From 3d59b8b3c9efa17aff8a8f601111070feb940a23 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Wed, 28 Jun 2023 21:11:13 +0200
Subject: [PATCH 1/6] Fix possible sql injection in whereRaw query
---
app/Rules/CaseInsensitiveEmailExists.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Rules/CaseInsensitiveEmailExists.php b/app/Rules/CaseInsensitiveEmailExists.php
index df15137b..525c6f3b 100644
--- a/app/Rules/CaseInsensitiveEmailExists.php
+++ b/app/Rules/CaseInsensitiveEmailExists.php
@@ -27,7 +27,7 @@ class CaseInsensitiveEmailExists implements Rule
public function passes($attribute, $value)
{
$user = DB::table('users')
- ->whereRaw('email = \'' . strtolower($value) . '\'' . ('sqlite' === config('database.default') ? ' COLLATE NOCASE' : ''))
+ ->whereRaw('email = ?' . ('sqlite' === config('database.default') ? ' COLLATE NOCASE' : ''), [strtolower($value)])
->first();
return ! $user ? false : true;
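Review bot: The bound parameter closes the injection, but `strtolower($value)` on the `+` line still assumes `$value` is a string; a validation rule can receive an array or null from the request body, and under PHP 8 `strtolower` then throws a TypeError instead of the rule simply failing. A guard before the query, `if (! is_string($value)) { return false; }`, keeps the rule's boolean contract. The lowercasing only yields a case-insensitive match on non-SQLite drivers if stored addresses are already lowercase, which this hunk cannot show — a one-line comment on the `+` line stating that assumption would help the next reader. The closing brace of `passes()` lies outside the hunk.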
From bac39882c311ff404e5b12b9c4a4f986bb6e9249 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Fri, 30 Jun 2023 14:50:57 +0200
Subject: [PATCH 2/6] Fix various possible XSS attacks
---
app/Api/v1/Controllers/IconController.php | 9 ++---
app/Api/v1/Requests/GroupStoreRequest.php | 2 +-
app/Api/v1/Requests/IconFetchRequest.php | 45 ++++++++++++++++++++++
resources/js/mixins.js | 4 ++
resources/js/views/twofaccounts/Create.vue | 6 +--
resources/js/views/twofaccounts/Edit.vue | 4 +-
6 files changed, 59 insertions(+), 11 deletions(-)
create mode 100644 app/Api/v1/Requests/IconFetchRequest.php
diff --git a/app/Api/v1/Controllers/IconController.php b/app/Api/v1/Controllers/IconController.php
index 68437b4b..d4acfc71 100644
--- a/app/Api/v1/Controllers/IconController.php
+++ b/app/Api/v1/Controllers/IconController.php
@@ -2,6 +2,7 @@
namespace App\Api\v1\Controllers;
+use App\Api\v1\Requests\IconFetchRequest;
use App\Http\Controllers\Controller;
use App\Models\TwoFAccount;
use App\Services\LogoService;
@@ -34,13 +35,11 @@ class IconController extends Controller
*
* @return \Illuminate\Http\JsonResponse
*/
- public function fetch(Request $request, LogoService $logoService)
+ public function fetch(IconFetchRequest $request, LogoService $logoService)
{
- $this->validate($request, [
- 'service' => 'string|regex:/^[^:]+$/i',
- ]);
+ $validated = $request->validated();
- $icon = $logoService->getIcon($request->service);
+ $icon = $logoService->getIcon($validated['service']);
return $icon
? response()->json(['filename' => $icon], 201)
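Review bot: `$validated['service']` on the `+` line assumes the key is present, but the rule the new request class carries (`string|regex:/^[^:]+$/i`, visible in the IconFetchRequest section below) does not appear to include `required`, so a request that omits `service` may leave the key out of `validated()` and this line would emit an undefined-array-key warning before handing null to `getIcon()`; the replaced `$request->service` returned null silently. Either add `required` to the rule or read `$validated['service'] ?? null` and return a 4xx response when it is null. If the controller no longer references `Illuminate\Http\Request` anywhere, that import is now unused, though the rest of the file is not in view. The body of `fetch()` continues past the hunk.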
diff --git a/app/Api/v1/Requests/GroupStoreRequest.php b/app/Api/v1/Requests/GroupStoreRequest.php
index 13a6f690..52147dce 100644
--- a/app/Api/v1/Requests/GroupStoreRequest.php
+++ b/app/Api/v1/Requests/GroupStoreRequest.php
@@ -28,7 +28,7 @@ class GroupStoreRequest extends FormRequest
return [
'name' => [
'required',
- 'string',
+ 'alpha_dash',
'max:32',
Rule::unique('groups')->where(fn ($query) => $query->where('user_id', $this->user()->id)),
],
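Review bot: Replacing `'string'` with `'alpha_dash'` on the `+` line rejects spaces and most punctuation in group names, a user-facing behavioral change the commit message (an XSS fix) does not mention, and the diff shows nothing handling groups already stored with such names. The value that needs protecting is the rendered name, so escaping at output is the robust control; if the character restriction is intended, keep the type rule alongside it, `'string', 'alpha_dash',`, and document the allowed character set where the API is described. The rules array continues outside the hunk.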
diff --git a/app/Api/v1/Requests/IconFetchRequest.php b/app/Api/v1/Requests/IconFetchRequest.php
new file mode 100644
index 00000000..fb12ec63
--- /dev/null
+++ b/app/Api/v1/Requests/IconFetchRequest.php
@@ -0,0 +1,45 @@
+ 'string|regex:/^[^:]+$/i',
+ ];
+ }
+
+ /**
+ * Prepare the data for validation.
+ *
+ * @codeCoverageIgnore
+ *
+ * @return void
+ */
+ protected function prepareForValidation()
+ {
+ $this->merge([
+ 'service' => strip_tags($this->service),
+ ]);
+ }
+}
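Review bot: `strip_tags($this->service)` in `prepareForValidation()` is called on whatever the request carries: when `service` is absent the argument is null, which PHP 8.1+ reports as a deprecation for a string parameter, and when it is an array the call throws a TypeError before validation runs. Guarding the type, `'service' => is_string($this->service) ? strip_tags($this->service) : $this->service,`, lets the `string` rule reject bad shapes instead. Stripping tags at input is also lossy and is not a substitute for escaping at output, so a comment on the merge stating that it only tidies the value, not that it makes it safe to render, would prevent later readers from relying on it. Given that this method does rewrite input, `@codeCoverageIgnore` in its docblock hides exactly the behaviour that deserves a test; the lines of this hunk before the rules array are not in view.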
diff --git a/resources/js/mixins.js b/resources/js/mixins.js
index 570ab6e1..e6ca1ad5 100644
--- a/resources/js/mixins.js
+++ b/resources/js/mixins.js
@@ -126,6 +126,10 @@ Vue.mixin({
this.setTheme(this.$root.userPreferences.theme)
},
+
+ strip_tags (str) {
+ return str.replace(/(<([^> ]+)>)/ig, "")
+ }
}
})
\ No newline at end of file
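Review bot: The pattern `/(<([^> ]+)>)/ig` in the added `strip_tags` excludes the space character from its class, so any tag that contains whitespace (in practice every tag with attributes) is left untouched, and `str.replace` throws when `str` is undefined or null. Vue's `{{ }}` interpolation already HTML-escapes what it renders (see the Create.vue hunk), so this helper should not be treated as the XSS control; if it is kept for display cleanup, guard the input first, `if (typeof str !== 'string') return str`, and add a comment that it is cosmetic, not a sanitiser. The mixin object continues above the hunk.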
diff --git a/resources/js/views/twofaccounts/Create.vue b/resources/js/views/twofaccounts/Create.vue
index 85321957..0827648e 100644
--- a/resources/js/views/twofaccounts/Create.vue
+++ b/resources/js/views/twofaccounts/Create.vue
@@ -149,7 +149,7 @@
{{ $t('errors.data_of_qrcode_is_not_valid_URI') }}
-
+ {{ uri }}