Commit 566f2b4b authored by Ad Schellevis

(ids) sanitize query strings

parent 0a5f2f2b
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
namespace OPNsense\IDS\Api; namespace OPNsense\IDS\Api;
use \Phalcon\Filter; use \Phalcon\Filter;
use \OPNsense\Base\Filters\QueryFilter;
use \OPNsense\Base\ApiControllerBase; use \OPNsense\Base\ApiControllerBase;
use \OPNsense\Core\Backend; use \OPNsense\Core\Backend;
use \OPNsense\IDS\IDS; use \OPNsense\IDS\IDS;
...@@ -162,13 +163,17 @@ class ServiceController extends ApiControllerBase ...@@ -162,13 +163,17 @@ class ServiceController extends ApiControllerBase
{ {
if ($this->request->isPost()) { if ($this->request->isPost()) {
$this->sessionClose(); $this->sessionClose();
// create filter to sanitize input data
$filter = new Filter();
$filter->add('query', new QueryFilter());
// fetch query parameters // fetch query parameters
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999); $itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
$currentPage = $this->request->getPost('current', 'int', 1); $currentPage = $this->request->getPost('current', 'int', 1);
if ($this->request->getPost('searchPhrase', 'string', '') != "") { if ($this->request->getPost('searchPhrase', 'string', '') != "") {
$searchPhrase = 'alert,src_ip/"*'.$this->request->getPost('searchPhrase', 'string', '').'*"'; $filterTag = $filter->sanitize($this->request->getPost('searchPhrase'), "query");
$searchPhrase = 'alert,src_ip/"*'.$filterTag .'*"';
} else { } else {
$searchPhrase = ''; $searchPhrase = '';
} }
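Review bot: The sanitized value on the `$filterTag` line is still embedded inside a double-quoted query term (`'alert,src_ip/"*' . $filterTag . '*"'`), so the protection this commit adds rests entirely on QueryFilter stripping the `"`, `/` and `,` characters that delimit the query syntax; QueryFilter's allowed-character set is not part of this commit, so that property should be confirmed and recorded here, e.g. `// QueryFilter must strip the query delimiters (" / ,) since the phrase is embedded in a quoted term below`. The new `getPost('searchPhrase')` call also drops the `'string'` filter and `''` default that the condition one line above still passes, so the two reads of the same parameter now go through different request-level filtering; passing the same arguments in both keeps them aligned. The enclosing method starts and ends outside this hunk.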
...@@ -28,7 +28,9 @@ ...@@ -28,7 +28,9 @@
*/ */
namespace OPNsense\IDS\Api; namespace OPNsense\IDS\Api;
use \Phalcon\Filter;
use \OPNsense\Base\ApiControllerBase; use \OPNsense\Base\ApiControllerBase;
use \OPNsense\Base\Filters\QueryFilter;
use \OPNsense\Core\Backend; use \OPNsense\Core\Backend;
use \OPNsense\IDS\IDS; use \OPNsense\IDS\IDS;
use \OPNsense\Core\Config; use \OPNsense\Core\Config;
...@@ -62,6 +64,10 @@ class SettingsController extends ApiControllerBase ...@@ -62,6 +64,10 @@ class SettingsController extends ApiControllerBase
{ {
if ($this->request->isPost()) { if ($this->request->isPost()) {
$this->sessionClose(); $this->sessionClose();
// create filter to sanitize input data
$filter = new Filter();
$filter->add('query', new QueryFilter());
// fetch query parameters // fetch query parameters
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999); $itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
...@@ -80,20 +86,22 @@ class SettingsController extends ApiControllerBase ...@@ -80,20 +86,22 @@ class SettingsController extends ApiControllerBase
if ($sortStr != '') { if ($sortStr != '') {
$sortStr .= ','; $sortStr .= ',';
} }
$sortStr .= $sortKey . ' '. $sortOrd . ' '; $sortStr .= $filter->sanitize($sortKey, "query") . ' '. $sortOrd . ' ';
} }
} else { } else {
$sortStr = 'sid'; $sortStr = 'sid';
} }
if ($this->request->getPost('searchPhrase', 'string', '') != "") { if ($this->request->getPost('searchPhrase', 'string', '') != "") {
$searchPhrase = 'msg,classtype,source,sid/"%'.$this->request->getPost('searchPhrase', 'string', '').'"'; $searchTag = $filter->sanitize($this->request->getPost('searchPhrase'), "query");
$searchPhrase = 'msg,classtype,source,sid/"*'.$searchTag.'"';
} else { } else {
$searchPhrase = ''; $searchPhrase = '';
} }
// add filter for classtype // add filter for classtype
if ($this->request->getPost("classtype", "string", '') != "") { if ($this->request->getPost("classtype", "string", '') != "") {
$searchPhrase .= "classtype/".$this->request->getPost("classtype", "string", '').' '; $searchTag = $filter->sanitize($this->request->getPost('classtype'), "query");
$searchPhrase .= "classtype/".$searchTag.' ';
} }
// request list of installed rules // request list of installed rules
...@@ -114,6 +122,7 @@ class SettingsController extends ApiControllerBase ...@@ -114,6 +122,7 @@ class SettingsController extends ApiControllerBase
$result['rowCount'] = count($result['rows']); $result['rowCount'] = count($result['rows']);
$result['total'] = $data['total_rows']; $result['total'] = $data['total_rows'];
$result['parameters'] = $data['parameters'];
$result['current'] = (int)$currentPage; $result['current'] = (int)$currentPage;
return $result; return $result;
} else { } else {
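Review bot: On the line `$sortStr .= $filter->sanitize($sortKey, "query") . ' '. $sortOrd . ' ';` only the sort key is sanitized while `$sortOrd` is concatenated unchanged; its origin is outside the hunk, but if it is taken from the posted sort array as `$sortKey` appears to be, it needs the same treatment or, better, an allowlist check such as `$sortOrd = in_array(strtolower($sortOrd), ['asc', 'desc'], true) ? $sortOrd : 'asc';`. The searchPhrase hunk additionally changes the wildcard prefix of the constructed term from `"%` to `"*`, which is a query-semantics change not described by the commit message and worth a one-line comment explaining the intended backend syntax. The enclosing methods start and end outside these hunks.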