|
64 | 64 | break; |
65 | 65 | } |
66 | 66 |
|
67 | | - $debug_queries = implode('<br>', $queries); |
| 67 | + // WHITELIST: Permetti solo pattern SQL sicuri |
| 68 | + $allowed_patterns = [ |
| 69 | + '/^ALTER\s+TABLE\s+`?[\w]+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?[\w]+`?/i', |
| 70 | + '/^CREATE\s+(UNIQUE\s+)?INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?\s*\(/i', |
| 71 | + '/^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$/i', |
| 72 | + '/^UPDATE\s+`?zz_views`?\s+SET\s+/i', |
| 73 | + '/^INSERT\s+INTO\s+`?zz_\w+`?\s*\(/i', |
| 74 | + '/^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+/i', |
| 75 | + ]; |
| 76 | + |
| 77 | + $safe_queries = []; |
| 78 | + $rejected = []; |
68 | 79 |
|
69 | | - $dbo->query('SET FOREIGN_KEY_CHECKS=0'); |
| 80 | + foreach ($queries as $query) { |
| 81 | + $is_safe = false; |
| 82 | + foreach ($allowed_patterns as $pattern) { |
| 83 | + if (preg_match($pattern, trim($query))) { |
| 84 | + $is_safe = true; |
| 85 | + break; |
| 86 | + } |
| 87 | + } |
| 88 | + |
| 89 | + if ($is_safe) { |
| 90 | + $safe_queries[] = $query; |
| 91 | + } else { |
| 92 | + $rejected[] = $query; |
| 93 | + } |
| 94 | + } |
| 95 | + |
| 96 | + if (!empty($rejected)) { |
| 97 | + echo json_encode([ |
| 98 | + 'success' => false, |
| 99 | + 'message' => tr('Query non permesse rilevate. Operazione bloccata per motivi di sicurezza.'), |
| 100 | + 'rejected_count' => count($rejected), |
| 101 | + ]); |
| 102 | + break; |
| 103 | + } |
| 104 | + |
| 105 | + if (empty($safe_queries)) { |
| 106 | + echo json_encode([ |
| 107 | + 'success' => false, |
| 108 | + 'message' => tr('Nessuna query valida da eseguire dopo la validazione.'), |
| 109 | + ]); |
| 110 | + break; |
| 111 | + } |
| 112 | + |
| 113 | + $debug_queries = implode('<br>', $safe_queries); |
70 | 114 |
|
71 | 115 | $errors = []; |
72 | 116 | $executed = 0; |
73 | 117 |
|
74 | | - foreach ($queries as $query) { |
| 118 | + foreach ($safe_queries as $query) { |
75 | 119 | try { |
76 | 120 | $dbo->query($query); |
77 | 121 | ++$executed; |
78 | 122 | } catch (Exception $e) { |
79 | | - $errors[] = $query.' - '.$e->getMessage(); |
| 123 | + // Sanifica il messaggio di errore per evitare leak di informazioni |
| 124 | + $errors[] = tr('Errore durante l\'esecuzione di una query.'); |
80 | 125 | } |
81 | 126 | } |
82 | | - $dbo->query('SET FOREIGN_KEY_CHECKS=1'); |
83 | 127 |
|
84 | 128 | if (empty($errors)) { |
85 | 129 | $success_message = tr('Tutte le query sono state eseguite con successo (_NUM_ query).', [ |
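Review bot: The ALTER TABLE and CREATE/DROP INDEX patterns accept any table name, so `ALTER TABLE users DROP COLUMN ...` or an index drop on an unrelated table still passes validation, while the UPDATE/INSERT/DELETE patterns are pinned to the `zz_` prefix; if the intent is to confine this endpoint to the module's own tables, the first three patterns should use the same `zz_\w+` table match. Only the DROP INDEX pattern is `$`-anchored, so anything after the matched prefix (an extra clause, or a second statement if `$dbo->query` permits multi-statement input, which is not visible here) is never inspected; consider anchoring each pattern or rejecting any query containing `;`. In the catch block both the query and `$e->getMessage()` are now discarded, which leaves operators with no way to diagnose a failed migration; log the detail server-side before storing the generic message, e.g. `error_log('[migration] '.$query.' - '.$e->getMessage());`. Where `$queries` is populated lies outside the hunk (the enclosing case starts before it), as does the consumer of `$debug_queries`, which still joins raw SQL with `<br>`; confirm it is escaped if rendered as HTML.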
|