Security: remove possibility for get_user_popup to be called recursively with all user_id by using a none predictable hash instead of the user_id -refs BT#21323

NicoDucou · NicoDucou · commit 015cbccff2bc · 2024-01-08T21:37:54.000+01:00
diff --git a/main/inc/ajax/user_manager.ajax.php b/main/inc/ajax/user_manager.ajax.php
@@ -121,7 +121,8 @@
 
         $courseId = (int) $request->get('course_id');
         $sessionId = (int) $request->get('session_id');
-        $userId = (int) $request->get('user_id');
+        $hash = (string) $request->get('hash');
+        $userId = (int) UserManager::decryptUserHash($hash);
 
         $user_info = api_get_user_info($userId);
 
diff --git a/main/inc/lib/CoursesAndSessionsCatalog.class.php b/main/inc/lib/CoursesAndSessionsCatalog.class.php
@@ -1780,6 +1780,7 @@ public static function getFormattedSessionsBlock(array $sessions)
             $plugin = \BuyCoursesPlugin::create();
             $isThisSessionOnSale = $plugin->getBuyCoursePluginPrice($session);
 
+            $userIdHash = UserManager::generateUserHash($coachId);
             $sessionsBlock = [
                 'id' => $session->getId(),
                 'name' => $session->getName(),
@@ -1788,7 +1789,7 @@ public static function getFormattedSessionsBlock(array $sessions)
                 'nbr_users' => $session->getNbrUsers(),
                 'coach_id' => $coachId,
                 'coach_url' => $generalCoach
-                    ? api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&user_id='.$coachId
+                    ? api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash
                     : '',
                 'coach_name' => $coachName,
                 'coach_avatar' => UserManager::getUserPicture($coachId, USER_IMAGE_SIZE_SMALL),
diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php
@@ -1820,7 +1820,8 @@ function _api_format_user($user, $add_password = false, $loadAvatars = true)
     $result['profile_url'] = api_get_path(WEB_CODE_PATH).'social/profile.php?u='.$user_id;
 
     // Send message link
-    $sendMessage = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&user_id='.$user_id;
+    $userIdHash = UserManager::generateUserHash($user_id);
+    $sendMessage = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash;
     $result['complete_name_with_message_link'] = Display::url(
         $result['complete_name_with_username'],
         $sendMessage,
@@ -10615,9 +10616,23 @@ function api_decrypt_ldap_password(string $encryptedText): string
     } else {
         return false;
     }
+
+    return api_decrypt_hash($encryptedText,$secret);
+}
+
+/**
+ * Decrypt sent hash encoded with secret
+ *
+ * @param $encryptedText The hash text to be decrypted
+ * @param $secret        The secret used to encoded the hash
+ *
+ * @return string The decrypted text or false
+ */
+function api_decrypt_hash(string $encryptedHash, string $secret): string
+{
     $secret = hex2bin($secret);
-    $iv = base64_decode(substr($encryptedText, 0, 16), true);
-    $data = base64_decode(substr($encryptedText, 16), true);
+    $iv = base64_decode(substr($encryptedHash, 0, 16), true);
+    $data = base64_decode(substr($encryptedHash, 16), true);
     $tag = substr($data, strlen($data) - 16);
     $data = substr($data, 0, strlen($data) - 16);
 
@@ -10634,3 +10649,31 @@ function api_decrypt_ldap_password(string $encryptedText): string
         return false;
     }
 }
+
+/**
+ * Encrypt sent data with secret
+ *
+ * @param $data   The text to be encrypted
+ * @param $secret The secret to use encode data
+ *
+ * @return string The encrypted text or false
+ */
+function api_encrypt_hash($data, $secret)
+{
+  $secret = hex2bin($secret);
+  $iv = random_bytes(12);
+  $tag = '';
+
+  $encrypted = openssl_encrypt(
+    $data,
+    'aes-256-gcm',
+    $secret,
+    OPENSSL_RAW_DATA,
+    $iv,
+    $tag,
+    '',
+    16
+  );
+
+  return base64_encode($iv) . base64_encode($encrypted . $tag);
+}
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
@@ -2222,7 +2222,8 @@ public static function getTeachersFromCourse($courseId, $loadAvatars = true)
                 $userPicture = UserManager::getUserPicture($teacher['user_id'], USER_IMAGE_SIZE_SMALL);
                 $teachers['avatar'] = $userPicture;
             }
-            $teachers['url'] = $url.'&user_id='.$teacher['user_id'];
+            $userIdHash = UserManager::generateUserHash($teacher['user_id']);
+            $teachers['url'] = $url.'&hash='.$userIdHash;
             $listTeachers[] = $teachers;
         }
 
@@ -2255,7 +2256,8 @@ public static function getTeacherListFromCourseCodeToString(
                     $teacher['lastname']
                 );
                 if ($add_link_to_profile) {
-                    $url = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&user_id='.$teacher['user_id'];
+                    $userIdHash = UserManager::generateUserHash($teacher['user_id']);
+                    $url = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash;
                     $teacher_name = Display::url(
                         $teacher_name,
                         $url,
@@ -2337,7 +2339,9 @@ public static function get_coachs_from_course($session_id = 0, $courseId = 0, $l
                 $row['avatar'] = $loadAvatars
                     ? UserManager::getUserPicture($row['user_id'], USER_IMAGE_SIZE_SMALL)
                     : '';
-                $row['url'] = "$url&user_id={$row['user_id']}";
+                $userIdHash = UserManager::generateUserHash($row['user_id']);
+                $row['url'] = $url.'&hash='.$userIdHash;
+                $row['hash'] = $userIdHash; 
 
                 $coaches[] = $row;
             }
@@ -2368,7 +2372,8 @@ public static function get_coachs_from_course_to_string(
             foreach ($coachList as $coach_course) {
                 $coach_name = $coach_course['full_name'];
                 if ($add_link_to_profile) {
-                    $url = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&user_id='.$coach_course['user_id'].'&course_id='.$courseId.'&session_id='.$session_id;
+                    $userIdHash = UserManager::generateUserHash($coach_course['user_id']);
+                    $url = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash.'&course_id='.$courseId.'&session_id='.$session_id;
                     $coach_name = Display::url(
                         $coach_name,
                         $url,
diff --git a/main/inc/lib/social.lib.php b/main/inc/lib/social.lib.php
@@ -1220,9 +1220,10 @@ public static function show_social_menu(
                     'new-message.png',
                     $sendMessageText
                 );
+                $userIdHash = UserManager::generateUserHash($user_id);
                 $sendMessageUrl = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?'.http_build_query([
                     'a' => 'get_user_popup',
-                    'user_id' => $user_id,
+                    'hash' => $userIdHash,
                 ]);
 
                 $links .= '<li>';
diff --git a/main/inc/lib/statistics.lib.php b/main/inc/lib/statistics.lib.php
@@ -415,9 +415,10 @@ public static function getActivitiesData(
                 }
 
                 // User id.
+                $userIdHash = UserManager::generateUserHash($row[6]);
                 $row[5] = Display::url(
                     $row[5],
-                    api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&user_id='.$row[6],
+                    api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash,
                     ['class' => 'ajax']
                 );
 
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
@@ -8201,4 +8201,42 @@ private static function getGravatar(
 
         return $url;
     }
+
+   /**
+    * return user hash based on user_id and loggedin user's salt
+    *
+    * @param int user_id id of the user for whom we need the hash
+    *
+    * @return string containing the hash
+    */ 
+    public static function generateUserHash(int $user_id): string
+    {
+        $currentUserId = api_get_user_id();
+        $userManager = self::getManager();
+        /** @var User $user */
+        $user = self::getRepository()->find($currentUserId);
+        if (empty($user)) {
+            return false;
+        }
+        return rawurlencode(api_encrypt_hash($user_id, $user->getSalt()));
+    }
+
+   /**
+    * return decrypted hash or false
+    *
+    * @param string hash    hash that is to be decrypted
+    *
+    * @return string
+    */ 
+    public static function decryptUserHash(string $hash): string
+    {
+        $currentUserId = api_get_user_id();
+        $userManager = self::getManager();
+        /** @var User $user */
+        $user = self::getRepository()->find($currentUserId);
+        if (empty($user)) {
+            return false;
+        }
+        return api_decrypt_hash(rawurldecode($hash), $user->getSalt());
+    }
 }
diff --git a/main/inc/lib/userportal.lib.php b/main/inc/lib/userportal.lib.php
@@ -2033,8 +2033,9 @@ public function returnCoursesAndSessions(
                                 $params['category_id'] = $session_box['category_id'];
                                 $params['title'] = $session_box['title'];
                                 $params['id_coach'] = $coachId;
+                                $userIdHash = UserManager::generateUserHash($coachId);
                                 $params['coach_url'] = api_get_path(WEB_AJAX_PATH).
-                                    'user_manager.ajax.php?a=get_user_popup&user_id='.$coachId;
+                                    'user_manager.ajax.php?a=get_user_popup&hash='.$userIdHash;
                                 $params['coach_name'] = !empty($session_box['coach']) ? $session_box['coach'] : null;
                                 $params['coach_avatar'] = UserManager::getUserPicture(
                                     $coachId,
diff --git a/main/social/search.php b/main/social/search.php
@@ -98,9 +98,10 @@
                              <em class="fa fa-user"></em> '.get_lang('SendInvitation').'</a>';
             }
 
+            $userIdHash = UserManager::generateUserHash($user_info['user_id']);
             $sendMessageUrl = api_get_path(WEB_AJAX_PATH).'user_manager.ajax.php?'.http_build_query([
                 'a' => 'get_user_popup',
-                'user_id' => $user_info['user_id'],
+                'hash' => $userIdHash,
             ]);
 
             $sendMessage = Display::toolbarButton(
diff --git a/main/template/default/user_portal/classic_session.tpl b/main/template/default/user_portal/classic_session.tpl
@@ -119,7 +119,7 @@
                                                 <img src="{{ 'teacher.png'|icon(16) }}" width="16" height="16">
                                                 {% for coach in item.coaches %}
                                                     {{ loop.index > 1 ? ' | ' }}
-                                                    <a href="{{ _p.web_ajax ~ 'user_manager.ajax.php?' ~ {'a': 'get_user_popup', 'user_id': coach.user_id, 'session_id': row.id, 'course_id': item.real_id }|url_encode() }}"
+                                                    <a href="{{ _p.web_ajax ~ 'user_manager.ajax.php?' ~ {'a': 'get_user_popup', 'hash': coach.hash, 'session_id': row.id, 'course_id': item.real_id }|url_encode() }}"
                                                        data-title="{{ coach.full_name }}" class="ajax">
                                                         {{ coach.firstname }}, {{ coach.lastname }}
                                                     </a>
@@ -186,4 +186,4 @@
             <!-- end view simple info -->
         {% endif %}
     </div>
-{% endfor %}
+{% endfor %}
