Fix/snyk report #18077
Draft pull request: wants to merge 4 commits into base: main
6 changes: 6 additions & 0 deletions front/commonitilobject_commonitilobject.form.php
@@ -45,6 +45,12 @@
if (isset($_POST['purge'], $_POST['id'])) {
[$link_class_1, $link_class_2, $link_id] = explode('_', $_POST['id'], 3);
$link_class = $link_class_1 . '_' . $link_class_2;

// limit to GLPI Classes
if (!class_exists($link_class) && !is_subclass_of($_POST["itemtype"], "CommonDBTM")) {
return;
}
Member comment on lines +49 to +52:
We should always use getItemForItemtype() to instantiate classes from a dynamic classname.


$itil_itil = new $link_class();
$_POST['id'] = $link_id;
$itil_itil->check($_POST['id'], PURGE);
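Review bot: the guard at lines +49 to +52 does not restrict instantiation to GLPI classes, because the two conditions are joined with `&&` and the second one tests `$_POST["itemtype"]` rather than `$link_class`. A class that exists but is not a CommonDBTM subclass still reaches `$itil_itil = new $link_class();`, and so does any `$link_class` whenever `$_POST["itemtype"]` happens to name a CommonDBTM subclass; `$_POST["itemtype"]` is not used anywhere else in this block and may simply be absent. Check the class that is actually instantiated, e.g. `if (!is_a($link_class, CommonDBTM::class, true)) { return; }`, or resolve it through the project's getItemForItemtype() as suggested in the inline comment, and consider responding with an error instead of a bare `return;` so a rejected request is visible to the caller.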
2 changes: 2 additions & 0 deletions src/CommonGLPI.php
@@ -717,6 +717,8 @@ private static function getTabIconClass(?string $form_itemtype = null): string
**/
public static function createTabEntry($text, $nb = 0, ?string $form_itemtype = null, string $icon = '')
{
$text = htmlspecialchars($text);
Member comment:
I created a PR for this one as it requires some calls to be adapted. See #18121.


if (empty($icon)) {
$icon = static::getTabIconClass($form_itemtype);
}
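Review bot: escaping `$text` inside createTabEntry() at line +720 changes the contract for every caller: a caller that already escapes, or that deliberately passes markup, now gets double-encoded entities in the tab label. Audit the call sites before merging; the Conf.php change in this same PR depends on this line by passing `__('Update agents who have not contacted the server for (in days)')` unescaped while every other string there moves to `__s()`. Since `$nb` and `$icon` are rendered into the same entry, check whether they need the same treatment, and pass an explicit flag set (e.g. `htmlspecialchars($text, ENT_QUOTES)`) if the label can end up inside an attribute rather than only in text content.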
12 changes: 6 additions & 6 deletions src/Glpi/Inventory/Conf.php
@@ -359,7 +359,7 @@ public function showConfigForm()

echo "<th>";
echo "<label for='enabled_inventory'>";
echo __('Enable inventory');
echo __s('Enable inventory');
echo "</label>";
echo "</th>";
echo "<td colspan='3'>";
@@ -376,7 +376,7 @@ public function showConfigForm()
echo "<div class='alert alert-info d-flex align-items-center m-0' role='alert'>";
echo "<span class='ms-2'>";
echo "<i class='fas fa-info-circle'> </i> &nbsp;";
echo __("The inventory is disabled, remember to activate it if necessary");
echo __s("The inventory is disabled, remember to activate it if necessary");
echo "</span>";
echo "</div>";
} else {
@@ -400,7 +400,7 @@ public function showConfigForm()

echo "<tr>";
echo "<th colspan='4'>";
echo __('Import options');
echo __s('Import options');
echo "</th>";
echo "</tr>";

@@ -609,7 +609,7 @@ public function showConfigForm()

echo "<tr class='tab_bg_1'>";
echo "<th colspan='4'>";
echo __('Related configurations');
echo __s('Related configurations');
echo "</th>";
echo "</tr>";
echo "<tr class='tab_bg_1'>";
@@ -705,7 +705,7 @@ public function showConfigForm()

echo "<tr class='tab_bg_1'>";
echo "<td colspan='4' style='text-align:right;'>";
echo "<span class='red'>" . __('Will attempt to create components from VM information sent from host, do not use if you plan to inventory any VM directly!') . "</span>";
echo "<span class='red'>" . __s('Will attempt to create components from VM information sent from host, do not use if you plan to inventory any VM directly!') . "</span>";
echo "</td>";
echo "</tr>";

@@ -917,7 +917,7 @@ public function showConfigForm()
echo "</tr>";

echo "<tr class='tab_bg_1'>";
echo "<th colspan=4 >" . __('Agent cleanup') . "</th></tr>";
echo "<th colspan=4 >" . __s('Agent cleanup') . "</th></tr>";
echo "<tr class='tab_bg_1'><td>";
echo \Agent::createTabEntry(__('Update agents who have not contacted the server for (in days)'), 0, \Agent::getType());
echo "</td><td width='20%'>";
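Review bot: line +920 switches the header to `__s()`, but the unchanged line right after it still passes `__('Update agents who have not contacted the server for (in days)')` to `\Agent::createTabEntry()`. That is only safe because this PR also makes createTabEntry() escape its `$text` argument in src/CommonGLPI.php, a change the maintainers intend to rework separately; if that part lands differently or is reverted, this string is emitted unescaped. Either switch this call to `__s()` as well and keep createTabEntry() free of escaping, or leave it and state the dependency between the two files in the commit message so they are not merged apart.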
8 changes: 5 additions & 3 deletions src/Session.php
@@ -168,13 +168,15 @@ public static function init(Auth $auth)

$auth->user->computePreferences();
foreach ($CFG_GLPI['user_pref_field'] as $field) {
if ($field == 'language' && isset($_POST['language']) && $_POST['language'] != '') {
$_SESSION["glpi$field"] = $_POST[$field];
} else if (isset($auth->user->fields[$field])) {
if (isset($auth->user->fields[$field])) {
$_SESSION["glpi$field"] = $auth->user->fields[$field];
}
}

if (isset($_POST['language']) && $_POST['language'] != '' && isset($CFG_GLPI['languages'][$_POST['language']])) {
$_SESSION["glpilanguage"] = $_POST['language'];
}
Member comment on lines +176 to +178:
I guess the purpose of this is to be able to display a confirmation message in the target language when the user uses the language switch feature. This can probably be done in User::prepareInputForUpdate() when the target user is the current user.

It would prevent side effects, for instance when the language present in the $_POST variable is related to something other than the current user.


if (isset($_SESSION['glpidefault_central_tab']) && $_SESSION['glpidefault_central_tab']) {
Session::setActiveTab("central", "Central$" . $_SESSION['glpidefault_central_tab']);
}
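Review bot: the new check at lines +176 to +178 validates the requested language against `$CFG_GLPI['languages']`, which closes the old path where any `$_POST['language']` value was copied into the session, but it still assumes `$_POST['language']` is a string. For a request carrying `language[]=...`, `$_POST['language'] != ''` is true and `isset($CFG_GLPI['languages'][$_POST['language']])` uses an array as an offset, which raises a TypeError on PHP 8. Add `is_string($_POST['language'])` to the condition (and prefer `!== ''`). Separately, dropping the `$_POST[$field]` branch from the loop means `language` is now the only preference that can be overridden from the request; that is worth stating in the commit message, since it is the behavioural change reviewers need to verify.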
61 changes: 0 additions & 61 deletions tools/demo_data.sql
Member comment:
We can even drop the GLPI_DEMO_MODE constant and its different usages. See #18122.

This file was deleted.