zydronium/getnamingo-registry
1
0
Fork 0
mirror of https://github.com/getnamingo/registry.git synced 2025-07-03 09:33:25 +02:00
Code Issues Projects Releases Packages Wiki Activity

Sanitize and validate

Browse source
This commit is contained in:
Pinga 2023-12-14 09:50:48 +02:00
parent 0e135befc2
commit e00a2985e9
6 changed files with 141 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

21
cp/app/Controllers/ContactsController.php
View file

@ -528,6 +528,13 @@ class ContactsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
return $response->withHeader('Location', '/contacts')->withStatus(302);
}
$contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?', $contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?',
[ $args ]); [ $args ]);
@ -585,6 +592,13 @@ class ContactsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
return $response->withHeader('Location', '/contacts')->withStatus(302);
}
$contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?', $contact = $db->selectRow('SELECT id, identifier, voice, fax, email, nin, nin_type, crdate, clid, disclose_voice, disclose_fax, disclose_email FROM contact WHERE identifier = ?',
[ $args ]); [ $args ]);
@ -992,6 +1006,13 @@ class ContactsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid contact ID format');
return $response->withHeader('Location', '/contacts')->withStatus(302);
}
$contact_id = $db->selectValue('SELECT id FROM contact WHERE identifier = ?', $contact_id = $db->selectValue('SELECT id FROM contact WHERE identifier = ?',
[ $args ]); [ $args ]);

90
cp/app/Controllers/DomainsController.php
View file

@ -780,6 +780,13 @@ class DomainsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?',
[ $args ]); [ $args ]);
@ -858,6 +865,13 @@ class DomainsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?',
[ $args ]); [ $args ]);
@ -1551,6 +1565,13 @@ class DomainsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?', $domain = $db->selectRow('SELECT id, name, registrant, crdate, exdate, lastupdate, clid, idnlang, rgpstatus FROM domain WHERE name = ?',
[ $args ]); [ $args ]);
@ -1620,6 +1641,13 @@ class DomainsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domain = $db->selectRow('SELECT id, name, tldid, registrant, crdate, exdate, clid, crid, upid, trdate, trstatus, reid, redate, acid, acdate, rgpstatus, addPeriod, autoRenewPeriod, renewPeriod, renewedDate, transferPeriod FROM domain WHERE name = ?', $domain = $db->selectRow('SELECT id, name, tldid, registrant, crdate, exdate, clid, crid, upid, trdate, trstatus, reid, redate, acid, acdate, rgpstatus, addPeriod, autoRenewPeriod, renewPeriod, renewedDate, transferPeriod FROM domain WHERE name = ?',
[ $args ]); [ $args ]);
@ -2238,7 +2266,17 @@ class DomainsController extends Controller
//if ($request->getMethod() === 'POST') { //if ($request->getMethod() === 'POST') {
$data = $request->getParsedBody(); $data = $request->getParsedBody();
$db = $this->container->get('db'); $db = $this->container->get('db');
$domainName = $args ?? null;
if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domainName = $args ?? null;
}
if (!$domainName) { if (!$domainName) {
$this->container->get('flash')->addMessage('error', 'Please provide the domain name'); $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
@ -2403,7 +2441,17 @@ class DomainsController extends Controller
//if ($request->getMethod() === 'POST') { //if ($request->getMethod() === 'POST') {
$data = $request->getParsedBody(); $data = $request->getParsedBody();
$db = $this->container->get('db'); $db = $this->container->get('db');
$domainName = $args ?? null;
if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domainName = $args ?? null;
}
if (!$domainName) { if (!$domainName) {
$this->container->get('flash')->addMessage('error', 'Please provide the domain name'); $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
@ -2458,7 +2506,17 @@ class DomainsController extends Controller
//if ($request->getMethod() === 'POST') { //if ($request->getMethod() === 'POST') {
$data = $request->getParsedBody(); $data = $request->getParsedBody();
$db = $this->container->get('db'); $db = $this->container->get('db');
$domainName = $args ?? null;
if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domainName = $args ?? null;
}
if (!$domainName) { if (!$domainName) {
$this->container->get('flash')->addMessage('error', 'Please provide the domain name'); $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
@ -2513,8 +2571,18 @@ class DomainsController extends Controller
//if ($request->getMethod() === 'POST') { //if ($request->getMethod() === 'POST') {
$data = $request->getParsedBody(); $data = $request->getParsedBody();
$db = $this->container->get('db'); $db = $this->container->get('db');
$domainName = $args ?? null;
if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domainName = $args ?? null;
}
if (!$domainName) { if (!$domainName) {
$this->container->get('flash')->addMessage('error', 'Please provide the domain name'); $this->container->get('flash')->addMessage('error', 'Please provide the domain name');
return $response->withHeader('Location', '/transfers')->withStatus(302); return $response->withHeader('Location', '/transfers')->withStatus(302);
@ -2578,7 +2646,17 @@ class DomainsController extends Controller
//if ($request->getMethod() === 'POST') { //if ($request->getMethod() === 'POST') {
$data = $request->getParsedBody(); $data = $request->getParsedBody();
$db = $this->container->get('db'); $db = $this->container->get('db');
$domainName = $args ?? null;
if ($args) {
$args = strtolower(trim($args));
if (!preg_match('/^([a-z0-9]([-a-z0-9]*[a-z0-9])?\.)*[a-z0-9]([-a-z0-9]*[a-z0-9])?$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid domain name format');
return $response->withHeader('Location', '/domains')->withStatus(302);
}
$domainName = $args ?? null;
}
if (!$domainName) { if (!$domainName) {
$this->container->get('flash')->addMessage('error', 'Please provide the domain name'); $this->container->get('flash')->addMessage('error', 'Please provide the domain name');

3
cp/app/Controllers/FinancialsController.php
View file

@ -22,10 +22,11 @@ class FinancialsController extends Controller
{ {
return view($response,'admin/financials/invoices.twig'); return view($response,'admin/financials/invoices.twig');
} }
public function viewInvoice(Request $request, Response $response, $args) public function viewInvoice(Request $request, Response $response, $args)
{ {
$invoiceNumberPattern = '/^[A-Za-z]+\d+-?\d+$/'; $invoiceNumberPattern = '/^[A-Za-z]+\d+-?\d+$/';
$args = trim($args);
if (preg_match($invoiceNumberPattern, $args)) { if (preg_match($invoiceNumberPattern, $args)) {
$invoiceNumber = $args; // valid format $invoiceNumber = $args; // valid format

6
cp/app/Controllers/HostsController.php
View file

@ -274,6 +274,8 @@ class HostsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
function isValidHostname($hostname) { function isValidHostname($hostname) {
$hostname = trim($hostname);
// Check for IDN and convert to ASCII if necessary // Check for IDN and convert to ASCII if necessary
if (mb_detect_encoding($hostname, 'ASCII', true) === false) { if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
$hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46); $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);
@ -343,6 +345,8 @@ class HostsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
function isValidHostname($hostname) { function isValidHostname($hostname) {
$hostname = trim($hostname);
// Check for IDN and convert to ASCII if necessary // Check for IDN and convert to ASCII if necessary
if (mb_detect_encoding($hostname, 'ASCII', true) === false) { if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
$hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46); $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);
@ -541,6 +545,8 @@ class HostsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
function isValidHostname($hostname) { function isValidHostname($hostname) {
$hostname = trim($hostname);
// Check for IDN and convert to ASCII if necessary // Check for IDN and convert to ASCII if necessary
if (mb_detect_encoding($hostname, 'ASCII', true) === false) { if (mb_detect_encoding($hostname, 'ASCII', true) === false) {
$hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46); $hostname = idn_to_ascii($hostname, 0, INTL_IDNA_VARIANT_UTS46);

14
cp/app/Controllers/RegistrarsController.php
View file

@ -298,6 +298,13 @@ class RegistrarsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim(preg_replace('/\s+/', ' ', $args));
if (!preg_match('/^[a-zA-Z0-9\s]+$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid registrar');
return $response->withHeader('Location', '/registrars')->withStatus(302);
}
$registrar = $db->selectRow('SELECT * FROM registrar WHERE name = ?', $registrar = $db->selectRow('SELECT * FROM registrar WHERE name = ?',
[ $args ]); [ $args ]);
@ -367,6 +374,13 @@ class RegistrarsController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^[a-z0-9]+$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid registrar');
return $response->withHeader('Location', '/registrars')->withStatus(302);
}
$registrar = $db->selectRow('SELECT * FROM registrar WHERE clid = ?', $registrar = $db->selectRow('SELECT * FROM registrar WHERE clid = ?',
[ $args ]); [ $args ]);

14
cp/app/Controllers/SystemController.php
View file

@ -459,6 +459,13 @@ class SystemController extends Controller
$db = $this->container->get('db'); $db = $this->container->get('db');
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^\.[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)?[^\.]$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid TLD format');
return $response->withHeader('Location', '/registry/tlds')->withStatus(302);
}
$validators = [ $validators = [
'extension' => v::stringType()->notEmpty()->length(3, 64), 'extension' => v::stringType()->notEmpty()->length(3, 64),
'createm0' => v::numericVal()->between(0.00, 9999999.99, true), 'createm0' => v::numericVal()->between(0.00, 9999999.99, true),
@ -743,6 +750,13 @@ class SystemController extends Controller
$uri = $request->getUri()->getPath(); $uri = $request->getUri()->getPath();
if ($args) { if ($args) {
$args = trim($args);
if (!preg_match('/^\.[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)?[^\.]$/', $args)) {
$this->container->get('flash')->addMessage('error', 'Invalid TLD format');
return $response->withHeader('Location', '/registry/tlds')->withStatus(302);
}
$tld = $db->selectRow('SELECT id, tld, idn_table, secure FROM domain_tld WHERE tld = ?', $tld = $db->selectRow('SELECT id, tld, idn_table, secure FROM domain_tld WHERE tld = ?',
[ $args ]); [ $args ]);