From 034ed3e21bad3050373300ab35083c86eda8d690 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Thu, 23 Feb 2023 09:24:56 -0500
Subject: [PATCH] Sanitise attr input in FilterTerm to prefent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
---
web/includes/FilterTerm.php | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/web/includes/FilterTerm.php b/web/includes/FilterTerm.php
index 8cf4bba40a..6149b5d857 100644
--- a/web/includes/FilterTerm.php
+++ b/web/includes/FilterTerm.php
@@ -1,5 +1,4 @@ filter = $filter; $validConjunctionTypes = getFilterQueryConjunctionTypes(); $this->index = $index; $this->attr = $term['attr'];
+ $this->attr = preg_replace('/[^A-Za-z0-9\.]/', '', $term['attr'], -1, $count);
+ if ($count) Error("Invalid characters removed from filter attr ${term['attr']}, possible hacking attempt."); $this->op = $term['op']; $this->val = $term['val']; if ( isset($term['cnj']) ) {
@@ -67,7 +66,7 @@ public function __construct($filter = null, $term = NULL, $index=0) { public function sql_values() { $values = array(); if ( !isset($this->val) ) {
- Logger::Warning('No value in term'.$this->attr);
+ Warning('No value in term '.$this->attr); return $values; }
@@ -75,7 +74,6 @@ public function sql_values() { foreach ( $vals as $value ) { $value_upper = strtoupper($value); switch ( $this->attr ) {
- case 'AlarmedZoneId': $value = '(SELECT * FROM Stats WHERE EventId=E.Id AND ZoneId='.$value.' AND Score > 0)'; break;
@@ -86,7 +84,6 @@ public function sql_values() { $value = ''; break; case 'MonitorName':
- case 'MonitorName': case 'Name': case 'Cause': case 'Notes':
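Review bot: Stripping characters with the new `preg_replace` in the constructor lets a malformed attr continue as a different, still-unknown identifier after the `Error(...)` call instead of being rejected; since the same constructor already validates `cnj` against `getFilterQueryConjunctionTypes()`, the safer shape is an allowlist of attribute names, e.g. `if (!in_array($this->attr, $validAttrs, true)) { Error("Unknown filter attr {$term['attr']}, possible hacking attempt."); $this->attr = ''; }` (no such list is visible here, so this assumes one exists or can be added). Two smaller points on the added lines: the `${term['attr']}` interpolation form is deprecated since PHP 8.2 and should be `{$term['attr']}`, and `preg_replace` returns null on a PCRE error, which would leave attr null rather than a sanitised string. The sanitising also covers attr only: `$this->val = $term['val']` on the next context line is stored unchanged, and the AlarmedZoneId branch in the later hunk concatenates `ZoneId='.$value.'` into a subquery — presumably quoted or cast elsewhere before the query runs, but worth confirming given the advisory this commit closes. The opening lines of the first hunk appear to have been lost in the page extraction (text resumes at `filter = $filter;`), and the constructor continues past the hunk.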