From c9549e1c1f73e6b5566ac5da88b3d3b109b4fcfe Mon Sep 17 00:00:00 2001
From: horcsinbalint <51171286+horcsinbalint@users.noreply.github.com>
Date: Sat, 13 Jul 2024 23:22:24 +0200
Subject: [PATCH 1/2] Fixing some security vulnerabilities (#562)
* Remove ability to submit SVGs Giving users the ability to submit SVGs is a serious security vulnerability that gives option for attackers to perform an XSS attack
* Sanitize latex Anyone with sufficient permissions was capable of injecting malicious latex commands to the pdflatex command (like being a collegist or a tenant). Blade's {{ }} does not sanitize latex files. User inputs are now escaped in latex files.
* style: format code with PHP CS Fixer This commit fixes the style issues introduced in bc94a0f according to the output from PHP CS Fixer. Details: https://github.com/EotvosCollegium/mars/pull/562
* Add docs
---------
Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
---
 .../Secretariat/UserController.php | 2 +-
 app/Utils/CheckoutHandler.php | 2 +-
 app/Utils/LatexSanitizer.php | 37 +++++++++++++++++++
 resources/views/latex/import.blade.php | 6 +--
 .../views/latex/register-statement.blade.php | 14 +++----
 resources/views/latex/status-cert.blade.php | 21 +++++------
 6 files changed, 58 insertions(+), 24 deletions(-)
 create mode 100644 app/Utils/LatexSanitizer.php
diff --git a/app/Http/Controllers/Secretariat/UserController.php b/app/Http/Controllers/Secretariat/UserController.php
index d8689e085..ab52696b3 100644
--- a/app/Http/Controllers/Secretariat/UserController.php
+++ b/app/Http/Controllers/Secretariat/UserController.php
@@ -60,7 +60,7 @@ public function storeProfilePicture(Request $request, User $user): RedirectRespo
 session()->put('section', 'profile_picture');
 $request->validate([
- 'picture' => 'required|mimes:jpg,jpeg,png,gif,svg',
+ 'picture' => 'required|mimes:jpg,jpeg,png,gif',
 ]);
 $path = $request->file('picture')->store('avatars');
 $old_profile = $user->profilePicture;
diff --git a/app/Utils/CheckoutHandler.php b/app/Utils/CheckoutHandler.php
index 545b51bb7..05b712ce4 100644
--- a/app/Utils/CheckoutHandler.php
+++ b/app/Utils/CheckoutHandler.php
@@ -195,7 +195,7 @@ public function addExpense(Request $request): RedirectResponse
 'comment' => 'required|string',
 'amount' => 'required|integer|min:0',
 'payer' => 'exists:users,id',
- 'receipt' => 'required|mimes:pdf,jpg,jpeg,png,gif,svg',
+ 'receipt' => 'required|mimes:pdf,jpg,jpeg,png,gif',
 ]);
 $validator->validate();
diff --git a/app/Utils/LatexSanitizer.php b/app/Utils/LatexSanitizer.php
new file mode 100644
index 000000000..67e5702b1
--- /dev/null
+++ b/app/Utils/LatexSanitizer.php
@@ -0,0 +1,37 @@
+name }} @if(isset($item->serial_number)) ({{ $item->serial_number }}) @endif
+ \item {{ \App\Utils\LatexSanitizer::sanitizeLatex($item->name) }} @if(isset($item->serial_number)) ({{ \App\Utils\LatexSanitizer::sanitizeLatex($item->serial_number) }}) @endif @endforeach \end{enumerate}
@@ -63,11 +63,11 @@ birtokolt programokat és egyéb tartalmakat.
 \vspace{2em}
-\noindent{}Budapest, {{ $date }}
+\noindent{}Budapest, {{ \App\Utils\LatexSanitizer::sanitizeLatex($date) }}
 \hfill\lotofdots
-\hfill {{ $name }} \hspace{3.5em}
+\hfill {{ \App\Utils\LatexSanitizer::sanitizeLatex($name) }} \hspace{3.5em}
 \vspace{3em}
diff --git a/resources/views/latex/register-statement.blade.php b/resources/views/latex/register-statement.blade.php
index 750d5a48f..af398bd3e 100644
--- a/resources/views/latex/register-statement.blade.php
+++ b/resources/views/latex/register-statement.blade.php
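Review bot: Dropping `svg` from the `mimes` list on the `'picture'` rule only affects new uploads; SVG avatars that are already stored under `avatars` (the code two lines below still reads `$old_profile = $user->profilePicture`) keep being served until they are purged, so a one-off cleanup of existing `.svg` avatars and receipts, or serving user uploads with `Content-Disposition: attachment`, is still needed to close the issue the commit message describes. The same allowed list is now written out twice, here and in the `'receipt'` rule of `CheckoutHandler::addExpense` (hunk `@@ -195,7 +195,7 @@`), so a later addition can reintroduce `svg` in one place only; lifting it to a single constant, e.g. `public const UPLOAD_IMAGE_MIMES = 'jpg,jpeg,png,gif';` (constructed name), and referencing it from both rules keeps them in step. Laravel's `mimes` rule matches on the type guessed from the file content rather than the client-supplied file name, which is the right check here, and a short comment next to the rule saying so would stop the next reader from "hardening" it with an extension check. `storeProfilePicture` starts and ends outside the hunk.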
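Review bot: `{{ … }}` still HTML-escapes the value returned by `sanitizeLatex` on both replaced lines (Blade compiles it to `e()`), so a name containing `&`, `'`, `<` or `"` reaches the `.tex` source as an HTML entity such as `&amp;` on top of whatever the sanitizer did, which either breaks compilation or prints the entity in the PDF; since the LaTeX escaper is now the only escaping that belongs in this context, these should become `{!! \App\Utils\LatexSanitizer::sanitizeLatex($date) !!}` and `{!! \App\Utils\LatexSanitizer::sanitizeLatex($name) !!}`, unless the project disables Blade escaping for these views (not visible here). The body of the new `app/Utils/LatexSanitizer.php` is not legible in this view, so I cannot confirm it covers the full LaTeX special set (`\ { } $ & # ^ _ % ~`) and control characters; please add a docblock on `sanitizeLatex` listing exactly which characters it escapes and a unit test that pins at least `\`, `{`, `}` and `&`. Repeating the fully-qualified static call on every interpolation is also easy to forget on the next field; a dedicated Blade directive or a `use` alias at the top of each template would keep the templates readable and the sanitizing step greppable. The same applies to the register-statement hunks (`@@ -31,12 +31,12 @@`, `@@ -50,7 +50,7 @@`) and the status-cert hunks (`@@ -45,7 +42,7 @@`, `@@ -56,7 +53,7 @@`, `@@ -79,16 +76,16 @@`, `@@ -98,7 +95,7 @@`). Independently of template escaping, the pdflatex invocation (outside this diff) should run with `-no-shell-escape` so that a missed character cannot turn into command execution.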
@@ -31,12 +31,12 @@
 \vspace*{2em}
-\noindent{}Név: {{ $name }} \\
-Állandó lakcím: {{ $address }} \\
-Telefonszám: {{ $phone }} \\
-E-mail: {{ $email }} \\
-Születési hely és idő: {{ $place_and_of_birth }} \\
-Anyja neve: {{ $mothers_name }} \\
+\noindent{}Név: {{ \App\Utils\LatexSanitizer::sanitizeLatex($name) }} \\
+Állandó lakcím: {{ \App\Utils\LatexSanitizer::sanitizeLatex($address) }} \\
+Telefonszám: {{ \App\Utils\LatexSanitizer::sanitizeLatex($phone) }} \\
+E-mail: {{ \App\Utils\LatexSanitizer::sanitizeLatex($email) }} \\
+Születési hely és idő: {{ \App\Utils\LatexSanitizer::sanitizeLatex($place_and_of_birth) }} \\
+Anyja neve: {{ \App\Utils\LatexSanitizer::sanitizeLatex($mothers_name) }} \\
 Beköltözés dátuma: \\ \\ Megjegyzések:
@@ -50,7 +50,7 @@ A fentieket tudomásul vettem, a szobát a leltár szerint átvettem.
 \vspace{2em}
-\noindent{}Budapest, {{ $date }}
+\noindent{}Budapest, {{ \App\Utils\LatexSanitizer::sanitizeLatex($date) }}
 \hfill\lotofdots
diff --git a/resources/views/latex/status-cert.blade.php b/resources/views/latex/status-cert.blade.php
index cbdee5571..24f4568c1 100644
--- a/resources/views/latex/status-cert.blade.php
+++ b/resources/views/latex/status-cert.blade.php
@@ -1,13 +1,10 @@
 \documentclass[12pt,a4paper]{article}
-\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
 \usepackage[magyar]{babel}
 \usepackage{amsmath}
 \usepackage{graphicx}
 \usepackage{multirow}
-\usepackage{caption}
-\usepackage[letterspace=300]{microtype} - \usepackage{atbegshi}
 \usepackage{tikz}
 \usepackage[left=2cm, right=2cm, top=5cm, bottom=1cm]{geometry}
@@ -45,7 +42,7 @@
 }
 \textsc{ {\scriptsize
- {{ \App\Models\User::director()?->name }}\\
+ {{ \App\Utils\LatexSanitizer::sanitizeLatex(\App\Models\User::director()?->name) }}\\
 igazgató\\ } }
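Review bot: The preamble change in the `@@ -1,13 +1,10 @@` hunk — `\usepackage[utf8]{inputenc}` replaced by `\usepackage[T1]{fontenc}` and `caption` plus `[letterspace=300]{microtype}` dropped — is unrelated to the escaping fix and is not mentioned in the commit message, which makes the security change harder to review and to backport on its own. Dropping `inputenc` only works where the TeX installation defaults to UTF-8 input (LaTeX 2018-04 or later), and removing the `microtype` letterspacing may change how the certificate renders, so please confirm the template still compiles and looks as before with the accented `magyar` text used in the later hunks. I would either move this into its own commit or add one line to the message, e.g. `Switch status-cert to fontenc; drop unused caption/microtype` (constructed wording).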
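Review bot: `\App\Models\User::director()?->name` is `null` when no director is set, and the replaced line in the `@@ -45,7 +42,7 @@` hunk now passes that value straight into `sanitizeLatex`; if the sanitizer declares a non-nullable `string` parameter (its body is not legible in this view), a template that previously printed nothing now throws a `TypeError` at PDF generation time. A null-safe default keeps the old behaviour: `{{ \App\Utils\LatexSanitizer::sanitizeLatex(\App\Models\User::director()?->name ?? '') }}`, or alternatively declare the parameter `?string` and return `''` for `null` inside the sanitizer, documented in its docblock. The same pattern appears in hunks `@@ -56,7 +53,7 @@` (there also for `config("mail.secretary_mail")`, which is `null` when the key is unset), `@@ -79,16 +76,16 @@` and `@@ -98,7 +95,7 @@`.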
@@ -56,7 +53,7 @@
 \begin{flushleft} {\scriptsize H-1118 Budapest, Ménesi út 11-13\\ Tel.: +36 1 460 4481 • Fax.: +36 1 209 2044 \\
- E-mail: {{config("mail.secretary_mail")}} • {{\App\Models\User::director()?->email }}
+ E-mail: {{ \App\Utils\LatexSanitizer::sanitizeLatex(config("mail.secretary_mail")) }} • {{ \App\Utils\LatexSanitizer::sanitizeLatex(\App\Models\User::director()?->email) }}
 % valasztmany@eotvos.elte.hu • elnok@eotvos.elte.hu\\ Honlap: https://eotvos.elte.hu/ } \end{flushleft}
@@ -79,16 +76,16 @@
 \begin{document} \maketitle
-Alulírott {{ \App\Models\User::director()?->name }}, az ELTE Eötvös József Collegium igazgatója, hivatalosan igazolom, hogy {{ $name }} (Neptun-kód: {{ $neptun }}) az ELTE Eötvös József Collegium tagja {{ $from }}. szeptemberétől.
+Alulírott {{ \App\Utils\LatexSanitizer::sanitizeLatex(\App\Models\User::director()?->name) }}, az ELTE Eötvös József Collegium igazgatója, hivatalosan igazolom, hogy {{ \App\Utils\LatexSanitizer::sanitizeLatex($name) }} (Neptun-kód: {{ \App\Utils\LatexSanitizer::sanitizeLatex($neptun) }}) az ELTE Eötvös József Collegium tagja {{ \App\Utils\LatexSanitizer::sanitizeLatex($from) }}. szeptemberétől.
-A tagság érvényességének befejezése: {{ $until }}
+A tagság érvényességének befejezése: {{ \App\Utils\LatexSanitizer::sanitizeLatex($until) }}
 Személyes adatai: \begin{itemize} \itemsep0em
- \item születési helye és ideje: {{ $place_and_date_of_birth }}
- \item anyja neve: {{ $mothers_name }}
- \item állandó lakcíme: {{ $address }}
+ \item születési helye és ideje: {{ \App\Utils\LatexSanitizer::sanitizeLatex($place_and_date_of_birth) }}
+ \item anyja neve: {{ \App\Utils\LatexSanitizer::sanitizeLatex($mothers_name) }}
+ \item állandó lakcíme: {{ \App\Utils\LatexSanitizer::sanitizeLatex($address) }}
 \end{itemize}
@@ -98,7 +95,7 @@
 \begin{flushright} \begin{minipage}[t]{0.4\textwidth}
- \signature{ {{ \App\Models\User::director()?->name }} }{igazgató}{Eötvös József Collegium}
+ \signature{ {{ \App\Utils\LatexSanitizer::sanitizeLatex(\App\Models\User::director()?->name) }} }{igazgató}{Eötvös József Collegium}
 \end{minipage} \end{flushright}
From 5456252d651d99030acbb9493e68eead2b99beec Mon Sep 17 00:00:00 2001
From: Balint Horcsin
Date: Sat, 13 Jul 2024 23:23:32 +0200
Subject: [PATCH 2/2] Change version number
---
 config/app.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/app.php b/config/app.php
index d318ede08..daeed0307 100644
--- a/config/app.php
+++ b/config/app.php
@@ -15,7 +15,7 @@
 'name' => env('APP_NAME', 'Urán'),
-'version' => '3.24', // update on release
+'version' => '3.23.2', // update on release
 'logo_blue_path' => env('APP_ENV', "local") != "production" ? '/img/mars.png' : '/img/uran_blue.png',