Merge branch 'master' of https://github.com/merelendor/evoleasing-site

2024-12-02 09:52:51 +03:00 · 2024-12-02 09:52:51 +03:00 · ed0a48ef06
commit ed0a48ef06
parent d7625e7895 d8e78722e2
5 changed files with 52 additions and 28 deletions
--- a/api/index.php
+++ b/api/index.php
@ -10,7 +10,7 @@ use \Bitrix\Main\Context,
 	\Bitrix\Main\Loader,
 	\Bitrix\Iblock;

-
+$sanitizer = new CBXSanitizer;
 $httpClient = new \Bitrix\Main\Web\HttpClient();

 $PARAM_1 = isset($_REQUEST["PARAM_1"]) ? $_REQUEST["PARAM_1"] : null;
@ -89,7 +89,7 @@ function checkRequestIsLocal()
 		return true;
 	}

-	if(strpos($_SERVER['HTTP_X_FORWARDED_FOR'], SELF_IP) > -1)
+	if($_SERVER[API_SELF_IP_LOOKUP_KEY] === SELF_IP)
 	{
 		return true;
 	}
@ -342,9 +342,9 @@ function setCompanyForUser($ID, $REQ, $replace = false)
 	}
 }

-if($_SERVER['REMOTE_USER'] && strpos($_SERVER['REMOTE_USER'], "Bearer") > -1)
+if($_SERVER[API_AUTH_LOOKUP_KEY] && strpos($_SERVER[API_AUTH_LOOKUP_KEY], "Bearer") > -1)
 {
-	$token = str_replace("Bearer ", "", $_SERVER['REMOTE_USER']);
+	$token = str_replace("Bearer ", "", $_SERVER[API_AUTH_LOOKUP_KEY]);

 	try
 	{
@ -2599,12 +2599,14 @@ switch($PARAM_1)
 	{
 		switch($PARAM_2)
 		{
+			/* DEPRECATED & DISABLED due to security reasons
 			case "token":
 			{
 				print \Bitrix\Main\Web\JWT::encode(["acc_number" => $REQ['acc_number']], $secret, 'HS256', null, null);
 				die();
 			}
 			break;
+			*/

 			case "recovery":
 			{
@ -2804,7 +2806,7 @@ switch($PARAM_1)
 					{
 						if(checkRequestIsLocal())
 						{
-							$token = str_replace("Bearer ", "", $_SERVER['REMOTE_USER']);
+							$token = str_replace("Bearer ", "", $_SERVER[API_AUTH_LOOKUP_KEY]);
 							$auth = (array) \Bitrix\Main\Web\JWT::decode($token, $secret, ["HS256"]);

 							$user = new \CUser;
@ -3207,10 +3209,10 @@ switch($PARAM_1)
 	case "calculation":
 	{
 		$payload = json_encode([
-			"car_price" => $REQ['car_price'], 
-			"initial_payment" => $REQ['initial_payment'], 
-			"lease_period" => $REQ['lease_period'], 
-			"redemption_payment" => $REQ['redemption_payment'], 
+			"car_price" => sanitize_string($REQ['car_price'], false, false, true), 
+			"initial_payment" => sanitize_string($REQ['initial_payment'], false, false, true), 
+			"lease_period" => sanitize_string($REQ['lease_period'], false, false, true), 
+			"redemption_payment" => sanitize_string($REQ['redemption_payment'], false, false, true), 
 		]);

 		$c = curl_init();
@ -3236,7 +3238,7 @@ switch($PARAM_1)
 	case "vizitka":
 	{
 		$c = curl_init();
-		curl_setopt($c, CURLOPT_URL, API_HOST."/site/GetUserBusinessCard/?guid=".$_REQUEST['guid']);
+		curl_setopt($c, CURLOPT_URL, API_HOST."/site/GetUserBusinessCard/?guid=".sanitize_string($REQ['guid'], false, false, true));
 		curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 30);
 		curl_setopt($c, CURLOPT_TIMEOUT, 30);
 		curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
@ -3256,13 +3258,13 @@ switch($PARAM_1)
 	case "preapproval":
 	{
 		$payload = [ 
-			"inn" => $_REQUEST['vat'], 
+			"inn" => sanitize_string($REQ['vat'], false, false, true), 
 		];

 		$payload_json = json_encode($payload);

 		$c = curl_init();
-		curl_setopt($c, CURLOPT_URL, API_HOST."/site/FindClientInDatabase?inn=".$_REQUEST['vat']);
+		curl_setopt($c, CURLOPT_URL, API_HOST."/site/FindClientInDatabase?inn=".sanitize_string($REQ['vat'], false, false, true));
 		curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 30);
 		curl_setopt($c, CURLOPT_TIMEOUT, 30);
 		curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
@ -3296,7 +3298,7 @@ switch($PARAM_1)
 					$ar_user = $rs_user->Fetch();

 					$company_res = CIBlockElement::GetList([ 'id' => 'desc' ], [ 'IBLOCK_ID' => IBLOCK_ID_CLIENTS, 'CODE' => $auth['acc_number'] ], false, []);
-			
+
 					while ($company_element = $company_res->GetNextElement())
 					{
 						$company_record = $company_element->GetFields();
@ -3326,7 +3328,7 @@ switch($PARAM_1)
 					$new_feedback = new CIBlockElement;
 					if($new_feedback_id = $new_feedback->Add($ar_new_feedback))
 					{
-		
+
 					}

 					print json_encode([
--- a/bitrix/php_interface/init.php
+++ b/bitrix/php_interface/init.php
@ -231,7 +231,10 @@ function zerof_request($path, $query, $timeout = 900)
 		$check_file = file_get_contents($_SERVER['DOCUMENT_ROOT']."/zerof-500.txt");
 		if(strpos($check_file, $check) < 0)
 		{
-			file_put_contents($_SERVER['DOCUMENT_ROOT']."/zerof-500.txt", $path."\n".var_export($query, true)."\n".$http_code." | ".$response."\n\n");
+			if(DEBUG_ZEROF_CYCLE)
+			{
+				file_put_contents($_SERVER['DOCUMENT_ROOT']."/zerof-500.txt", $path."\n".var_export($query, true)."\n".$http_code." | ".$response."\n\n");
+			}
 			print "response with error logged\n";
 		}

@ -476,7 +479,10 @@ function OnBeforeIBlockElementAddHandler(&$arFields)

 		if(isset($properties['ADVERTISING']))
 		{
-			file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_add_before_adv_".$arFields['IBLOCK_ID'].".txt", var_export([ "CODE" => $arFields['CODE'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+			if(DEBUG_IBLOCK_CYCLE)
+			{
+				file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_add_before_adv_".$arFields['IBLOCK_ID'].".txt", var_export([ "CODE" => $arFields['CODE'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+			}

 			if(!is_null($arFields['PROPERTY_VALUES']['ADVERTISING']))
 			{
@ -612,12 +618,18 @@ function OnBeforeIBlockElementUpdateHandler(&$arFields)

 		if(isset($properties['ADVERTISING']))
 		{
-			file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_1.txt", var_export([ "ID" => $arFields['ID'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+			if(DEBUG_ADV_CYCLE)
+			{
+				file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_1.txt", var_export([ "ID" => $arFields['ID'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+			}

 			if(is_array($arFields['PROPERTY_VALUES'][$properties['ADVERTISING']]))
 			{
-				file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_2.txt", var_export([ "ID" => $arFields['ID'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
-				file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_values_on_update.txt", var_export($arFields, true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+				if(DEBUG_ADV_CYCLE)
+				{
+					file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_2.txt", var_export([ "ID" => $arFields['ID'], ], true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+					file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_adv_values_on_update.txt", var_export($arFields, true)."\n\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
+				}

 				if($arFields['PROPERTY_VALUES'][$properties['ADVERTISING_ERIR']][array_keys($arFields['PROPERTY_VALUES'][$properties['ADVERTISING_ERIR']])[0]]['VALUE'] === "")
 				{
@ -728,12 +740,6 @@ function OnBeforeIBlockElement($arFields)
 				if(count($code_matches) == 0)
 				{
 					$arFields["BODY"] .= " ".$code;
-					file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_index_".$arFields['PARAM2'].".txt", "CODE = ".$code." INDEX\n", FILE_APPEND);
-				}
-				else
-				{
-					file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_index_".$arFields['PARAM2'].".txt", "CODE = ".$code." EXISTS\n", FILE_APPEND);
-					file_put_contents($_SERVER['DOCUMENT_ROOT']."/element_index_".$arFields['PARAM2']."_dump.txt", $arFields["BODY"]."\n".str_repeat("-", 150)."\n\n", FILE_APPEND);
 				}
 			}
 		}
@ -742,4 +748,9 @@ function OnBeforeIBlockElement($arFields)
 	return $arFields;
 }

+function sanitize_string($str, $punctuation = false, $space = false, $replace = false)
+{
+	return preg_replace("/[^\d". ($space ? "\s" : "") ."\.\_\-@". ($punctuation ? "\"'=+,;«»()&!?%" : "") ."\p{Latin}\p{Cyrillic}]/ui", $replace ? " " : "", $str);
+}
+
 ?>
--- a/local/components/evolution/leasing.programs.faq/component.php
+++ b/local/components/evolution/leasing.programs.faq/component.php
@ -19,10 +19,14 @@ if($this->StartResultCache(60*60*24, md5(var_export($_POST, true))))
 {
 	if(CModule::IncludeModule('iblock'))
 	{
+		$sanitizer = new CBXSanitizer;
+
 		$arResult = [
 			'SECTIONS' => [], 
 		];
-		$arResult['SEARCH'] = $_REQUEST['search'];
+
+		$query = sanitize_string($sanitizer->SanitizeHtml($_REQUEST['search']), true, true, true);
+		$arResult['SEARCH'] = $query;

 		$sort = Array("SORT" => "ASC", "NAME" => "ASC");
 		$filter = Array("ACTIVE" => "Y", "IBLOCK_ID" => 19);
@ -33,9 +37,9 @@ if($this->StartResultCache(60*60*24, md5(var_export($_POST, true))))
 		{
 			$section['ITEMS'] = [];
 			$filter = array_merge($filter, [ "SECTION_ID" => $section['ID'] ]);
-			if(!empty($_REQUEST['search']))
+			if(!empty($query))
 			{
-				$filter = array_merge($filter, [ "SEARCHABLE_CONTENT" => "%".$_REQUEST['search']."%" ]);
+				$filter = array_merge($filter, [ "SEARCHABLE_CONTENT" => "%".$query."%" ]);
 			}

 			$res = CIBlockElement::GetList($sort, $filter, false, $options);	
--- a/readme.md
+++ b/readme.md
@ -6,4 +6,10 @@ SELF_IP - публичный IPv4 адрес сервера
 MODE_PRODUCTION - включен ли production режим
 DEBUG_IBLOCK_CYCLE - позволять ли сохранять дамп структуры элемента инфоблока при Add/Update операциях на подверженных рекламе инфоблоках
 ADVERTISING_IBLOCK_ARRAY - Массив идентификаторов инфоблоков, формата КОНСТАНТА => строковое значение из проекта evolution-advertiser
+```
+## Константы, зависящие от метода размещения - за CDN/без, используется ли контейнеризация
+### авторизация в методах API осуществляется посредством передачи JWT токена
+```
+API_SELF_IP_LOOKUP_KEY - ключ в заголовках http запроса/передаваемых параметрах веб-сервера, валидные значения: REMOTE_ADDR; при использовании CDN: HTTP_CF_CONNECTING_IP или иной ключ, не подверженный подмене первичным отправителем запроса
+API_AUTH_LOOKUP_KEY - ключ в заголовках http запроса/передаваемых параметрах веб-сервера, валидные значения: HTTP_AUTHORIZATION, REMOTE_USER
 ```
--- a/search/index.php
+++ b/search/index.php
@ -12,6 +12,7 @@ $APPLICATION->SetTitle("Поиск");
 		<div class="pageWithSide">
 			<div class="leftColumn">
 				<?
+					$_REQUEST['q'] = sanitize_string($_REQUEST['q'], true, true, true);
 					$APPLICATION->IncludeComponent("bitrix:search.page", "evolution", Array(
 						"TAGS_SORT" => "NAME",
 						"TAGS_PAGE_ELEMENTS" => "150",