +++---
 src/Inventory/Asset/Volume.php | 6 ++--
 18 files changed, 116 insertions(+), 106 deletions(-)
diff --git a/src/Inventory/Asset/Antivirus.php b/src/Inventory/Asset/Antivirus.php
index 59b7e2af6d5..c5275971533 100644
--- a/src/Inventory/Asset/Antivirus.php
+++ b/src/Inventory/Asset/Antivirus.php
@@ -37,7 +37,7 @@
 use ComputerAntivirus;
 use Glpi\Inventory\Conf;
-use Toolbox;
+use Glpi\Toolbox\Sanitizer;
 class Antivirus extends InventoryAsset
 {
@@ -109,8 +109,6 @@ protected function getExisting(): array
 public function handle()
 {
- global $DB;
-
 $db_antivirus = $this->getExisting();
 $value = $this->data;
 $computerAntivirus = new ComputerAntivirus();
@@ -126,7 +124,7 @@ public function handle()
 $input = $this->handleInput($val, $computerAntivirus) + [
 'id' => $keydb
 ];
- $computerAntivirus->update(Toolbox::addslashes_deep($input));
+ $computerAntivirus->update(Sanitizer::sanitize($input));
 unset($value[$k]);
 unset($db_antivirus[$keydb]);
 break;
@@ -146,7 +144,8 @@ public function handle()
 foreach ($value as $val) {
 $val->computers_id = $this->item->fields['id'];
 $val->is_dynamic = 1;
- $computerAntivirus->add(Toolbox::addslashes_deep($this->handleInput($val, $computerAntivirus)));
+ $input = $this->handleInput($val, $computerAntivirus);
+ $computerAntivirus->add(Sanitizer::sanitize($input));
 }
 }
 }
diff --git a/src/Inventory/Asset/Camera.php b/src/Inventory/Asset/Camera.php
index 56a19d53599..bb67a15d092 100644
--- a/src/Inventory/Asset/Camera.php
+++ b/src/Inventory/Asset/Camera.php
@@ -35,8 +35,8 @@
 namespace Glpi\Inventory\Asset;
-use CommonDBTM;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Item_Devices;
 class Camera extends Device
@@ -95,10 +95,12 @@ private function handleResolution($itemdevice, $val, $is_video = false)
 continue;
 }
+ $rsl = Sanitizer::sanitize($rsl);
+
 $resolution = new \ImageResolution();
- if (!$resolution->getFromDBByCrit(['name' => addslashes($rsl)])) {
+ if (!$resolution->getFromDBByCrit(['name' => $rsl])) {
 $resolution->add([
- 'name' => addslashes($rsl),
+ 'name' => $rsl,
 'is_video' => $is_video,
 'is_dynamic' => 1
 ]);
@@ -128,9 +130,12 @@ private function handleFormats($itemdevice, $val)
 if (empty($fmt)) {
 continue;
 }
- if (!$format->getFromDBByCrit(['name' => addslashes($fmt)])) {
+
+ $fmt = Sanitizer::sanitize($fmt);
+
+ if (!$format->getFromDBByCrit(['name' => $fmt])) {
 $format->add([
- 'name' => addslashes($fmt),
+ 'name' => $fmt,
 'is_dynamic' => 1
 ]);
 }
diff --git a/src/Inventory/Asset/Cartridge.php b/src/Inventory/Asset/Cartridge.php
index 8b1dd442666..de3050d305b 100644
--- a/src/Inventory/Asset/Cartridge.php
+++ b/src/Inventory/Asset/Cartridge.php
@@ -36,8 +36,8 @@
 namespace Glpi\Inventory\Asset;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Printer_CartridgeInfo;
-use Toolbox;
 class Cartridge extends InventoryAsset
 {
@@ -230,8 +230,6 @@ protected function getExisting(): array
 public function handle()
 {
- global $DB;
-
 $cartinfo = new Printer_CartridgeInfo();
 $db_cartridges = $this->getExisting();
@@ -243,7 +241,7 @@ public function handle()
 'value' => $val,
 'id' => $keydb
 ];
- $cartinfo->update(Toolbox::addslashes_deep($input), false);
+ $cartinfo->update(Sanitizer::sanitize($input), false);
 unset($value->$k);
 unset($db_cartridges[$keydb]);
 break;
@@ -259,11 +257,11 @@ public function handle()
 foreach ($value as $property => $val) {
 $cartinfo->add(
- [
+ Sanitizer::sanitize([
 'printers_id' => $this->item->fields['id'],
- 'property' => addslashes($property),
- 'value' => addslashes($val)
- ],
+ 'property' => $property,
+ 'value' => $val
+ ]),
 [],
 false
 );
diff --git a/src/Inventory/Asset/DatabaseInstance.php b/src/Inventory/Asset/DatabaseInstance.php
index e735c8f1307..2f02a696add 100644
--- a/src/Inventory/Asset/DatabaseInstance.php
+++ b/src/Inventory/Asset/DatabaseInstance.php
@@ -37,9 +37,9 @@
 use DatabaseInstance as GDatabaseInstance;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use RuleImportAssetCollection;
 use RuleMatchedLog;
-use Toolbox;
 class DatabaseInstance extends InventoryAsset
 {
@@ -137,7 +137,7 @@ public function handle()
 'itemtype' => $this->item->getType(),
 'items_id' => $this->item->fields['id']
 ];
- $items_id = $instance->add(Toolbox::addslashes_deep($input));
+ $items_id = $instance->add(Sanitizer::sanitize($input));
 } else {
 $items_id = $data['found_inventories'][0];
 $databases = $val->databases ?? [];
@@ -145,7 +145,7 @@ public function handle()
 $instance->getFromDB($items_id);
 $input = $this->handleInput($val, $instance);
 $input += ['id' => $instance->fields['id']];
- $instance->update(Toolbox::addslashes_deep($input));
+ $instance->update(Sanitizer::sanitize($input));
 $existing_databases = $instance->getDatabases();
 //update databases, relying on name
@@ -154,7 +154,7 @@ public function handle()
 if ($existing_database['name'] == $database->name) {
 $dbinput = (array)$database;
 $dbinput += ['id' => $dbkey, 'is_deleted' => 0, 'is_dynamic' => 1];
- $odatabase->update(Toolbox::addslashes_deep($dbinput));
+ $odatabase->update(Sanitizer::sanitize($dbinput));
 unset(
 $existing_databases[$dbkey],
 $databases[$key]
@@ -179,7 +179,7 @@ public function handle()
 'databaseinstances_id' => $instance->fields['id'],
 'is_dynamic' => 1
 ];
- $odatabase->add(Toolbox::addslashes_deep($dbinput));
+ $odatabase->add(Sanitizer::sanitize($dbinput));
 }
 $instances[$items_id] = $items_id;
diff --git a/src/Inventory/Asset/Device.php b/src/Inventory/Asset/Device.php
index 79af40263d6..0b4940f9c21 100644
--- a/src/Inventory/Asset/Device.php
+++ b/src/Inventory/Asset/Device.php
@@ -35,7 +35,7 @@
 namespace Glpi\Inventory\Asset;
-use CommonDBTM;
+use Glpi\Toolbox\Sanitizer;
 use Item_Devices;
 abstract class Device extends InventoryAsset
@@ -99,7 +99,8 @@ public function handle()
 //create device or get existing device ID
 $raw_input = $this->handleInput($val, $device);
- $device_id = $device->import(\Toolbox::addslashes_deep($raw_input) + ['with_history' => false]);
+ $device_input = Sanitizer::dbEscapeRecursive($raw_input); // `handleInput` may copy unescaped values
+ $device_id = $device->import($device_input + ['with_history' => false]);
 $i_criteria = $itemdevice->getImportCriteria();
 $fk_input = [
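Review bot: The name match on the first line of the hunk, `if ($existing_database['name'] == $database->name)`, now compares a stored value that `Sanitizer::sanitize()` HTML-encodes against the raw inventory name, so a database whose name contains `&`, `<`, `>`, `"` or `'` will presumably never match and will be dropped and re-created on every inventory instead of updated. If `getDatabases()` returns the stored form, encode the inventory side before comparing, e.g. `if ($existing_database['name'] == Sanitizer::encodeHtmlSpecialCharsRecursive($database->name)) {`, and switch to `===` while touching the line. The same stored-versus-raw comparison exists in NetworkEquipment::portCreated (`$netname->fields['name'] != $port->name`) and in InventoryNetworkPort::handleUpdates, where the DB `$row['name']` whose escaping this commit removes is matched against agent data. handle() starts and ends outside the hunk.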
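Review bot: The added line `$device_input = Sanitizer::dbEscapeRecursive($raw_input);` is the only write in this commit that is DB-escaped but not HTML-encoded; every other asset goes through `Sanitizer::sanitize()`. Unless `$device->import()` encodes its input itself (not visible here), device designations, serials and similar agent-supplied strings are stored raw, which is the class of issue this commit addresses. If `import()` does encode, the inline comment should state that rather than only the escaping caveat, e.g. `// import() HTML-encodes the input itself; only DB escaping is needed here`; if it does not, this line should read `$device_input = Sanitizer::sanitize($raw_input);` like the other call sites. handle() continues outside the hunk.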
@@ -150,14 +151,14 @@ public function handle()
 if ($equals === true) {
 $itemdevice->getFromDB($existing_item['id']);
- $itemdevice_data = \Toolbox::addslashes_deep([
+ $itemdevice_data = [
 'id' => $existing_item['id'],
 $fk => $device_id,
 'itemtype' => $this->item->getType(),
 'items_id' => $this->item->fields['id'],
 'is_dynamic' => 1
- ] + $this->handleInput($val, $itemdevice));
- $itemdevice->update($itemdevice_data, false);
+ ] + $this->handleInput($val, $itemdevice);
+ $itemdevice->update(Sanitizer::sanitize($itemdevice_data), false);
 unset($existing[$device_id][$key]);
 break;
 }
@@ -165,13 +166,13 @@ public function handle()
 if (($equals ?? false) !== true) {
 $itemdevice->getEmpty();
- $itemdevice_data = \Toolbox::addslashes_deep([
+ $itemdevice_data = [
 $fk => $device_id,
 'itemtype' => $this->item->getType(),
 'items_id' => $this->item->fields['id'],
 'is_dynamic' => 1
- ] + $this->handleInput($val, $itemdevice));
- $itemdevice->add($itemdevice_data, [], false);
+ ] + $this->handleInput($val, $itemdevice);
+ $itemdevice->add(Sanitizer::sanitize($itemdevice_data), [], false);
 $this->itemdeviceAdded($itemdevice, $val);
 }
@@ -181,7 +182,7 @@ public function handle()
 }
 //remove remaining devices instances
- foreach ($existing as $deviceid => $data) {
+ foreach ($existing as $data) {
 foreach ($data as $itemdevice_data) {
 if ($itemdevice_data['is_dynamic'] == 1) {
 $DB->delete(
diff --git a/src/Inventory/Asset/InventoryAsset.php b/src/Inventory/Asset/InventoryAsset.php
index 5e45dc5abee..17d9850230c 100644
--- a/src/Inventory/Asset/InventoryAsset.php
+++ b/src/Inventory/Asset/InventoryAsset.php
@@ -232,24 +232,24 @@ public function handleLinks()
 if (!isset($this->known_links[$known_key])) {
 $entities_id = $this->entities_id;
 if ($key == "locations_id") {
- $this->known_links[$known_key] = Dropdown::importExternal('Location', addslashes($value->$key), $entities_id);
+ $this->known_links[$known_key] = Dropdown::importExternal('Location', $value->$key, $entities_id);
 } else if (preg_match('/^.+models_id/', $key)) {
 // models that need manufacturer relation for dictionary import
 // see CommonDCModelDropdown::$additional_fields_for_dictionnary
 $this->known_links[$known_key] = Dropdown::importExternal(
 getItemtypeForForeignKeyField($key),
- addslashes($value->$key),
+ $value->$key,
 $entities_id,
 ['manufacturer' => $manufacturer_name]
 );
 } else if (isset($foreignkey_itemtype[$key])) {
- $this->known_links[$known_key] = Dropdown::importExternal($foreignkey_itemtype[$key], addslashes($value->$key), $entities_id);
+ $this->known_links[$known_key] = Dropdown::importExternal($foreignkey_itemtype[$key], $value->$key, $entities_id);
 } else if ($key !== 'entities_id' && $key !== 'states_id' && isForeignKeyField($key) && is_a($itemtype = getItemtypeForForeignKeyField($key), CommonDropdown::class, true)) {
 $foreignkey_itemtype[$key] = $itemtype;
 $this->known_links[$known_key] = Dropdown::importExternal(
 $foreignkey_itemtype[$key],
- addslashes($value->$key),
+ $value->$key,
 $entities_id
 );
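Review bot: Removing `addslashes()` from the four `Dropdown::importExternal()` calls hands the raw `$value->$key` from the agent payload to the callee, and nothing in the hunk shows that `importExternal()` escapes or encodes it before its own lookup and insert. If `importExternal()` now sanitizes internally, a comment at the top of this branch would stop the next maintainer from re-adding escaping and double-encoding the value, e.g. `// importExternal() sanitizes the value itself; pass it raw`; if it does not, these four calls are the remaining unescaped inventory writes after this commit. `$manufacturer_name`, passed as the `manufacturer` dictionary option on the second call, is built outside the hunk and its escaping state cannot be checked here. handleLinks() starts and ends outside the hunk.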
@@ -169,10 +169,10 @@ private function cleanUnmanageds()
 'itemtype' => $this->itemtype,
 'items_id' => $this->items_id,
 'is_dynamic' => 1,
- 'name' => addslashes($port->name)
+ 'name' => $port->name,
 ];
- $networkport->update($input);
+ $networkport->update(Sanitizer::sanitize($input));
 $unmanaged->delete(['id' => $unmanageds_id], true);
 }
 }
@@ -238,7 +238,7 @@ private function handleIpNetworks()
 'gateway' => $port->gateway,
 'entities_id' => $this->entities_id
 ];
- $ipnetwork->add(Toolbox::addslashes_deep($input));
+ $ipnetwork->add(Sanitizer::sanitize($input));
 }
 }
 }
@@ -260,7 +260,6 @@ private function addNetworkPort(\stdClass $port)
 unset($input[$key]);
 }
 }
- $input = Toolbox::addslashes_deep($input);
 $input = array_merge(
 $input,
 [
@@ -275,7 +274,7 @@ private function addNetworkPort(\stdClass $port)
 $input['trunk'] = 0;
 }
- $netports_id = $networkport->add($input);
+ $netports_id = $networkport->add(Sanitizer::sanitize($input));
 return $netports_id;
 }
@@ -302,7 +301,7 @@ protected function addNetworkName($items_id, $name = null)
 $input['name'] = $name;
 }
- $netname_id = $networkname->add($input);
+ $netname_id = $networkname->add(Sanitizer::sanitize($input));
 return $netname_id;
 }
@@ -321,10 +320,10 @@ private function addIPAddresses(array $ips, $items_id)
 $input = [
 'items_id' => $items_id,
 'itemtype' => 'NetworkName',
- 'name' => addslashes($ip),
+ 'name' => $ip,
 'is_dynamic' => 1
 ];
- $ipaddress->add($input);
+ $ipaddress->add(Sanitizer::sanitize($input));
 }
 }
@@ -355,9 +354,6 @@ private function handleUpdates()
 if (is_null($row['mac'])) {
 $row['mac'] = '';
 }
- if (preg_match("/[^a-zA-Z0-9 \-_\(\)]+/", $row['name'])) {
- $row['name'] = Toolbox::addslashes_deep($row['name']);
- }
 foreach (['name', 'mac'] as $field) {
 if ($row[$field] !== null) {
 $row[$field] = strtolower($row[$field]);
@@ -398,10 +394,10 @@ private function handleUpdates()
 if (property_exists($data, 'logical_number') && $data->logical_number != $db_lnumber) {
 $networkport->update(
- [
+ Sanitizer::sanitize([
 'id' => $keydb,
 'logical_number' => $data->logical_number
- ]
+ ])
 );
 }
@@ -588,9 +584,9 @@ private function handleInstantiation($type, $data, $ports_id, $load)
 //store instance
 if ($instance->isNewItem()) {
- $instance->add(Toolbox::addslashes_deep($input));
+ $instance->add(Sanitizer::sanitize($input));
 } else {
- $instance->update(Toolbox::addslashes_deep($input));
+ $instance->update(Sanitizer::sanitize($input));
 }
 }
diff --git a/src/Inventory/Asset/MainAsset.php b/src/Inventory/Asset/MainAsset.php
index c4297194562..be776d49fcd 100644
--- a/src/Inventory/Asset/MainAsset.php
+++ b/src/Inventory/Asset/MainAsset.php
@@ -44,7 +44,7 @@
 use Glpi\Inventory\Asset\Printer as AssetPrinter;
 use Glpi\Inventory\Conf;
 use Glpi\Inventory\Request;
-use Lockedfield;
+use Glpi\Toolbox\Sanitizer;
 use NetworkEquipment;
 use Printer;
 use RefusedEquipment;
@@ -53,7 +53,6 @@
 use RuleLocationCollection;
 use RuleMatchedLog;
 use stdClass;
-use Toolbox;
 use Transfer;
 abstract class MainAsset extends InventoryAsset
@@ -600,7 +599,7 @@ protected function addRefused(array $input)
 }
 if (!is_numeric($input['autoupdatesystems_id'])) {
- $system_name = addslashes($input['autoupdatesystems_id']);
+ $system_name = Sanitizer::sanitize($input['autoupdatesystems_id']);
 $auto_update_system = new AutoUpdateSystem();
 if ($auto_update_system->getFromDBByCrit(['name' => $system_name])) {
 // Load from DB
@@ -617,7 +616,7 @@ protected function addRefused(array $input)
 $refused_input['autoupdatesystems_id'] = $input['autoupdatesystems_id'];
 $refused = new \RefusedEquipment();
- $refused->add(Toolbox::addslashes_deep($refused_input));
+ $refused->add(Sanitizer::sanitize($refused_input));
 $this->refused[] = $refused;
 }
@@ -684,7 +683,7 @@ public function rulepassed($items_id, $itemtype, $rules_id, $ports_id = 0)
 $input = $this->handleInput($val, $this->item);
 unset($input['ap_port']);
 unset($input['firmware']);
- $items_id = $this->item->add(Toolbox::addslashes_deep($input));
+ $items_id = $this->item->add(Sanitizer::sanitize($input));
 $this->setNew();
 }
@@ -743,12 +742,12 @@ public function rulepassed($items_id, $itemtype, $rules_id, $ports_id = 0)
 ) {
 //only update autoupdatesystems_id, last_inventory_update, snmpcredentials_id
 $input = $this->handleInput($val, $this->item);
- $this->item->update(['id' => $input['id'],
+ $this->item->update(Sanitizer::sanitize(['id' => $input['id'],
 'autoupdatesystems_id' => $input['autoupdatesystems_id'],
 'last_inventory_update' => $input['last_inventory_update'],
 'snmpcredentials_id' => $input['snmpcredentials_id'],
 'is_dynamic' => true
- ]);
+ ]));
 return;
 }
 }
@@ -777,7 +776,7 @@ public function rulepassed($items_id, $itemtype, $rules_id, $ports_id = 0)
 }
 $input = $this->handleInput($val, $this->item);
- $this->item->update(Toolbox::addslashes_deep($input));
+ $this->item->update(Sanitizer::sanitize($input));
 if (!($this->item instanceof RefusedEquipment)) {
 $this->handleAssets();
diff --git a/src/Inventory/Asset/Monitor.php b/src/Inventory/Asset/Monitor.php
index 1b300f651d0..b5dd61defb9 100644
--- a/src/Inventory/Asset/Monitor.php
+++ b/src/Inventory/Asset/Monitor.php
@@ -38,9 +38,9 @@
 use Computer_Item;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Monitor as GMonitor;
 use RuleImportAssetCollection;
-use Toolbox;
 class Monitor extends InventoryAsset
 {
@@ -162,11 +162,11 @@ public function handle()
 // add monitor
 $val->entities_id = $entities_id;
 $val->is_dynamic = 1;
- $items_id = $monitor->add(Toolbox::addslashes_deep($this->handleInput($val, $monitor)));
+ $items_id = $monitor->add(Sanitizer::sanitize($this->handleInput($val, $monitor)));
 } else {
 $items_id = $data['found_inventories'][0];
 $monitor->getFromDB($items_id);
- $monitor->update(Toolbox::addslashes_deep($this->handleInput($val, $monitor) + ['id' => $items_id]));
+ $monitor->update(Sanitizer::sanitize($this->handleInput($val, $monitor) + ['id' => $items_id]));
 }
 $monitors[] = $items_id;
diff --git a/src/Inventory/Asset/NetworkEquipment.php b/src/Inventory/Asset/NetworkEquipment.php
index 9694350a53d..c8c4c0f3ec6 100644
--- a/src/Inventory/Asset/NetworkEquipment.php
+++ b/src/Inventory/Asset/NetworkEquipment.php
@@ -36,6 +36,7 @@
 namespace Glpi\Inventory\Asset;
+use Glpi\Toolbox\Sanitizer;
 use NetworkEquipmentModel;
 use NetworkEquipmentType;
 use NetworkName;
@@ -245,10 +246,10 @@ protected function portCreated(\stdClass $port, int $netports_id)
 $netname = new NetworkName();
 if ($netname->getFromDBByCrit(['itemtype' => 'NetworkPort', 'items_id' => $netports_id])) {
 if ($netname->fields['name'] != $port->name) {
- $netname->update([
+ $netname->update(Sanitizer::sanitize([
 'id' => $netname->getID(),
- 'name' => addslashes($port->netname ?? $port->name)
- ]);
+ 'name' => $port->netname ?? $port->name
+ ]));
 }
 } else {
 $netname->add([
diff --git a/src/Inventory/Asset/NetworkPort.php b/src/Inventory/Asset/NetworkPort.php
index 3abfa489fce..6c607234269 100644
--- a/src/Inventory/Asset/NetworkPort.php
+++ b/src/Inventory/Asset/NetworkPort.php
@@ -38,11 +38,11 @@
 use Glpi\Inventory\Conf;
 use Glpi\Inventory\FilesToJSON;
+use Glpi\Toolbox\Sanitizer;
 use NetworkPort as GlobalNetworkPort;
 use NetworkPortType;
 use QueryParam;
 use RuleImportAssetCollection;
-use Toolbox;
 use Unmanaged;
 class NetworkPort extends InventoryAsset
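Review bot: Only the update branch of portCreated() is sanitized; the `else` branch ends the hunk with `$netname->add([` and its input lies outside view, so a NetworkName created for a new port from `$port->netname` / `$port->name` may still be stored unencoded. Unless that call is already wrapped, it should become `$netname->add(Sanitizer::sanitize([`, mirroring the update. Separately, the guard `$netname->fields['name'] != $port->name` tests `$port->name` while the written value is `$port->netname ?? $port->name`, so a port whose `netname` changed but whose `name` did not is never updated; that predates this commit but is worth a follow-up. portCreated() continues outside the hunk.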
@@ -405,7 +405,7 @@ private function handleVlans(\stdClass $port, int $netports_id)
 }
 }
- $stmt_values = array_values($stmt_columns);
+ $stmt_values = Sanitizer::encodeHtmlSpecialCharsRecursive(array_values($stmt_columns));
 $this->vlan_stmt->bind_param($stmt_types, ...$stmt_values);
 $DB->executeStatement($this->vlan_stmt);
 $vlans_id = $DB->insertId();
@@ -435,7 +435,7 @@ private function handleVlans(\stdClass $port, int $netports_id)
 }
 }
- $pvlan_stmt_values = array_values($pvlan_stmt_columns);
+ $pvlan_stmt_values = Sanitizer::encodeHtmlSpecialCharsRecursive(array_values($pvlan_stmt_columns));
 $this->pvlan_stmt->bind_param($pvlan_stmt_types, ...$pvlan_stmt_values);
 $DB->executeStatement($this->pvlan_stmt);
 }
@@ -504,7 +504,7 @@ private function handleAggregations()
 }
 $input['networkports_id_list'] = array_values($aggregates);
- $netport_aggregate->update($input, false);
+ $netport_aggregate->update(Sanitizer::sanitize($input), false);
 }
 }
@@ -566,7 +566,7 @@ public function rulepassed($items_id, $itemtype, $rules_id, $ports_id = 0)
 $input['name'] = $name;
 }
 }
- $items_id = $item->add(Toolbox::addslashes_deep($input));
+ $items_id = $item->add(Sanitizer::sanitize($input));
 $rulesmatched = new \RuleMatchedLog();
 $agents_id = $this->agent->fields['id'];
@@ -616,7 +616,7 @@ public function rulepassed($items_id, $itemtype, $rules_id, $ports_id = 0)
 if (property_exists($port, 'mac') && !empty($port->mac)) {
 $input['mac'] = $port->mac;
 }
- $ports_id = $netport->add(Toolbox::addslashes_deep($input));
+ $ports_id = $netport->add(Sanitizer::sanitize($input));
 }
 if (!isset($this->connection_ports[$itemtype])) {
diff --git a/src/Inventory/Asset/OperatingSystem.php b/src/Inventory/Asset/OperatingSystem.php
index b0382237a43..349379de45d 100644
--- a/src/Inventory/Asset/OperatingSystem.php
+++ b/src/Inventory/Asset/OperatingSystem.php
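Review bot: The two prepared-statement sites in handleVlans() use `Sanitizer::encodeHtmlSpecialCharsRecursive()` while handleAggregations() and rulepassed() in the same file use `Sanitizer::sanitize()`, and nothing in the file explains why the two forms differ. A one-line comment above the first `$stmt_values = ...` would keep the next reader from "unifying" it into `sanitize()` and storing backslashes literally through `bind_param()`, e.g. `// values are bound, so only HTML-encode; DB escaping would be written to the row verbatim`. The identical lines in Software::storeSoftware() and Software::storeVersions() deserve the same comment. handleVlans() starts and ends outside the hunk.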
@@ -37,9 +37,9 @@
 namespace Glpi\Inventory\Asset;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Item_OperatingSystem;
 use RuleDictionnaryOperatingSystemArchitectureCollection;
-use Toolbox;
 class OperatingSystem extends InventoryAsset
 {
@@ -133,10 +133,10 @@ public function handle()
 }
 }
 if ($same === false) {
- $ios->update(['id' => $ios->getID()] + Toolbox::addslashes_deep($input_os));
+ $ios->update(Sanitizer::sanitize(['id' => $ios->getID()] + $input_os));
 }
 } else {
- $ios->add(Toolbox::addslashes_deep($input_os));
+ $ios->add(Sanitizer::sanitize($input_os));
 }
 $ioskey = 'operatingsystems_id' . $val->operatingsystems_id;
diff --git a/src/Inventory/Asset/Peripheral.php b/src/Inventory/Asset/Peripheral.php
index 36e56f8ef11..f4f3d91d928 100644
--- a/src/Inventory/Asset/Peripheral.php
+++ b/src/Inventory/Asset/Peripheral.php
@@ -38,10 +38,10 @@
 use Computer_Item;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Peripheral as GPeripheral;
 use RuleImportAssetCollection;
 use RuleMatchedLog;
-use Toolbox;
 class Peripheral extends InventoryAsset
 {
@@ -163,12 +163,12 @@ public function handle()
 if ($data['found_inventories'][0] == 0) {
 // add peripheral
 $handled_input = $this->handleInput($val, $peripheral) + ['entities_id' => $this->entities_id];
- $items_id = $peripheral->add(Toolbox::addslashes_deep($handled_input), [], false);
+ $items_id = $peripheral->add(Sanitizer::sanitize($handled_input), [], false);
 } else {
 $items_id = $data['found_inventories'][0];
 $peripheral->getFromDB($items_id);
 $handled_input = $this->handleInput($val, $peripheral);
- $peripheral->update(Toolbox::addslashes_deep(['id' => $items_id] + $handled_input), false);
+ $peripheral->update(Sanitizer::sanitize(['id' => $items_id] + $handled_input), false);
 }
 $peripherals[] = $items_id;
diff --git a/src/Inventory/Asset/Printer.php b/src/Inventory/Asset/Printer.php
index 9290ecca3ed..e997a07c75e 100644
--- a/src/Inventory/Asset/Printer.php
+++ b/src/Inventory/Asset/Printer.php
@@ -37,6 +37,7 @@
 namespace Glpi\Inventory\Asset;
 use CommonDBTM;
+use Glpi\Toolbox\Sanitizer;
 use IPAddress;
 use Printer as GPrinter;
 use PrinterLog;
@@ -44,7 +45,6 @@
 use PrinterType;
 use RuleDictionnaryPrinterCollection;
 use RuleImportAssetCollection;
-use Toolbox;
 class Printer extends NetworkEquipment
 {
@@ -240,7 +240,7 @@ protected function handleConnectedPrinter()
 // add printer
 $val->entities_id = $entities_id;
 $val->is_dynamic = 1;
- $items_id = $printer->add(Toolbox::addslashes_deep($this->handleInput($val, $printer)));
+ $items_id = $printer->add(Sanitizer::sanitize($this->handleInput($val, $printer)));
 } else {
 $items_id = $data['found_inventories'][0];
 }
@@ -352,9 +352,9 @@ public function handleMetrics()
 $metrics = new PrinterLog();
 if ($metrics->getFromDBByCrit($unicity_input)) {
 $input['id'] = $metrics->fields['id'];
- $metrics->update($input, false);
+ $metrics->update(Sanitizer::sanitize($input), false);
 } else {
- $metrics->add($input, [], false);
+ $metrics->add(Sanitizer::sanitize($input), [], false);
 }
 }
@@ -375,7 +375,7 @@ public static function needToBeUpdatedFromDiscovery(CommonDBTM $item, $val)
 $tmp['mainitemtype'] = $item::getType();
 $tmp['is_dynamic'] = 1;
 $tmp['name'] = $ipadress->getTextual();
- if ($ipadress->getFromDBByCrit($tmp)) {
+ if ($ipadress->getFromDBByCrit(Sanitizer::sanitize($tmp))) {
 return false;
 }
 return true;
diff --git a/src/Inventory/Asset/RemoteManagement.php b/src/Inventory/Asset/RemoteManagement.php
index b6cab4a0d2e..2b1908de142 100644
--- a/src/Inventory/Asset/RemoteManagement.php
+++ b/src/Inventory/Asset/RemoteManagement.php
@@ -36,8 +36,8 @@
 namespace Glpi\Inventory\Asset;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Item_RemoteManagement;
-use Toolbox;
 class RemoteManagement extends InventoryAsset
 {
@@ -114,7 +114,7 @@ public function handle()
 $input = (array)$val + [
 'id' => $keydb
 ];
- $mgmt->update(Toolbox::addslashes_deep($input));
+ $mgmt->update(Sanitizer::sanitize($input));
 unset($value[$k]);
 unset($db_mgmt[$keydb]);
 break;
@@ -134,7 +134,7 @@ public function handle()
 $val->itemtype = $this->item->getType();
 $val->items_id = $this->item->fields['id'];
 $val->is_dynamic = 1;
- $mgmt->add(Toolbox::addslashes_deep((array)$val));
+ $mgmt->add(Sanitizer::sanitize((array)$val));
 }
 }
diff --git a/src/Inventory/Asset/Software.php b/src/Inventory/Asset/Software.php
index 0440cbd6880..06cddc0c958 100644
--- a/src/Inventory/Asset/Software.php
+++ b/src/Inventory/Asset/Software.php
@@ -40,6 +40,7 @@
 use Dropdown;
 use Entity;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use QueryParam;
 use RuleDictionnarySoftwareCollection;
 use Software as GSoftware;
@@ -556,10 +557,15 @@ private function populateSoftware()
 continue;
 }
+ $input = Sanitizer::encodeHtmlSpecialCharsRecursive([
+ 'name' => $val->name,
+ 'manufacturers_id' => $val->manufacturers_id,
+ ]);
+
 $stmt->bind_param(
 'ss',
- $val->name,
- $val->manufacturers_id
+ $input['name'],
+ $input['manufacturers_id'],
 );
 $DB->executeStatement($stmt);
 $results = $stmt->get_result();
@@ -624,14 +630,19 @@ private function populateVersions()
 continue;
 }
- $osid = $this->getOsForKey($val);
- $arch = $val->arch ?? '';
+ $input = Sanitizer::encodeHtmlSpecialCharsRecursive([
+ 'version' => $val->version,
+ 'arch' => $val->arch ?? '',
+ 'softwares_id' => $softwares_id,
+ 'osid' => $this->getOsForKey($val),
+ ]);
+
 $stmt->bind_param(
 'ssss',
- $val->version,
- $arch,
- $softwares_id,
- $osid
+ $input['version'],
+ $input['arch'],
+ $input['softwares_id'],
+ $input['osid']
 );
 $DB->executeStatement($stmt);
 $results = $stmt->get_result();
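Review bot: The software lookup now binds the HTML-encoded `$input['name']`, so it only finds rows stored in the encoded form; software rows created by the previous path (which only added slashes, so the stored name was the raw string) whose names contain `&`, `<`, `>`, `"` or `'` will presumably no longer match and be inserted again by storeSoftware() on every inventory. Unless a migration re-encodes existing names, this deserves a sentence in the commit message and a follow-up. The same lookup-then-insert consideration applies to populateVersions() below, to Camera::handleResolution() / handleFormats() and to MainAsset::addRefused(), all of which now look up with sanitized values. populateSoftware() starts and ends outside the hunk.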
@@ -676,7 +687,7 @@ private function storeSoftware()
 $stmt = $DB->prepare($insert_query);
 }
- $stmt_values = array_values($stmt_columns);
+ $stmt_values = Sanitizer::encodeHtmlSpecialCharsRecursive(array_values($stmt_columns));
 $stmt->bind_param($stmt_types, ...$stmt_values);
 $DB->executeStatement($stmt);
 $softwares_id = $DB->insertId();
@@ -741,7 +752,7 @@ private function storeVersions()
 $stmt = $DB->prepare($insert_query);
 }
- $stmt_values = array_values($stmt_columns);
+ $stmt_values = Sanitizer::encodeHtmlSpecialCharsRecursive(array_values($stmt_columns));
 $stmt->bind_param($stmt_types, ...$stmt_values);
 $DB->executeStatement($stmt);
 $versions_id = $DB->insertId();
@@ -819,12 +830,12 @@ private function storeAssetLink()
 $stmt = $DB->prepare($insert_query);
 }
- $input = [
+ $input = Sanitizer::encodeHtmlSpecialCharsRecursive([
 'softwareversions_id' => $versions_id,
 'is_dynamic' => 1,
 'entities_id' => $this->item->fields['entities_id'],
 'date_install' => $val->date_install ?? null
- ];
+ ]);
 $stmt->bind_param(
 'ssss',
diff --git a/src/Inventory/Asset/VirtualMachine.php b/src/Inventory/Asset/VirtualMachine.php
index 19e4ab54f05..6d5db78b081 100644
--- a/src/Inventory/Asset/VirtualMachine.php
+++ b/src/Inventory/Asset/VirtualMachine.php
@@ -40,8 +40,8 @@
 use Computer;
 use ComputerVirtualMachine;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use RuleImportAssetCollection;
-use Toolbox;
 class VirtualMachine extends InventoryAsset
 {
@@ -236,7 +236,7 @@ public function handle()
 $input[$prop] = $handled_input[$prop];
 }
 }
- $computerVirtualmachine->update(Toolbox::addslashes_deep($input));
+ $computerVirtualmachine->update(Sanitizer::sanitize($input));
 unset($value[$key]);
 unset($db_vms[$keydb]);
 break;
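Review bot: In storeAssetLink(), `'date_install' => $val->date_install ?? null` now goes through `Sanitizer::encodeHtmlSpecialCharsRecursive()` before the `'ssss'` bind, and whether a `null` element comes back unchanged or as `''` is not visible here; an empty string bound into a date column is not the same as NULL and may be rejected or stored as a zero date depending on SQL mode. If the encoder does not guarantee null pass-through, build the array as before and encode only the string members, leaving `date_install` untouched when it is null. The integer members (`softwareversions_id`, `is_dynamic`, `entities_id`) are harmless under string binds either way. storeAssetLink() continues outside the hunk.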
@@ -256,7 +256,7 @@ public function handle()
 $input = $this->handleInput($val, $computerVirtualmachine);
 $input['computers_id'] = $this->item->fields['id'];
 $input['is_dynamic'] = 1;
- $computerVirtualmachine->add(Toolbox::addslashes_deep($input));
+ $computerVirtualmachine->add(Sanitizer::sanitize($input));
 }
 }
@@ -310,7 +310,7 @@ protected function createVmComputer()
 $input = (array)$vm;
 $input['itemtype'] = \Computer::class;
 $input['entities_id'] = $this->main_asset->getEntityID();
- $input = \Toolbox::addslashes_deep($input);
+ $input = Sanitizer::sanitize($input);
 $datarules = $rule->processAllRules($input);
 if (isset($datarules['_no_rule_matches']) && ($datarules['_no_rule_matches'] == '1') || isset($datarules['found_inventories'])) {
@@ -326,7 +326,7 @@ protected function createVmComputer()
 $computervm->getFromDB($computers_vm_id);
 $input = (array)$vm;
 $input['id'] = $computers_vm_id;
- $computervm->update(Toolbox::addslashes_deep($input));
+ $computervm->update(Sanitizer::sanitize($input));
 }
 //load if new, reload if not.
diff --git a/src/Inventory/Asset/Volume.php b/src/Inventory/Asset/Volume.php
index aa78f96998a..a9bb5c39168 100644
--- a/src/Inventory/Asset/Volume.php
+++ b/src/Inventory/Asset/Volume.php
@@ -37,8 +37,8 @@
 namespace Glpi\Inventory\Asset;
 use Glpi\Inventory\Conf;
+use Glpi\Toolbox\Sanitizer;
 use Item_Disk;
-use Toolbox;
 class Volume extends InventoryAsset
 {
@@ -163,7 +163,7 @@ public function handle()
 $input = $this->handleInput($val, $itemDisk) + [
 'id' => $keydb,
 ];
- $itemDisk->update(Toolbox::addslashes_deep($input));
+ $itemDisk->update(Sanitizer::sanitize($input));
 unset($value[$key]);
 unset($db_itemdisk[$keydb]);
 break;
@@ -187,7 +187,7 @@ public function handle()
 'itemtype' => $this->item->getType()
 ];
- $itemDisk->add(Toolbox::addslashes_deep($input));
+ $itemDisk->add(Sanitizer::sanitize($input));
 }
 }
 }
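Review bot: In createVmComputer(), `$input = Sanitizer::sanitize($input);` sits ahead of `$rule->processAllRules($input)`, so the rule engine now receives HTML-encoded values where the previous code only slash-escaped them; rule criteria matching the VM `name` or similar fields by reg-ex or exact value will see `&amp;`, `&lt;` and `&quot;` instead of the raw characters. Elsewhere in this commit the `sanitize()` call is placed on the add()/update() call itself, not ahead of rule processing. If rules are meant to run on the raw data, evaluate them on `(array)$vm` and sanitize only the array that is written; if feeding the encoded form to rules is intentional, a comment on this line saying so would prevent it being "fixed" later. createVmComputer() starts and ends outside the hunk.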