Factorize code to know if a parameter is used to store a secret

2020-10-05 12:13:06 +02:00 · 2020-10-05 12:13:06 +02:00 · cfc3c01815
commit cfc3c01815
parent 8a079cf716
5 changed files with 40 additions and 9 deletions
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@ -464,7 +464,7 @@ if ($resql)
 		print '<tr class="oddeven">';
 		print '<td class="tdoverflowmax300">'.$obj->name.'</td>'."\n";
 		print '<td class="tdoverflowmax300">';
-		if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $obj->name)) {
+		if (isASecretKey($obj->name)) {
 			if (empty($dolibarr_main_prod)) {
 				print '<!-- '.$obj->value.' -->';
 			}
--- a/htdocs/api/class/api_login.class.php
+++ b/htdocs/api/class/api_login.class.php
@ -40,7 +40,7 @@ class Login
 	 *
 	 * Request the API token for a couple username / password.
 	 * Using method POST is recommanded for security reasons (method GET is often logged by default by web servers with parameters so with login and pass into server log file).
-	 * Both methods are provided for developer conveniance. Best is to not use at all the login API method and enter directly the "DOLAPIKEY" into field at the top right of page. Note: The API key (DOLAPIKEY) can be found/set on the user page.
+	 * Both methods are provided for developer conveniance. Best is to not use at all the login API method and enter directly the "DOLAPIKEY" into field at the top right of page. Note: The API token (DOLAPIKEY) can be found/set on the user page.
 	 *
 	 * @param   string  $login			User login
 	 * @param   string  $password		User password
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@ -66,6 +66,10 @@ class Setup extends DolibarrApi
    {
        $list = array();

+        if (!DolibarrApiAccess::$user->rights->commande->lire) {
+        	throw new RestException(401);
+        }
+
        $sql = "SELECT rowid, code, libelle as label, module";
        $sql .= " FROM ".MAIN_DB_PREFIX."c_input_method as t";
        $sql .= " WHERE t.active = ".$active;
@ -127,6 +131,10 @@ class Setup extends DolibarrApi
    {
        $list = array();

+        if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
+        	throw new RestException(401);
+        }
+
        $sql = "SELECT id, code, type, libelle as label, module";
        $sql .= " FROM ".MAIN_DB_PREFIX."c_paiement as t";
        $sql .= " WHERE t.entity IN (".getEntity('c_paiement').")";
@ -468,6 +476,10 @@ class Setup extends DolibarrApi
    {
        $list = array();

+        if (!DolibarrApiAccess::$user->rights->commande->lire) {
+        	throw new RestException(401);
+        }
+
        $sql = "SELECT rowid, code, label";
        $sql .= " FROM ".MAIN_DB_PREFIX."c_availability as t";
        $sql .= " WHERE t.active = ".$active;
@ -960,6 +972,10 @@ class Setup extends DolibarrApi
    {
        $list = array();

+        if (!DolibarrApiAccess::$user->admin) {
+        	throw new RestException(401, 'Only an admin user can get list of extrafields');
+        }
+
        if ($type == 'thirdparty') $type = 'societe';
        if ($type == 'contact') $type = 'socpeople';

@ -1100,6 +1116,10 @@ class Setup extends DolibarrApi
    {
        $list = array();

+        if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
+        	throw new RestException(401);
+        }
+
        $sql = "SELECT rowid as id, code, sortorder, libelle as label, libelle_facture as descr, type_cdr, nbjour, decalage, module";
        $sql .= " FROM ".MAIN_DB_PREFIX."c_payment_term as t";
        $sql .= " WHERE t.entity IN (".getEntity('c_payment_term').")";
@ -1545,15 +1565,15 @@ class Setup extends DolibarrApi
    	global $conf;

    	if (!DolibarrApiAccess::$user->admin
-    		&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK)) {
-    		throw new RestException(403, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_ADMIN_CHECK');
+    		&& (empty($conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ)) {
+    		throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_CONST_READ');
    	}

    	if (!preg_match('/^[a-zA-Z0-9_]+$/', $constantname) || !isset($conf->global->$constantname)) {
    		throw new RestException(404, 'Error Bad or unknown value for constantname');
    	}
-    	if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $constantname)) {
-    		throw new RestException(403, 'Forbidden');
+    	if (isASecretKey($constantname)) {
+    		throw new RestException(403, 'Forbidden. This parameter cant be read with APIs');
    	}

    	return $conf->global->$constantname;
@ -1578,7 +1598,7 @@ class Setup extends DolibarrApi
    	if (!DolibarrApiAccess::$user->admin
    		&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK))
    	{
-    		throw new RestException(503, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
+    		throw new RestException(503, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
    	}

    	require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
--- a/htdocs/core/class/commondocgenerator.class.php
+++ b/htdocs/core/class/commondocgenerator.class.php
@ -325,7 +325,7 @@ abstract class CommonDocGenerator

    	foreach ($conf->global as $key => $val)
    	{
-    		if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $key)) $newval = '*****forbidden*****';
+    		if (isASecretKey($key)) $newval = '*****forbidden*****';
    		else $newval = $val;
    		$array_other['__['.$key.']__'] = $newval;
    	}
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@ -118,6 +118,17 @@ function setEntity($currentobject)
 	}
 }

+/**
+ * 	Return if string has a name dedicated to store a secret
+ *
+ * 	@param	string	$keyname	Name of key to test
+ * 	@return	boolean				True if key is used to store a secret
+ */
+function isASecretKey($keyname)
+{
+	return preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $keyname);
+}
+
 /**
 * Return information about user browser
 *
@ -6452,7 +6463,7 @@ function make_substitutions($text, $substitutionarray, $outputlangs = null)
 		if (dol_textishtml($text, 1)) $msgishtml = 1;

 		$keyfound = $reg[1];
-		if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $keyfound)) $newval = '*****forbidden*****';
+		if (isASecretKey($keyfound)) $newval = '*****forbidden*****';
 		else $newval = empty($conf->global->$keyfound) ? '' : $conf->global->$keyfound;
 		$text = preg_replace('/__\['.preg_quote($keyfound, '/').'\]__/', $msgishtml ?dol_htmlentitiesbr($newval) : $newval, $text);
 	}