Merge pull request #4359 from nilsteampassnet/vulnerability-log-injec…

…tion

Vulnerability log injection

includes/config/include.php

@@ -28,7 +28,7 @@
 
 define('TP_VERSION', '3.1.2');
 define("UPGRADE_MIN_DATE", "1727110744");
-define('TP_VERSION_MINOR', '112');
+define('TP_VERSION_MINOR', '114');
 define('TP_TOOL_NAME', 'Teampass');
 define('TP_ONE_DAY_SECONDS', 86400);
 define('TP_ONE_WEEK_SECONDS', 604800);

includes/tables_integrity.json

@@ -13,11 +13,11 @@
     },
     {
         "table_name": "background_tasks",
-        "structure_hash": "38da4ecc0e0b9ca5885c527507656b4fcf98df29e6b8bc794c4c45b00683aa21"
+        "structure_hash": "79a62efdee7707b95762fece4b2981229a155dedede422a44e4410270ad0c869"
     },
     {
         "table_name": "background_tasks_logs",
-        "structure_hash": "670985b7418ff8176df19b15c6568b935ab27137112fed7f02e6d4f4f006a765"
+        "structure_hash": "5b885ec26fdf2bb38ef63969be47ea2ca773f3f40be61e2afffa738cc3c73795"
     },
     {
         "table_name": "cache",
@@ -97,11 +97,11 @@
     },
     {
         "table_name": "log_items",
-        "structure_hash": "41e2733b5cc25a4eab9b62d5e9ecc130c9427509c0dcc915f79e347048bb03fe"
+        "structure_hash": "bd6960c43399a81559a8ff6feb0c924421f7aa6c456241c00ccb3ba0cb75def6"
     },
     {
         "table_name": "log_system",
-        "structure_hash": "5f62e1cbf98308aac6598cbafb4e938435162a2640c99e42cec8d6c5c60767fc"
+        "structure_hash": "966e6fd89b125f152be3f2d0113a95466ad770989bae9b73d8129820c9777281"
     },
     {
         "table_name": "misc",

sources/items.logs.php

@@ -123,8 +123,19 @@
                 $post_data,
                 'decode'
             );
+
+            // Check if the data is correct
+            // Required keys: id, label, user_id, action, login
+            $requiredKeys = ['id', 'label', 'user_id', 'action', 'login'];
 
-            if (is_array($dataReceived) === true && count($dataReceived) > 0 && array_key_exists('id', $dataReceived) === true && null !== filter_var($dataReceived['id'], FILTER_SANITIZE_NUMBER_INT)) {
+            if (
+                is_array($dataReceived) && // check if the data is an array
+                array_diff_key(array_flip($requiredKeys), $dataReceived) === [] &&  // check if all required keys have a valuekeys are present
+                count(array_filter($dataReceived)) === count($requiredKeys) && // check if all required 
+                in_array($dataReceived['action'], ['at_password_shown', 'at_password_copied'], true) && // only log these actions
+                $session->get('user-id') === (int) filter_var($dataReceived['user_id'], FILTER_SANITIZE_NUMBER_INT) // only log actions of the current user
+            ) {
+                // Log the action
                 logItems(
                     $SETTINGS,
                     (int) filter_var($dataReceived['id'], FILTER_SANITIZE_NUMBER_INT),

sources/main.functions.php

@@ -1569,7 +1569,7 @@ function logItems(
         ]
     );
     // Timestamp the last change
-    if ($action === 'at_creation' || $action === 'at_modifiation' || $action === 'at_delete' || $action === 'at_import') {
+    if (in_array($action, ['at_creation', 'at_modifiation', 'at_delete', 'at_import'], true)) {
         DB::update(
             prefixTable('misc'),
             [
@@ -1583,7 +1583,7 @@ function logItems(
     }
 
     // SYSLOG
-    if (isset($SETTINGS['syslog_enable']) === true && $SETTINGS['syslog_enable'] === '1') {
+    if (isset($SETTINGS['syslog_enable']) === true && (int) $SETTINGS['syslog_enable'] === 1) {
         // Extract reason
         $attribute = is_null($raison) === true ? Array('') : explode(' : ', $raison);
         // Get item info if not known