Merge pull request #4481 from corentin-soriano/get_user_info_injection

Get user info injection

includes/core/load.js.php

@@ -126,20 +126,10 @@ function(data) {
                 // Refresh list of last items shopwn
                 refreshListLastSeenItems()
             ).then(function() {
-                // Check if new privatekey needs to be adapted
-                var data = {
-                    'user_id': store.get('teampassUser').user_id,
-                    'fields' : 'special, auth_type, is_ready_for_usage, ongoing_process_id, otp_provided, keys_recovery_time',
-                }
-                if (debugJavascript === true) {
-                    console.info('Sending request for:');
-                    console.log(data);
-                }
                 $.post(
                     "sources/main.queries.php", {
                         type: "get_user_info",
                         type_category: 'action_user',
-                        data: prepareExchangedData(JSON.stringify(data), 'encode', '<?php echo $session->get('key'); ?>'),
                         key: "<?php echo $session->get('key'); ?>"
                     },
                     function(data) {

pages/2fa.php

@@ -138,11 +138,7 @@
                                         $arrRolesMFA = [];
                                     }
                                     // Get full list
-                                    $roles = performDBQuery(
-                                        $SETTINGS,
-                                        'id, title',
-                                        'roles_title'
-                                    );
+                                    $roles = getRolesTitles();
                                     foreach ($roles as $role) {
                                         echo '
                                     <option value="' . $role['id'] . '"', in_array($role['id'], $arrRolesMFA) === true ? ' selected' : '', '>' . addslashes($role['title']) . '</option>';

pages/options.php

@@ -799,11 +799,7 @@
                                             $arrRolesToPrint = [];
                                         }
                                         // Get full list
-                                        $roles = performDBQuery(
-                                            $SETTINGS,
-                                            'id, title',
-                                            'roles_title'
-                                        );
+                                        $roles = getRolesTitles();
                                         foreach ($roles as $role) {
                                             echo '
                                     <option value="' . htmlspecialchars($role['id']) . '"', in_array($role['id'], $arrRolesToPrint) === true ? ' selected' : '', '>' . htmlspecialchars(addslashes($role['title'])) . '</option>';

sources/main.functions.php

@@ -2174,26 +2174,19 @@ function obfuscateEmail(string $email): string
 }
 
 /**
- * Perform a Query.
- *
- * @param array  $SETTINGS Teamapss settings
- * @param string $fields   Fields to use
- * @param string $table    Table to use
+ * Get id and title from role_titles table.
  *
  * @return array
  */
-function performDBQuery(array $SETTINGS, string $fields, string $table): array
+function getRolesTitles(): array
 {
-    // include librairies & connect to DB
-    //include_once $SETTINGS['cpassman_dir'] . '/includes/config/settings.php';
-
     // Load class DB
     loadClasses('DB');
 
     // Insert log in DB
     return DB::query(
-        'SELECT ' . $fields . '
-        FROM ' . prefixTable($table)
+        'SELECT id, title
+        FROM ' . prefixTable('roles_title')
     );
 }
 
@@ -4387,36 +4380,6 @@ function convertPasswordStrength($passwordStrength): int
     }
 }
 
-/**
- * Vérifie si les IDs d'un tableau existent bien dans la table.
- *
- * @param array $ids - Tableau d'IDs à vérifier
- * @param string $tableName - Nom de la table dans laquelle vérifier les IDs
- * @param string $fieldName - Nom du champ dans lequel vérifier les IDs
- * @return array - IDs qui n'existent pas dans la table
- */
-function checkIdsExist(array $ids, string $tableName, string $fieldName) : array
-{
-    // Assure-toi que le tableau d'IDs n'est pas vide
-    if (empty($ids)) {
-        return [];
-    }
-
-    // Nettoyage des IDs pour éviter les injections SQL
-    $ids = array_map('intval', $ids);  // Assure que chaque ID est un entier
-
-    // Construction de la requête SQL pour vérifier les IDs dans la table
-    $result = DB::query('SELECT id FROM ' . prefixTable($tableName) . ' WHERE ' . $fieldName . ' IN %li', $ids);
-
-    // Extraire les IDs existants de la table
-    $existingIds = array_column($result, 'id');
-
-    // Trouver les IDs manquants en comparant les deux tableaux
-    $missingIds = array_diff($ids, $existingIds);
-
-    return $missingIds; // Renvoie les IDs qui n'existent pas dans la table
-}
-
 /**
  * Check that a password is strong. The password needs to have at least :
  *   - length >= 10.

sources/main.queries.php

@@ -392,7 +392,6 @@ function userHandler(string $post_type, array|null|string $dataReceived, array $
         case 'get_user_info'://action_user
             return getUserInfo(
                 (int) $filtered_user_id,
-                (string) filter_var($dataReceived['fields'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
                 $SETTINGS
             );
 
@@ -3064,7 +3063,6 @@ function migrateTo3_DoUserPersonalItemsEncryption(
 
 function getUserInfo(
     int $post_user_id,
-    string $post_fields,
     array $SETTINGS
 )
 {
@@ -3075,7 +3073,7 @@ function getUserInfo(
     if (isUserIdValid($post_user_id) === true) {
         // Get user info
         $userData = DB::queryFirstRow(
-            'SELECT '.$post_fields.'
+            'SELECT special, auth_type, is_ready_for_usage, ongoing_process_id, otp_provided, keys_recovery_time
             FROM ' . prefixTable('users') . '
             WHERE id = %i',
             $post_user_id