

Fix CSRF validation for sorting in property tables (#2893)
lippserd authored Nov 7, 2024
2 parents 0307409 + 7fd1468 commit 853efc8
Showing 3 changed files with 68 additions and 3 deletions.
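--- /dev/null
+++ b/library/Director/Web/Form/PropertyTableSortForm.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Icinga\Module\Director\Web\Form;
+
+use Icinga\Web\Session;
+use ipl\Html\Form;
+use ipl\Html\ValidHtml;
+use ipl\Web\Common\CsrfCounterMeasure;
+
+class PropertyTableSortForm extends Form
+{
+    use CsrfCounterMeasure;
+
+    protected $method = 'POST';
+
+    /** @var string Name of the form */
+    private $name;
+
+    /** @var ValidHtml Property table to sort */
+    private $table;
+
+    public function __construct(string $name, ValidHtml $table)
+    {
+        $this->name = $name;
+        $this->table = $table;
+    }
+
+    protected function assemble()
+    {
+        $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
+        $this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
+        $this->addHtml($this->table);
+    }
+}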
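Review bot: The hidden `__FORM_NAME` element added in assemble() is never compared against the submitted value anywhere in this commit, so it labels the form in the markup but does not restrict which POST the form reacts to. As far as I can tell ipl's default `hasBeenSent()` only checks the request method for a POST form, so if a page ever renders two of these forms (or any other POST form) each would treat the other's submission as its own and run its ON_SENT handler against the same session-bound token; unless the base Form already enforces the name, I would override `hasBeenSent()` as below. The class also deserves a docblock such as `/** POST form wrapping a sortable property table; sort actions are only applied when the CSRF token validates. */`. Separately, the constructor does not call `parent::__construct()`, which is only safe if ipl's Form defines no constructor of its own — I cannot verify that from here.
```php
class PropertyTableSortForm extends Form
{
    // … unchanged: trait, properties, constructor, assemble() …

    /**
     * Treat the request as sent only when it carries this form's name,
     * so a POST aimed at another form on the same page is ignored here.
     */
    public function hasBeenSent()
    {
        if (! parent::hasBeenSent()) {
            return false;
        }

        $body = $this->getRequest()->getParsedBody();

        return is_array($body) && ($body['__FORM_NAME'] ?? null) === $this->name;
    }
}
```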
18 changes: 16 additions & 2 deletions library/Director/Web/Table/PropertymodifierTable.php
Expand Up @@ -4,12 +4,16 @@

use Error;
use Exception;
use GuzzleHttp\Psr7\ServerRequest;
use Icinga\Module\Director\Hook\ImportSourceHook;
use Icinga\Module\Director\Objects\ImportSource;
use gipfl\IcingaWeb2\Link;
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
use gipfl\IcingaWeb2\Url;
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
use ipl\Html\Form;
use ipl\Html\HtmlString;

class PropertymodifierTable extends ZfQueryBasedTable
{
Expand Down Expand Up @@ -48,10 +52,20 @@ public function setReadOnly($readOnly = true)

public function render()
{
if ($this->readOnly) {
if ($this->readOnly || $this->request === null) {
return parent::render();
}
return $this->renderWithSortableForm();

return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
->setAction($this->request->getUrl()->getAbsoluteUrl())
->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
$csrf = $form->getElement('CSRFToken');
if ($csrf !== null && $csrf->isValid()) {
$this->reallyHandleSortPriorityActions();
}
})
->handleRequest(ServerRequest::fromGlobals())
->render();
}

protected function assemble()
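Review bot: `parent::render()` is evaluated as a constructor argument before `handleRequest()` runs, so the table HTML is produced from the pre-action state and only afterwards does the ON_SENT handler call `reallyHandleSortPriorityActions()`; unless that method redirects (its body is outside this diff), a successful sort POST answers with the stale ordering. The removed `renderWithSortableForm()` is not shown so I cannot confirm its order, but the safe shape is to apply the action before rendering, e.g. by wrapping the table in ipl's deferred renderer (`new DeferredText(function () { return parent::render(); })`) or by separating form construction from rendering. A smaller point: when the token is missing or invalid the handler silently does nothing, so a user whose session rotated sees the table unchanged with no message; surfacing `$csrf->getMessages()` on the form or logging at debug level would make that diagnosable. The enclosing render() body lies fully inside the hunk.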
19 changes: 18 additions & 1 deletion library/Director/Web/Table/SyncpropertyTable.php
Expand Up @@ -2,10 +2,14 @@

namespace Icinga\Module\Director\Web\Table;

use GuzzleHttp\Psr7\ServerRequest;
use Icinga\Module\Director\Objects\SyncRule;
use gipfl\IcingaWeb2\Link;
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
use ipl\Html\Form;
use ipl\Html\HtmlString;

class SyncpropertyTable extends ZfQueryBasedTable
{
Expand Down Expand Up @@ -33,7 +37,20 @@ public static function create(SyncRule $rule)

public function render()
{
return $this->renderWithSortableForm();
if ($this->request === null) {
return parent::render();
}

return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
->setAction($this->request->getUrl()->getAbsoluteUrl())
->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
$csrf = $form->getElement('CSRFToken');
if ($csrf !== null && $csrf->isValid()) {
$this->reallyHandleSortPriorityActions();
}
})
->handleRequest(ServerRequest::fromGlobals())
->render();
}

public function renderRow($row)
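Review bot: The body of render() here is byte-for-byte identical to PropertymodifierTable::render() in the same commit, which is a maintenance risk for security-relevant code: a future fix to the token check has to be remembered in two places. I would move the form construction, the ON_SENT handler and the `handleRequest()` call into the shared ZfSortablePriority trait (which already supplied the `renderWithSortableForm()` this replaces) as one protected helper, e.g. `renderWithCsrfProtectedSortForm()`, and have both tables call it. While doing that, the `$csrf !== null && $csrf->isValid()` branch should carry a comment such as `// Missing or invalid token: drop the sort action (fail closed) rather than apply it`, since that silent outcome is not obvious from the code.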
