Merge pull request #5 from nekudo/feature/hardening

nekudo · web-flow · commit 489d2eaa60dd · 2020-04-18T13:39:44.000+02:00
Do not sent protected database fields to client
diff --git a/src/ShinyDeploy/Action/WsDataAction/UpdateRepository.php b/src/ShinyDeploy/Action/WsDataAction/UpdateRepository.php
@@ -39,12 +39,23 @@ public function __invoke(array $actionPayload) : bool
             return false;
         }
 
+        // get users encryption key:
+        $auth = new Auth($this->config, $this->logger);
+        $encryptionKey = $auth->getEncryptionKeyFromToken($this->token);
+        if (empty($encryptionKey)) {
+            $this->responder->setError('Could not get encryption key.');
+            return false;
+        }
+        $repositories->setEnryptionKey($encryptionKey);
+
         // check if url is okay:
         if (!isset($repositoryData['username'])) {
             $repositoryData['username'] = '';
         }
-        if (!isset($repositoryData['password'])) {
-            $repositoryData['password'] = '';
+        if (empty($repositoryData['password'])) {
+            $repositoryId = (int) $repositoryData['id'];
+            $currentRepoData = $repositories->getRepositoryData($repositoryId);
+            $repositoryData['password'] = $currentRepoData['password'] ?? '';
         }
         $repositoryData['url'] = preg_replace('/\.git$/s', '', $repositoryData['url']);
         $urlCheckResult = $this->checkUrl(
@@ -57,16 +68,7 @@ public function __invoke(array $actionPayload) : bool
             return false;
         }
 
-        // get users encryption key:
-        $auth = new Auth($this->config, $this->logger);
-        $encryptionKey = $auth->getEncryptionKeyFromToken($this->token);
-        if (empty($encryptionKey)) {
-            $this->responder->setError('Could not get encryption key.');
-            return false;
-        }
-
         // update repository:
-        $repositories->setEnryptionKey($encryptionKey);
         $addResult = $repositories->updateRepository($repositoryData);
         if ($addResult === false) {
             $this->responder->setError('Could not update repository.');
diff --git a/src/ShinyDeploy/Domain/Database/Repositories.php b/src/ShinyDeploy/Domain/Database/Repositories.php
@@ -155,21 +155,33 @@ public function updateRepository(array $repositoryData) : bool
         if ($repositoryData === false) {
             throw new RuntimeException('Data encryption failed.');
         }
-        return $this->db->prepare(
-            "UPDATE repositories
-            SET `name` = %s,
-              `type` = %s,
-              `url` = %s,
-              `username` = %s,
-              `password` = %s
-            WHERE id = %i",
-            $repositoryData['name'],
-            $repositoryData['type'],
-            $repositoryData['url'],
-            $repositoryData['username'],
-            $repositoryData['password'],
-            $repositoryData['id']
-        )->execute();
+
+        $statement = "UPDATE repositories
+                SET `name` = %s, `type` = %s, `url` = %s, `username` = %s, `password` = %s
+                WHERE id = %i";
+        if (empty($repositoryData['password'])) {
+            $statement = str_replace(', `password` = %s', '', $statement);
+            $result = $this->db->prepare(
+                $statement,
+                $repositoryData['name'],
+                $repositoryData['type'],
+                $repositoryData['url'],
+                $repositoryData['username'],
+                $repositoryData['id']
+            )->execute();
+        } else {
+            $result = $this->db->prepare(
+                $statement,
+                $repositoryData['name'],
+                $repositoryData['type'],
+                $repositoryData['url'],
+                $repositoryData['username'],
+                $repositoryData['password'],
+                $repositoryData['id']
+            )->execute();
+        }
+
+        return $result;
     }
 
     /**
diff --git a/src/ShinyDeploy/Domain/Database/Servers.php b/src/ShinyDeploy/Domain/Database/Servers.php
@@ -172,25 +172,43 @@ public function updateServer(array $serverData) : bool
             throw new RuntimeException('Data encryption failed.');
         }
 
-        return $this->db->prepare(
-            "UPDATE servers
-            SET `name` = %s,
+        $statement = "UPDATE servers
+            SET 
+              `name` = %s,
               `type` = %s,
               `hostname` = %s,
               `port` = %s,
               `username` = %s,
               `password` = %s,
               `root_path` = %s
-            WHERE id = %i",
-            $serverData['name'],
-            $serverData['type'],
-            $serverData['hostname'],
-            $serverData['port'],
-            $serverData['username'],
-            $serverData['password'],
-            $serverData['root_path'],
-            $serverData['id']
-        )->execute();
+            WHERE id = %i";
+        if (empty($serverData['password'])) {
+            $statement = str_replace('`password` = %s,', '', $statement);
+            $result = $this->db->prepare(
+                $statement,
+                $serverData['name'],
+                $serverData['type'],
+                $serverData['hostname'],
+                $serverData['port'],
+                $serverData['username'],
+                $serverData['root_path'],
+                $serverData['id']
+            )->execute();
+        } else {
+            $result = $this->db->prepare(
+                $statement,
+                $serverData['name'],
+                $serverData['type'],
+                $serverData['hostname'],
+                $serverData['port'],
+                $serverData['username'],
+                $serverData['password'],
+                $serverData['root_path'],
+                $serverData['id']
+            )->execute();
+        }
+
+        return $result;
     }
 
     /**
diff --git a/src/ShinyDeploy/Responder/WsDataResponder.php b/src/ShinyDeploy/Responder/WsDataResponder.php
@@ -84,8 +84,40 @@ public function getFrameData() : array
         if ($this->responseType === 'error') {
             $frameData['reason'] = $this->errorMsg;
         } else {
-            $frameData['payload'] = $this->payload;
+            $frameData['payload'] = $this->getSecurePayload();
         }
         return $frameData;
     }
+
+    /**
+     * Returns payload with all protected/secure fields removed.
+     *
+     * @return array
+     */
+    protected function getSecurePayload(): array
+    {
+        $protectedFields = ['password'];
+        $securePayload = $this->payload;
+        foreach ($protectedFields as $protectedField) {
+            $this->unsetProtectedField($securePayload, $protectedField);
+        }
+
+        return $securePayload;
+    }
+
+    /**
+     * Recursively removes given field/key from an array.
+     *
+     * @param array $payload
+     * @param string $protectedField
+     */
+    private function unsetProtectedField(array &$payload, string $protectedField): void
+    {
+        unset($payload[$protectedField]);
+        foreach ($payload as &$value) {
+            if (is_array($value)) {
+                $this->unsetProtectedField($value, $protectedField);
+            }
+        }
+    }
 }
