forked from wallabag/wallabag
AnnotationController: fix improper authorization vulnerability
This PR is based on 2.5.x branch. We fix the improper authorization by retrieving the annotation using id and user id. We also replace the ParamConverter used to get the requested Annotation on put and delete actions with an explicit call to AnnotationRepository in order to prevent a resource enumeration through response discrepancy. Fixes GHSA-mrqx-mjc4-vfh3 Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com> Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf
@ -3,9 +3,9 @@
|
||||
namespace Wallabag\AnnotationBundle\Controller;
|
||||
|
||||
use FOS\RestBundle\Controller\FOSRestController;
|
||||
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
|
||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Wallabag\AnnotationBundle\Entity\Annotation;
|
||||
use Wallabag\AnnotationBundle\Form\EditAnnotationType;
|
||||
use Wallabag\AnnotationBundle\Form\NewAnnotationType;
|
||||
@ -25,7 +25,7 @@ class WallabagAnnotationController extends FOSRestController
|
||||
$annotationRows = $this
|
||||
->getDoctrine()
|
||||
->getRepository('WallabagAnnotationBundle:Annotation')
|
||||
->findAnnotationsByPageId($entry->getId(), $this->getUser()->getId());
|
||||
->findByEntryIdAndUserId($entry->getId(), $this->getUser()->getId());
|
||||
$total = \count($annotationRows);
|
||||
$annotations = ['total' => $total, 'rows' => $annotationRows];
|
||||
|
||||
@ -72,31 +72,35 @@ class WallabagAnnotationController extends FOSRestController
|
||||
*
|
||||
* @see Wallabag\ApiBundle\Controller\WallabagRestController
|
||||
*
|
||||
* @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function putAnnotationAction(Annotation $annotation, Request $request)
|
||||
public function putAnnotationAction(Request $request, int $annotation)
|
||||
{
|
||||
$data = json_decode($request->getContent(), true);
|
||||
try {
|
||||
$annotation = $this->validateAnnotation($annotation, $this->getUser()->getId());
|
||||
|
||||
$form = $this->get('form.factory')->createNamed('', EditAnnotationType::class, $annotation, [
|
||||
'csrf_protection' => false,
|
||||
'allow_extra_fields' => true,
|
||||
]);
|
||||
$form->submit($data);
|
||||
$data = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
|
||||
|
||||
if ($form->isValid()) {
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$em->persist($annotation);
|
||||
$em->flush();
|
||||
$form = $this->get('form.factory')->createNamed('', EditAnnotationType::class, $annotation, [
|
||||
'csrf_protection' => false,
|
||||
'allow_extra_fields' => true,
|
||||
]);
|
||||
$form->submit($data);
|
||||
|
||||
$json = $this->get('jms_serializer')->serialize($annotation, 'json');
|
||||
if ($form->isValid()) {
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$em->persist($annotation);
|
||||
$em->flush();
|
||||
|
||||
return JsonResponse::fromJsonString($json);
|
||||
$json = $this->get('jms_serializer')->serialize($annotation, 'json');
|
||||
|
||||
return JsonResponse::fromJsonString($json);
|
||||
}
|
||||
|
||||
return $form;
|
||||
} catch (\InvalidArgumentException $e) {
|
||||
throw new NotFoundHttpException($e);
|
||||
}
|
||||
|
||||
return $form;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -104,18 +108,35 @@ class WallabagAnnotationController extends FOSRestController
|
||||
*
|
||||
* @see Wallabag\ApiBundle\Controller\WallabagRestController
|
||||
*
|
||||
* @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function deleteAnnotationAction(Annotation $annotation)
|
||||
public function deleteAnnotationAction(int $annotation)
|
||||
{
|
||||
try {
|
||||
$annotation = $this->validateAnnotation($annotation, $this->getUser()->getId());
|
||||
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$em->remove($annotation);
|
||||
$em->flush();
|
||||
|
||||
$json = $this->get('jms_serializer')->serialize($annotation, 'json');
|
||||
|
||||
return (new JsonResponse())->setJson($json);
|
||||
} catch (\InvalidArgumentException $e) {
|
||||
throw new NotFoundHttpException($e);
|
||||
}
|
||||
}
|
||||
|
||||
private function validateAnnotation(int $annotationId, int $userId)
|
||||
{
|
||||
$em = $this->getDoctrine()->getManager();
|
||||
$em->remove($annotation);
|
||||
$em->flush();
|
||||
|
||||
$json = $this->get('jms_serializer')->serialize($annotation, 'json');
|
||||
$annotation = $em->getRepository('WallabagAnnotationBundle:Annotation')->findOneByIdAndUserId($annotationId, $userId);
|
||||
|
||||
return (new JsonResponse())->setJson($json);
|
||||
if (null === $annotation) {
|
||||
throw new NotFoundHttpException();
|
||||
}
|
||||
|
||||
return $annotation;
|
||||
}
|
||||
}
|
||||
|
||||
@ -34,6 +34,15 @@ class AnnotationFixtures extends Fixture implements DependentFixtureInterface
|
||||
|
||||
$this->addReference('annotation2', $annotation2);
|
||||
|
||||
$annotation3 = new Annotation($this->getReference('bob-user'));
|
||||
$annotation3->setEntry($this->getReference('entry3'));
|
||||
$annotation3->setText('This is my first annotation !');
|
||||
$annotation3->setQuote('content');
|
||||
|
||||
$manager->persist($annotation3);
|
||||
|
||||
$this->addReference('annotation3', $annotation3);
|
||||
|
||||
$manager->flush();
|
||||
}
|
||||
|
||||
|
||||
@ -41,6 +41,24 @@ class AnnotationRepository extends EntityRepository
|
||||
;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find annotation by id and user.
|
||||
*
|
||||
* @param int $annotationId
|
||||
* @param int $userId
|
||||
*
|
||||
* @return Annotation
|
||||
*/
|
||||
public function findOneByIdAndUserId($annotationId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.id = :annotationId')->setParameter('annotationId', $annotationId)
|
||||
->andWhere('a.user = :userId')->setParameter('userId', $userId)
|
||||
->setMaxResults(1)
|
||||
->getQuery()
|
||||
->getOneOrNullResult();
|
||||
}
|
||||
|
||||
/**
|
||||
* Find annotations for entry id.
|
||||
*
|
||||
@ -49,7 +67,7 @@ class AnnotationRepository extends EntityRepository
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function findAnnotationsByPageId($entryId, $userId)
|
||||
public function findByEntryIdAndUserId($entryId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
|
||||
@ -66,7 +84,7 @@ class AnnotationRepository extends EntityRepository
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function findLastAnnotationByPageId($entryId, $userId)
|
||||
public function findLastAnnotationByUserId($entryId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
|
||||
|
||||
Reference in New Issue
Block a user