Harden update restrictions
Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
jotoeri committed Feb 11, 2021
1 parent a75262e commit a9b1d7e
Showing 1 changed file with 40 additions and 2 deletions.
42 changes: 40 additions & 2 deletions lib/Controller/ApiController.php
Expand Up @@ -252,7 +252,20 @@ public function updateForm(int $id, array $keyValuePairs): DataResponse {
throw new OCSForbiddenException();
}

// Make sure we only store id
// Don't allow empty array
if (sizeof($keyValuePairs) === 0) {
$this->logger->info('Empty keyValuePairs, will not update.');
throw new OCSForbiddenException();
}

// Don't allow to change params id, hash, ownerId, created
if (key_exists('id', $keyValuePairs) || key_exists('hash', $keyValuePairs) ||
key_exists('ownerId', $keyValuePairs) || key_exists('created', $keyValuePairs)) {
$this->logger->info('Not allowed to update id, hash, ownerId or created');
throw new OCSForbiddenException();
}

// Make sure we only store id of shares
try {
if (array_key_exists('access', $keyValuePairs)) {
$keyValuePairs['access']['users'] = array_map(function (array $user): string {
Expand Down Expand Up @@ -496,7 +509,20 @@ public function updateQuestion(int $id, array $keyValuePairs): DataResponse {
throw new OCSForbiddenException();
}

if (array_key_exists('order', $keyValuePairs)) {
// Don't allow empty array
if (sizeof($keyValuePairs) === 0) {
$this->logger->info('Empty keyValuePairs, will not update.');
throw new OCSForbiddenException();
}

//Don't allow to change id or formId
if (key_exists('id', $keyValuePairs) || key_exists('formId', $keyValuePairs)) {
$this->logger->debug('Not allowed to update id or formId');
throw new OCSForbiddenException();
}

// Don't allow to reorder here
if (key_exists('order', $keyValuePairs)) {
$this->logger->debug('Key \'order\' is not allowed on updateQuestion. Please use reorderQuestions() to change order.');
throw new OCSForbiddenException('Please use reorderQuestions() to change order');
}
Expand Down Expand Up @@ -632,6 +658,18 @@ public function updateOption(int $id, array $keyValuePairs): DataResponse {
throw new OCSForbiddenException();
}

// Don't allow empty array
if (sizeof($keyValuePairs) === 0) {
$this->logger->info('Empty keyValuePairs, will not update.');
throw new OCSForbiddenException();
}

//Don't allow to change id or questionId
if (key_exists('id', $keyValuePairs) || key_exists('questionId', $keyValuePairs)) {
$this->logger->debug('Not allowed to update id or questionId');
throw new OCSForbiddenException();
}

// Create OptionEntity with given Params & Id.
$option = Option::fromParams($keyValuePairs);
$option->setId($id);
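Review bot: The new key restrictions in updateForm (and likewise in updateQuestion and updateOption) are a denylist, so any attribute added to the entity later becomes writable through these endpoints unless someone remembers to extend the list; an allowlist of the keys a client may set, rejecting the request when `array_diff_key($keyValuePairs, array_flip($allowedKeys)) !== []`, fails closed instead. The added lines also mix `key_exists` and `sizeof` with the `array_key_exists` the surrounding code already uses, so `array_key_exists` and `count` would keep the file consistent. The same rejection is logged at `info` in updateForm but at `debug` in the other two methods; one level makes these events easier to monitor. The bodies of all three methods continue outside the hunks.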
