From 5755b3bf979cd04caa6feee07e403a5be5ac320e Mon Sep 17 00:00:00 2001
From: Michael Larabel
Date: Sat, 15 Jan 2022 03:56:13 -0600
Subject: [PATCH] phoromatic: Additional input sanitization / validation
---
.../phoromatic/pages/phoromatic_benchmark.php | 8 ++++----
.../pages/phoromatic_r_add_test_details.php | 1 +
.../pages/phoromatic_r_basic_suite_details.php | 1 +
.../phoromatic/pages/phoromatic_schedules.php | 16 ++++++++--------
.../phoromatic/pages/phoromatic_system_claim.php | 14 +++++++-------
pts-core/phoromatic/pages/phoromatic_systems.php | 13 +++++++------
pts-core/phoromatic/phoromatic_functions.php | 4 ++--
7 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/pts-core/phoromatic/pages/phoromatic_benchmark.php b/pts-core/phoromatic/pages/phoromatic_benchmark.php
index 809f081c46..5c64cf711c 100644
--- a/pts-core/phoromatic/pages/phoromatic_benchmark.php
+++ b/pts-core/phoromatic/pages/phoromatic_benchmark.php
@@ -79,7 +79,7 @@ public static function render_page_process($PATH)
if(!empty($row))
{
- if(isset($_GET['remove']))
+ if(isset($_GET['remove']) && verify_submission_token())
{
$stmt = phoromatic_server::$db->prepare('DELETE FROM phoromatic_benchmark_tickets WHERE AccountID = :account_id AND TicketID = :ticket_id');
$stmt->bindValue(':account_id', $_SESSION['AccountID']);
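Review bot: A failed verify_submission_token() at L22 is never reported: the `&&` just skips the branch and execution falls through to the page rendering, so a remove/repeat/disable request carrying a missing or stale token renders the unchanged ticket with no message to the user and nothing in the server log; the same applies at L31 and L40 and to the POST branches in phoromatic_schedules.php at L89, L98, L107 and L117. A trailing `else if(isset($_GET['remove']) || isset($_GET['repeat']) || isset($_GET['disable'])) { $main .= '<p>Action not performed: invalid submission token.</p>'; }` (or one up-front check with a log line) would make the rejection visible on both sides. Note also that these three branches still perform a DELETE/UPDATE from a GET link, so the token travels in the URL and ends up in browser history, proxy logs and Referer headers; the POST-form pattern already used in phoromatic_schedules.php would avoid that exposure. render_page_process continues outside the hunk.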
@@ -87,7 +87,7 @@ public static function render_page_process($PATH)
$result = $stmt->execute();
header('Location: /?benchmark');
}
- else if(isset($_GET['repeat']))
+ else if(isset($_GET['repeat']) && verify_submission_token())
{
$stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET TicketIssueTime = :new_ticket_time, State = 1 WHERE AccountID = :account_id AND TicketID = :ticket_id');
$stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -95,7 +95,7 @@ public static function render_page_process($PATH)
$stmt->bindValue(':new_ticket_time', time());
$result = $stmt->execute();
}
- else if(isset($_GET['disable']))
+ else if(isset($_GET['disable']) && verify_submission_token())
{
$stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_benchmark_tickets SET State = 0 WHERE AccountID = :account_id AND TicketID = :ticket_id');
$stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -107,7 +107,7 @@ public static function render_page_process($PATH)
$main .= '' . $row['Title'] . '
';
$main .= '' . $row['Description'] . '
';
$main .= 'This benchmark ticket was created on ' . date('j F Y \a\t H:i', strtotime($row['LastModifiedOn'])) . ' by ' . $row['LastModifiedBy'] . '. The ticket was last issued for testing at ' . date('j F Y \a\t H:i', $row['TicketIssueTime']) . '.';
- $main .= '
Repeat Ticket Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? ' End Ticket' : null) . '
';
+ $main .= ' Repeat Ticket Remove Ticket' . (!isset($_GET['disable']) && $row['State'] > 0 ? ' End Ticket' : null) . '
';
if(!empty($row['RunTargetSystems']))
{
diff --git a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
index 9edb5fa9c5..5cbc43ade5 100644
--- a/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
+++ b/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
@@ -37,6 +37,7 @@ public static function preload($PAGE)
}
public static function render_page_process($PATH)
{
+ phoromatic_quit_if_invalid_input_found(array('tp'));
$test_profile = new pts_test_profile($_GET['tp']);
$name = $test_profile->get_title();
$description = $test_profile->get_description();
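Review bot: phoromatic_quit_if_invalid_input_found(array('tp')) at L65 constrains the characters of `tp`, but the next line still hands `$_GET['tp']` straight to `new pts_test_profile(...)` without an explicit presence check or a lookup against the profiles the account is allowed to see; whether the helper also rejects an absent key is not visible here, and the same question applies to `ts` at L77-L78 in phoromatic_r_basic_suite_details.php. A short guard such as `if(!isset($_GET['tp'])) { return; }` ahead of the validation, plus a comment stating which character set the helper enforces, would make the contract explicit to the next reader. render_page_process continues outside the hunk.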
diff --git a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
index 6a8323ca97..5ae916aca9 100644
--- a/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
+++ b/pts-core/phoromatic/pages/phoromatic_r_basic_suite_details.php
@@ -36,6 +36,7 @@ public static function preload($PAGE)
}
public static function render_page_process($PATH)
{
+ phoromatic_quit_if_invalid_input_found(array('ts'));
$ts = $_GET['ts'];
$ts_file = phoromatic_server::find_suite_file($_SESSION['AccountID'], $ts);
$test_suite = new pts_test_suite($ts_file);
diff --git a/pts-core/phoromatic/pages/phoromatic_schedules.php b/pts-core/phoromatic/pages/phoromatic_schedules.php
index 9424a65577..333221d4b3 100644
--- a/pts-core/phoromatic/pages/phoromatic_schedules.php
+++ b/pts-core/phoromatic/pages/phoromatic_schedules.php
@@ -57,7 +57,7 @@ public static function render_page_process($PATH)
if(!PHOROMATIC_USER_IS_VIEWER)
{
- if(isset($_POST['add_to_schedule_select_test']))
+ if(isset($_POST['add_to_schedule_select_test']) && verify_submission_token())
{
phoromatic_quit_if_invalid_input_found(array('add_to_schedule_select_test'));
$name = $_POST['add_to_schedule_select_test'];
@@ -89,7 +89,7 @@ public static function render_page_process($PATH)
phoromatic_add_activity_stream_event('tests_for_schedule', $PATH[0], 'added');
}
}
- else if(isset($_POST['suite_add']))
+ else if(isset($_POST['suite_add']) && verify_submission_token())
{
$test_suite = phoromatic_server::find_suite_file($_SESSION['AccountID'], $_POST['suite_add']);
if(is_file($test_suite))
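Review bot: Unlike the sibling branch at L91, which calls phoromatic_quit_if_invalid_input_found on its own input, the new guard at L98 leaves `$_POST['suite_add']` at L100 unchecked before it reaches find_suite_file; unless find_suite_file validates its second argument internally (not visible here), the branch should open with `phoromatic_quit_if_invalid_input_found(array('suite_add'));` so the two branches apply the same rule. The `is_file` test on the next line only confirms that the resolved path exists and does not by itself constrain what the identifier may resolve to. render_page_process continues outside the hunk.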
@@ -154,7 +154,7 @@ public static function render_page_process($PATH)
$row['State'] = $new_state;
phoromatic_add_activity_stream_event('schedule', $PATH[0], $PATH[1]);
}
- else if(isset($_POST['do_manual_test_run']))
+ else if(isset($_POST['do_manual_test_run']) && verify_submission_token())
{
$stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_triggers (AccountID, ScheduleID, Trigger, TriggeredOn) VALUES (:account_id, :schedule_id, :trigger, :triggered_on)');
$stmt->bindValue(':account_id', $_SESSION['AccountID']);
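Review bot: The branch that ends at L105 (assigning `$row['State'] = $new_state` and recording a schedule activity) begins outside the hunk, so its condition is not visible; if it is also selected by a `$_POST` flag it needs the same `&& verify_submission_token()` the commit adds to its neighbours at L107 and L117, otherwise that state change stays reachable without a token. A comment on the new guard noting that every `$_POST`-driven branch in this chain must carry the token check would help keep future additions consistent. render_page_process continues outside the hunk.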
@@ -164,7 +164,7 @@ public static function render_page_process($PATH)
$stmt->execute();
$main .= 'Manual Test Run Triggered
';
}
- else if(isset($_POST['skip_current_ticket']))
+ else if(isset($_POST['skip_current_ticket']) && verify_submission_token())
{
$stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_trigger_skips (AccountID, ScheduleID, Trigger) VALUES (:account_id, :schedule_id, :trigger)');
$stmt->bindValue(':account_id', $_SESSION['AccountID']);
@@ -251,10 +251,10 @@ public static function render_page_process($PATH)
$main .= 'This test schedule can be manually triggered to run at any time by calling ' . $trigger_url . ' where XXX is the trigger value to be used (if relevant, such as a time-stamp, Git/SVN commit number or hash, etc). There\'s also the option of sub-targeting system(s) part of this schedule. One option is appending &sub_target_this_ip if this URL is being called from one of the client test systems to only sub-target the triggered testing on that client, among other options.
';
$main .= 'If you wish to run this test schedule now, click the following button and the schedule will be run on all intended systems at their next earliest possible convenience.
';
$main .= '
';
$main .= '';
}
@@ -329,7 +329,7 @@ public static function render_page_process($PATH)
{
$main .= '
Add A Test
';
$main .= '