Fix for critical security error related to file include
beatrycze-volk committed Jun 13, 2024
1 parent 564bfd4 commit d140e03
Showing 7 changed files with 1,132 additions and 1,279 deletions.
43 changes: 38 additions & 5 deletions Classes/Controller/Backend/NewTenantController.php
Expand Up @@ -24,9 +24,11 @@
use TYPO3\CMS\Backend\View\BackendTemplateView;
use TYPO3\CMS\Core\Exception\SiteNotFoundException;
use TYPO3\CMS\Core\Localization\LocalizationFactory;
use TYPO3\CMS\Core\Resource\ResourceFactory;
use TYPO3\CMS\Core\Site\Entity\NullSite;
use TYPO3\CMS\Core\Site\SiteFinder;
use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
use TYPO3\CMS\Core\Utility\File\ExtendedFileUtility;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\View\ViewInterface;
use TYPO3\CMS\Extbase\Persistence\Generic\PersistenceManager;
Expand Down Expand Up @@ -179,7 +181,7 @@ protected function initializeAction(): void
public function addFormatAction(): void
{
// Include formats definition file.
$formatsDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/FormatDefaults.php');
$formatsDefaults = $this->getRecords('Format');

$frameworkConfiguration = $this->configurationManager->getConfiguration($this->configurationManager::CONFIGURATION_TYPE_FRAMEWORK);
// tx_dlf_formats are stored on PID = 0
Expand Down Expand Up @@ -221,7 +223,7 @@ public function addFormatAction(): void
public function addMetadataAction(): void
{
// Include metadata definition file.
$metadataDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/MetadataDefaults.php');
$metadataDefaults = $this->getRecords('Metadata');

// load language file in own array
$metadataLabels = $this->languageFactory->getParsedData('EXT:dlf/Resources/Private/Language/locallang_metadata.xlf', $this->siteLanguages[0]->getTypo3Language());
Expand Down Expand Up @@ -344,7 +346,7 @@ public function addSolrCoreAction(): void
public function addStructureAction(): void
{
// Include structure definition file.
$structureDefaults = include(ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/StructureDefaults.php');
$structureDefaults = $this->getRecords('Structure');

// load language file in own array
$structureLabels = $this->languageFactory->getParsedData('EXT:dlf/Resources/Private/Language/locallang_structure.xlf', $this->siteLanguages[0]->getTypo3Language());
Expand Down Expand Up @@ -459,15 +461,15 @@ public function errorAction(): void
/**
* Get language label for given key and language.
*
* @access protected
* @access private
*
* @param string $index
* @param string $lang
* @param array $langArray
*
* @return string
*/
protected function getLLL(string $index, string $lang, array $langArray): string
private function getLLL(string $index, string $lang, array $langArray): string

{
if (isset($langArray[$lang][$index][0]['target'])) {
return $langArray[$lang][$index][0]['target'];
Expand All @@ -477,4 +479,35 @@ protected function getLLL(string $index, string $lang, array $langArray): string
return 'Missing translation for ' . $index;
}
}

/**
* Get records from file for given record type.
*
* @access private
*
* @param string $recordType
*
* @return array
*/
private function getRecords(string $recordType): array
{
$filePath = GeneralUtility::getFileAbsFileName(
ExtensionManagementUtility::extPath('dlf') . 'Resources/Private/Data/' . $recordType . 'Defaults.php'
);

if ($filePath && file_exists($filePath)) {

// Get resource from file
$storage = GeneralUtility::makeInstance(ResourceFactory::class)->getDefaultStorage();
$fileObject = $storage->getFile($filePath);

if ($fileObject !== null) {
$fileContents = $fileObject->getContents();
$records = json_decode($fileContents, true);
if (json_last_error() === JSON_ERROR_NONE) {
return $records;
}
}
}
return [];
}
}
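Review bot: `getRecords()` builds its path as `$recordType . 'Defaults.php'`, but this same commit deletes `Resources/Private/Data/FormatDefaults.php` and adds `FormatDefaults.json`, so `file_exists()` is false and the helper returns `[]` — `addFormatAction()` and the other callers would then silently seed nothing. The suffix should be `'Defaults.json'`, and the not-found branch should fail loudly rather than return an empty array, e.g. `throw new \RuntimeException('Missing defaults file: ' . $filePath);`, since a missing data file is a deployment error, not a valid empty result. A valid JSON document that is not an object (a bare string or number) makes `json_decode` return a scalar, which violates the `array` return type, so guard with `if (json_last_error() === JSON_ERROR_NONE && is_array($records))`. `$recordType` is only ever a literal (`'Format'`, `'Metadata'`, `'Structure'`) in the visible callers, so the path concatenation is not user-controlled today; an explicit allowlist inside the helper would keep that property if a caller is added later. Also, `ResourceStorage::getFile()` takes a storage-relative identifier rather than an absolute filesystem path, so reading an extension file through the default storage may not resolve at all — confirm, or read it with `file_get_contents($filePath)`; `ExtendedFileUtility` is imported but unused in the lines shown.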
32 changes: 32 additions & 0 deletions Resources/Private/Data/FormatDefaults.json
@@ -0,0 +1,32 @@
{
"MODS": {
"root": "mods",
"namespace": "http://www.loc.gov/mods/v3",
"class": "Kitodo\\Dlf\\Format\\Mods"
},
"TEIHDR": {
"root": "teiHeader",
"namespace": "http://www.tei-c.org/ns/1.0",
"class": "Kitodo\\Dlf\\Format\\TeiHeader"
},
"ALTO": {
"root": "alto",
"namespace": "http://www.loc.gov/standards/alto/ns-v2#",
"class": "Kitodo\\Dlf\\Format\\Alto"
},
"IIIF1": {
"root": "IIIF1",
"namespace": "http://www.shared-canvas.org/ns/context.json",
"class": ""
},
"IIIF2": {
"root": "IIIF2",
"namespace": "http://iiif.io/api/presentation/2/context.json",
"class": ""
},
"IIIF3": {
"root": "IIIF3",
"namespace": "http://iiif.io/api/presentation/3/context.json",
"class": ""
}
}
44 changes: 0 additions & 44 deletions Resources/Private/Data/FormatDefaults.php

This file was deleted.

