From 0085dcb4e3ab76219819b8a53950df1261c04453 Mon Sep 17 00:00:00 2001
From: Filippo Bertilotti <filippobertilotti@gmail.com>
Date: Fri, 04 Oct 2024 12:53:41 +0200
Subject: [PATCH] aggiunta controllo regex per prevenire xss attacks e rimozione debug
---
 app/Http/Controllers/FakeResponder/FakeResponder.php | 62 +++++++++++--------------------
 1 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/app/Http/Controllers/FakeResponder/FakeResponder.php b/app/Http/Controllers/FakeResponder/FakeResponder.php
index d5307c2..0fbf2f3 100644
--- a/app/Http/Controllers/FakeResponder/FakeResponder.php
+++ b/app/Http/Controllers/FakeResponder/FakeResponder.php
@@ -3,18 +3,16 @@
 namespace App\Http\Controllers\FakeResponder;
 use App\Http\Controllers\Controller;
+use App\Http\Requests\genericPicasso;
 use App\Vola\Services\VolaFakeHTTPResponder\VolaFakeHTTPResponder;
 use Illuminate\Http\Request;
-use Illuminate\Support\Str;
+use App\Vola\Classes\Utils;
 class FakeResponder extends Controller
 {
-    public string $cookieFakeSSOName = "CAuthCookie";
-    public string $cookieFakePicassoName = "SSOSESSIONID";
     public array $headers;
     public VolaFakeHTTPResponder $VolaFakeSSO;
-    protected bool $openFakeSSO = true;
     function __construct()
     {
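Review bot: The added `use App\Http\Requests\genericPicasso;` is not referenced anywhere in this diff, while `Utils` is the only new import actually used, so it looks like a leftover that should be dropped unless a later part of the class, outside these hunks, needs it. `use App\Vola\Classes\Utils;` is also inserted after the `Illuminate` import instead of next to the other `App\` imports, so moving it into that group keeps the `use` block alphabetised. The class body continues past the end of this hunk.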
@@ -27,47 +25,31 @@
         }
     }
+    public function modelBasedRequest(Request $request)
+    {
+        \RequestLogger::logReceivedRequest($request);
+
+        $responseContent = $this->VolaFakeSSO->getModelBasedResponses($request);
+        $responseContent = $this->compressIfRequested($request, $responseContent);
+
+        return response($responseContent['data'], $responseContent['status'], $this->headers);
+    }
+
     public function manageLegacyRequest(Request $request)
     {
-        if (isset($_COOKIE[$this->cookieFakeSSOName])) {
-            $testUser = intval(str_replace("xno:", "", $_COOKIE[$this->cookieFakeSSOName]));
-            $responseContent = $this->VolaFakeSSO->getResponses($request, $testUser);
+        \RequestLogger::logReceivedRequest($request);
-            $this->logRequest($request, $responseContent, "SSO Legacy");
-            $responseContent = (config('custom.compressed_responses',false) === TRUE) ? gzencode($responseContent, 3) : $responseContent;
+        $picassoRequest = (str_starts_with($request->getRequestUri(), '/picasso/',));
+        $profile = Utils::getRequestedUser($request);
+
+        if (isset($profile)) {
+            $responseContent = $this->VolaFakeSSO->getResponses($request, $profile, $picassoRequest);
+            \RequestLogger::logProcessedRequest($request, $responseContent);
+            $responseContent = $this->compressIfRequested($request, $responseContent);
             return response($responseContent, 200, $this->headers);
         } else {
-            \Log::channel('requests_failed')->debug($request->url() . "\nNessun cookie di sessione ".$this->cookieFakeSSOName);
-            return response('No cookie', 400, $this->headers);
-        }
-    }
-
-    public function managePicassoRequest(Request $request)
-    {
-        if (isset($_COOKIE[$this->cookieFakePicassoName])) {
-            $testUser = intval(str_replace("xno:", "", $_COOKIE[$this->cookieFakePicassoName]));
-            $responseContent = $this->VolaFakeSSO->getResponses($request, $testUser, true);
-
-            $this->logRequest($request, $responseContent, "Picasso");
-            $responseContent = (config('custom.compressed_responses',false) === TRUE) ? gzencode($responseContent, 3) : $responseContent;
-            return response($responseContent, 200, $this->headers);
-        } else {
-            \Log::channel('requests_failed')->debug("Picasso " . $request->url() . "\nNessun cookie di sessione ".$this->cookieFakePicassoName);
-            return response('No cookie', 400, $this->headers);
-        }
-    }
-
-    public function logRequest(Request $request, $responseContent = null, $system = '')
-    {
-        if (config('custom.log_all_requests', true) === TRUE) {
-            $uriParts = explode("?", $request->url());
-            $methodUri = Str::afterLast($uriParts[0], "/");
-            $reqParams = !empty($request->query()) ? $request->query() : [];
-            //\Log::channel('requests_managed')->debug($system . " " . $request->getClientIp() ." ". $methodUri . " with params ".print_r($reqParams,1));
-            //\Log::channel('requests_managed')->debug("Cookies received: " . print_r($_COOKIE,1));
-            if (isset($responseContent)) {
-                \Log::channel('requests_managed')->debug("\n" . $system . " " . $request->getClientIp() . " " . $methodUri . " :\n" . print_r($responseContent, 1));
-            }
+            \RequestLogger::logRejectedRequest($request);
+            return response('No cookie, no logged', 400, $this->headers);
         }
     }
-- 
Gitblit v1.8.0
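Review bot: `compressIfRequested` is handed two different shapes in this hunk: `manageLegacyRequest` passes the response body and uses the return value as the body, while `modelBasedRequest` passes the whole `getModelBasedResponses` array and then reads `['data']` and `['status']` from whatever comes back, so unless the helper (defined outside this diff) accepts both, one of the two paths is wrong — the natural fix is `$responseContent['data'] = $this->compressIfRequested($request, $responseContent['data']);` in `modelBasedRequest`. The Picasso detection `str_starts_with($request->getRequestUri(), '/picasso/',)` compares the raw request target, which still carries any deployment sub-path prefix, so `$picassoRequest = $request->is('picasso/*');` is the framework idiom and also removes the stray trailing comma and double parentheses. `modelBasedRequest` logs the received request but, unlike the legacy path, never calls `\RequestLogger::logProcessedRequest`, so its responses leave no trace in that log. The regex validation named in the commit subject lives in `Utils::getRequestedUser`, outside this diff; within the hunk the only guard on `$profile` is `isset`, and the rest of the class, including `__construct` and `compressIfRequested`, continues outside it.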