Sanitize user input on all API routes (references #996)
@@ -115,4 +115,22 @@ class BaseApiController extends BaseController
|
||||
|
||||
return $this->OpenApiSpec;
|
||||
}
|
||||
|
||||
private static $htmlPurifierInstance = null;
|
||||
|
||||
protected function GetParsedAndFilteredRequestBody($request)
|
||||
{
|
||||
if (self::$htmlPurifierInstance == null)
|
||||
{
|
||||
self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
foreach ($requestBody as $key => &$value)
|
||||
{
|
||||
$value = self::$htmlPurifierInstance->purify($value);
|
||||
}
|
||||
|
||||
return $requestBody;
|
||||
}
|
||||
}
|
||||
|
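Review bot: GetParsedAndFilteredRequestBody assumes getParsedBody() returns a flat array of strings, but PSR-7 allows null (RecipesApiController's own `$requestBody !== null` check in this commit shows callers expect it) and JSON bodies carry ints, floats, bools and nested arrays such as `excludedProductIds`; the `foreach` warns on null, `purify()` stringifies scalars (`true` becomes `"1"`, `false` becomes `""`), and an array value is not a string, so purify() either degrades it or fails — either way the excluded ids are lost. Restrict purification to string leaves via `array_walk_recursive`, pass non-array bodies through unchanged, and compare the singleton with `===`; that also removes the `&$value` reference left dangling after the loop. HTMLPurifier additionally rewrites plain text (an `&` in a product name is stored as `&amp;`), so output-context escaping in the views is still required and fields that are never rendered may be better left raw. The enclosing class continues outside the hunk.
```php
protected function GetParsedAndFilteredRequestBody($request)
{
	if (self::$htmlPurifierInstance === null)
	{
		self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
	}

	$requestBody = $request->getParsedBody();
	// null (no body) or a non-array body is returned as-is; callers already test for null
	if (!is_array($requestBody))
	{
		return $requestBody;
	}

	// Only strings can carry markup; ints/floats/bools/null keep their JSON types,
	// and nested arrays are walked instead of being handed to purify() whole
	array_walk_recursive($requestBody, function (&$value)
	{
		if (is_string($value))
		{
			$value = self::$htmlPurifierInstance->purify($value);
		}
	});

	return $requestBody;
}
```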
@@ -27,7 +27,7 @@ class BatteriesApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_BATTERIES_TRACK_CHARGE_CYCLE);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
@@ -10,7 +10,7 @@ class ChoresApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$choreId = null;
|
||||
|
||||
@@ -60,7 +60,7 @@ class ChoresApiController extends BaseApiController
|
||||
|
||||
public function TrackChoreExecution(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
@@ -18,7 +18,7 @@ class GenericEntityApiController extends BaseApiController
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -78,7 +78,8 @@ class GenericEntityApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
}
|
||||
$requestBody = $request->getParsedBody();
|
||||
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -202,7 +203,7 @@ class GenericEntityApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
@@ -24,7 +24,7 @@ class LoginController extends BaseController
|
||||
|
||||
public function ProcessLogin(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
$postParams = $request->getParsedBody();
|
||||
$postParams = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
if (isset($postParams['username']) && isset($postParams['password']))
|
||||
{
|
||||
|
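Review bot: ProcessLogin in LoginController now calls `$this->GetParsedAndFilteredRequestBody($request)`, but this diff adds that method only to BaseApiController, and LoginController extends BaseController; unless BaseController gains the same method outside this diff, login fails with an undefined-method error. Independently, passing the password through HTMLPurifier before verification rewrites or strips characters such as `&`, `<` and `>`, so a user whose password contains them and was hashed before this commit can no longer sign in; the same transformation applies in UsersApiController's CreateUser and EditUser hunks when the body carries a password field. Credentials are compared against a hash and never rendered, so keep `$postParams = $request->getParsedBody();` for the password (or exclude that key from purification) and purify only the fields that are stored and later displayed. The rest of ProcessLogin is outside the hunk.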
@@ -10,7 +10,7 @@ class RecipesApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
$excludedProductIds = null;
|
||||
|
||||
if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
|
||||
|
@@ -13,7 +13,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@@ -37,7 +37,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@@ -59,7 +59,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_PURCHASE);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -143,7 +143,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
$amount = 1;
|
||||
@@ -190,7 +190,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
|
||||
@@ -212,7 +212,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_CONSUME);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$result = null;
|
||||
|
||||
@@ -323,7 +323,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -399,7 +399,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_INVENTORY);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -467,7 +467,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_OPEN);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -582,7 +582,7 @@ class StockApiController extends BaseApiController
|
||||
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$listId = 1;
|
||||
$amount = 1;
|
||||
@@ -664,7 +664,7 @@ class StockApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
@@ -49,7 +49,7 @@ class SystemApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$this->getLocalizationService()->CheckAndAddMissingTranslationToPot($requestBody['text']);
|
||||
return $this->EmptyApiResponse($response);
|
||||
|
@@ -15,7 +15,7 @@ class TasksApiController extends BaseApiController
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
|
@@ -11,7 +11,7 @@ class UsersApiController extends BaseApiController
|
||||
try
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$this->getDatabase()->user_permissions()->createRow([
|
||||
'user_id' => $args['userId'],
|
||||
@@ -32,7 +32,7 @@ class UsersApiController extends BaseApiController
|
||||
public function CreateUser(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_USERS_CREATE);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -75,7 +75,7 @@ class UsersApiController extends BaseApiController
|
||||
User::checkPermission($request, User::PERMISSION_USERS_EDIT);
|
||||
}
|
||||
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -152,7 +152,7 @@ class UsersApiController extends BaseApiController
|
||||
try
|
||||
{
|
||||
User::checkPermission($request, User::PERMISSION_ADMIN);
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
$db = $this->getDatabase();
|
||||
$db->user_permissions()
|
||||
->where('user_id', $args['userId'])
|
||||
@@ -186,7 +186,7 @@ class UsersApiController extends BaseApiController
|
||||
{
|
||||
try
|
||||
{
|
||||
$requestBody = $request->getParsedBody();
|
||||
$requestBody = $this->GetParsedAndFilteredRequestBody($request);
|
||||
|
||||
$value = $this->getUsersService()->SetUserSetting(GROCY_USER_ID, $args['settingKey'], $requestBody['value']);
|
||||
return $this->EmptyApiResponse($response);
|
||||
|