DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-01-12 14:27:33 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #10478 from snipe/fixes/whitelist_modal_views

Browse source 
Added allow list to modal view options
This commit is contained in:
snipe 2021-12-30 18:29:30 -08:00 committed by GitHub
parent 950a23b0f4 c6ce928567
commit 39a5b6b426
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
app/Http/Controllers/ModalController.php
View file

@ -6,15 +6,43 @@ use App\Helpers\Helper;
class ModalController extends Controller class ModalController extends Controller
{ {
function show($type, $itemId = null) {
$view = view("modals.${type}");
if($type == "statuslabel") { /**
$view->with('statuslabel_types', Helper::statusTypeList()); * Load the modal views after confirming they are in the allowed_types array.
* The allowed types away just prevents shithead skiddies from fuzzing the urls
* with automated scripts and junking up the logs. - snipe
*/
function show ($type, $itemId = null) {
$allowed_types = [
'category',
'kit-model',
'kit-license',
'kit-consumable',
'kit-accessory',
'location',
'manufacturer',
'model',
'statuslabel',
'supplier',
'upload-file',
'user',
];
if (in_array($type, $allowed_types)) {
$view = view("modals.${type}");
if ($type == "statuslabel") {
$view->with('statuslabel_types', Helper::statusTypeList());
}
if (in_array($type, ['kit-model', 'kit-license', 'kit-consumable', 'kit-accessory'])) {
$view->with('kitId', $itemId);
}
return $view;
} }
if(in_array($type, ['kit-model', 'kit-license', 'kit-consumable', 'kit-accessory'])) {
$view->with('kitId', $itemId); abort(404,'Page not found');
}
return $view;
} }
} }