

Fix CSRF validation for sorting in property tables
raviks789 committed Jul 30, 2024
1 parent 428a49f commit ae2b0c8
Showing 3 changed files with 63 additions and 3 deletions.
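--- /dev/null
+++ b/library/Director/Web/Form/PropertyTableSortForm.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Icinga\Module\Director\Web\Form;
+
+use ipl\Html\Form;
+use ipl\Html\ValidHtml;
+
+class PropertyTableSortForm extends Form
+{
+/** @var string Name of the form */
+private $name;
+
+/** @var ValidHtml Property table to sort */
+private $table;
+
+public function __construct(string $name, ValidHtml $table)
+{
+$this->name = $name;
+$this->table = $table;
+}
+
+protected function assemble()
+{
+$this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
+$this->addElement('hidden', '__FORM_CSRF', ['value' => CsrfToken::generate()]);
+$this->addHtml($this->table);
+}
+}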
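Review bot: The hidden field names in assemble() are string literals (`'__FORM_NAME'`, `'__FORM_CSRF'`), while the two tables that consume this form read the token via `$this->request->get(QuickForm::CSRF)`; if the constant and the literal ever diverge, every sort POST fails closed with a hard `die()`. Use the same constant on both sides, e.g. `$this->addElement('hidden', QuickForm::CSRF, ['value' => CsrfToken::generate()]);` (and the matching name constant for `__FORM_NAME`, if QuickForm defines one — not visible here). The class also lacks a docblock; I would add `/** Wraps a sortable property table in a POST form that carries the Director form name and CSRF token. */` above the class so the reason for the two hidden fields is recorded.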
18 changes: 16 additions & 2 deletions library/Director/Web/Table/PropertymodifierTable.php
Expand Up @@ -10,6 +10,10 @@
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
use gipfl\IcingaWeb2\Url;
use Icinga\Module\Director\Web\Form\CsrfToken;
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
use Icinga\Module\Director\Web\Form\QuickForm;
use ipl\Html\HtmlString;

class PropertymodifierTable extends ZfQueryBasedTable
{
Expand Down Expand Up @@ -48,10 +52,20 @@ public function setReadOnly($readOnly = true)

public function render()
{
if ($this->readOnly) {
if ($this->readOnly || $this->request === null) {
return parent::render();
} elseif ($this->request->isPost() && $this->hasBeenSent($this->request)) {
if (! CsrfToken::isValid((string) $this->request->get(QuickForm::CSRF))) {
die('Invalid CSRF token provided');
}

$this->reallyHandleSortPriorityActions();
}
return $this->renderWithSortableForm();

$form = (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
->setAction($this->request->getUrl()->getAbsoluteUrl());

return $form->render();
}

protected function assemble()
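Review bot: `die('Invalid CSRF token provided')` inside render() aborts the process mid-response with a raw, unstyled string, bypassing the framework's exception handling, logging and HTTP status selection, so the client gets a 200 with a fragment of text instead of a 403. Throw instead and let the controller map it: `throw new \RuntimeException('Invalid CSRF token provided');` (or whichever exception type the module already uses for rejected forms, if one exists). Rejecting a missing token the same way as a wrong one — `get()` returns null, which the `(string)` cast turns into `''` — is the right fail-closed behaviour and should be kept. render() is fully within the hunk; the `assemble()` on the last line is only its signature.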
20 changes: 19 additions & 1 deletion library/Director/Web/Table/SyncpropertyTable.php
Expand Up @@ -6,6 +6,11 @@
use gipfl\IcingaWeb2\Link;
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
use Icinga\Module\Director\Web\Form\CsrfToken;
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
use Icinga\Module\Director\Web\Form\QuickForm;
use ipl\Html\Form;
use ipl\Html\HtmlString;

class SyncpropertyTable extends ZfQueryBasedTable
{
Expand Down Expand Up @@ -33,7 +38,20 @@ public static function create(SyncRule $rule)

public function render()
{
return $this->renderWithSortableForm();
if ($this->request === null) {
return parent::render();
} elseif ($this->request->isPost() && $this->hasBeenSent($this->request)) {
if (! CsrfToken::isValid((string) $this->request->get(QuickForm::CSRF))) {
die('Invalid CSRF token provided');
}

$this->reallyHandleSortPriorityActions();
}

$form = (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
->setAction($this->request->getUrl()->getAbsoluteUrl());

return $form->render();
}

public function renderRow($row)
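Review bot: `use ipl\Html\Form;` added in the first hunk is not referenced by any line in view — render() instantiates only `PropertyTableSortForm` and `HtmlString` — so unless the rest of the file uses `Form`, the import is dead and should be dropped. The CSRF check plus `reallyHandleSortPriorityActions()` sequence in render() is now duplicated verbatim with `PropertymodifierTable::render()`; a single guard in the shared sortable-priority helper both tables appear to draw `hasBeenSent()` and `reallyHandleSortPriorityActions()` from (presumably `ZfSortablePriority`, given the imports) would keep the two copies from drifting. As in the sibling table, `die()` should become a thrown exception so the framework can emit a proper error response. render() is complete within the hunk; `renderRow()` on the last line is only its signature.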
