Merge pull request #4 from LexioJ:fix/1.3.1-security-hardening

Release v1.3.1 - Security Hardening

Author: LexioJ

CHANGELOG.md

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.3.1] - 2025-11-09
+
+### 🔒 Security Hardening
+
+This release includes important security enhancements to strengthen the application's defenses.
+
+### Changed
+- Replaced direct cURL usage with Nextcloud's IClientService for proper SSL certificate verification
+- Enhanced input validation and sanitization for OQL query parameters
+- Improved data validation for numeric identifiers
+
+### Security
+- Resolved issues related to network communication security
+- Strengthened protection against malicious input in database queries
+
+---
+
 ## [1.3.0] - 2025-11-08
 
 ### ✨ Major New Feature: Agent Notifications System

appinfo/info.xml

@@ -75,7 +75,7 @@ Seamlessly connect your Nextcloud collaboration platform with iTop IT Service Ma
 
 #### Start streamlining your ITSM workflow - Connect iTop with Nextcloud and experience unified IT service management!]]></description>
 
-	<version>1.3.0</version>
+	<version>1.3.1</version>
 	<licence>AGPL-3.0-or-later</licence>
 
 	<author>iTop Integration Team</author>

lib/Controller/ConfigController.php

@@ -19,6 +19,7 @@
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
+use OCP\Http\Client\IClientService;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\IRequest;
@@ -39,6 +40,7 @@ public function __construct(
 		private CacheService $cacheService,
 		private LoggerInterface $logger,
 		private IAppManager $appManager,
+		private IClientService $clientService,
 		private ?string $userId
 	) {
 		parent::__construct($appName, $request);
@@ -269,26 +271,20 @@ public function getUserInfo(): DataResponse {
 				])
 			];
 
-			$ch = curl_init();
-			curl_setopt($ch, CURLOPT_URL, $apiUrl);
-			curl_setopt($ch, CURLOPT_POST, true);
-			curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
-			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($ch, CURLOPT_HTTPHEADER, [
-				'Content-Type: application/x-www-form-urlencoded',
-				'Auth-Token: ' . $applicationToken,
-				'User-Agent: Nextcloud-iTop-Integration/1.0'
-			]);
-
-			$result = curl_exec($ch);
-			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-			$error = curl_error($ch);
-			curl_close($ch);
-
-			if ($result === false || !empty($error)) {
-				return new DataResponse(['error' => $this->l10n->t('Connection failed: %s', [$error ?: $this->l10n->t('Unknown error')])], Http::STATUS_SERVICE_UNAVAILABLE);
+			try {
+				$client = $this->clientService->newClient();
+				$response = $client->post($apiUrl, [
+					'body' => http_build_query($postData),
+					'headers' => [
+						'Content-Type' => 'application/x-www-form-urlencoded',
+						'Auth-Token' => $applicationToken,
+						'User-Agent' => 'Nextcloud-iTop-Integration/1.0'
+					],
+					'timeout' => 15,
+				]);
+				$result = $response->getBody();
+			} catch (\Exception $e) {
+				return new DataResponse(['error' => $this->l10n->t('Connection failed: %s', [$e->getMessage()])], Http::STATUS_SERVICE_UNAVAILABLE);
 			}
 
 			$responseData = json_decode($result, true);
@@ -412,30 +408,24 @@ public function testApplicationToken(string $token = ''): DataResponse {
 				])
 			];
 
-			$ch = curl_init();
-			curl_setopt($ch, CURLOPT_URL, $apiUrl);
-			curl_setopt($ch, CURLOPT_POST, true);
-			curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
-			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($ch, CURLOPT_HTTPHEADER, [
-				'Content-Type: application/x-www-form-urlencoded',
-				'Auth-Token: ' . $token,
-				'User-Agent: Nextcloud-iTop-Integration/1.0'
-			]);
-
-			$result = curl_exec($ch);
-			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-			$error = curl_error($ch);
-			curl_close($ch);
-
-			$this->logger->info('iTop application token test - Method 1 (Auth-Token header) response: ' . $result, ['app' => Application::APP_ID]);
+			try {
+				$client = $this->clientService->newClient();
+				$response = $client->post($apiUrl, [
+					'body' => http_build_query($postData),
+					'headers' => [
+						'Content-Type' => 'application/x-www-form-urlencoded',
+						'Auth-Token' => $token,
+						'User-Agent' => 'Nextcloud-iTop-Integration/1.0'
+					],
+					'timeout' => 15,
+				]);
+				$result = $response->getBody();
 
-			if ($result === false || !empty($error)) {
+				$this->logger->info('iTop application token test response: ' . $result, ['app' => Application::APP_ID]);
+			} catch (\Exception $e) {
 				return new DataResponse([
 					'status' => 'error',
-					'message' => $this->l10n->t('Connection failed: %s', [$error ?: $this->l10n->t('Unknown error')])
+					'message' => $this->l10n->t('Connection failed: %s', [$e->getMessage()])
 				]);
 			}
 
@@ -532,37 +522,23 @@ public function testAdminConnection(string $url = ''): DataResponse {
 					'operation' => 'core/check_credentials'
 				])
 			];
-			
-			$ch = curl_init();
-			curl_setopt($ch, CURLOPT_URL, $apiUrl);
-			curl_setopt($ch, CURLOPT_POST, true);
-			curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
-			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($ch, CURLOPT_HTTPHEADER, [
-				'Content-Type: application/x-www-form-urlencoded',
-				'User-Agent: Nextcloud-iTop-Integration/1.0'
-			]);
-			
-			$result = curl_exec($ch);
-			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-			$error = curl_error($ch);
-			curl_close($ch);
-			
-			if ($result === false || !empty($error)) {
-				return new DataResponse([
-					'status' => 'error',
-					'message' => $this->l10n->t('Connection failed: %s', [$error ?: $this->l10n->t('Unknown error')]),
-					'details' => ['url' => $testUrl, 'api_url' => $apiUrl]
-				]);
-			}
 
-			if ($httpCode !== 200) {
+			try {
+				$client = $this->clientService->newClient();
+				$response = $client->post($apiUrl, [
+					'body' => http_build_query($postData),
+					'headers' => [
+						'Content-Type' => 'application/x-www-form-urlencoded',
+						'User-Agent' => 'Nextcloud-iTop-Integration/1.0'
+					],
+					'timeout' => 15,
+				]);
+				$result = $response->getBody();
+			} catch (\Exception $e) {
 				return new DataResponse([
 					'status' => 'error',
-					'message' => $this->l10n->t('iTop API endpoint returned HTTP %d', [$httpCode]),
-					'details' => ['http_code' => $httpCode, 'url' => $testUrl, 'api_url' => $apiUrl]
+					'message' => $this->l10n->t('Connection failed: %s', [$e->getMessage()]),
+					'details' => ['url' => $testUrl, 'api_url' => $apiUrl]
 				]);
 			}
 
@@ -1207,30 +1183,24 @@ private function validatePersonalTokenAndExtractPersonId(string $personalToken):
 				])
 			];
 
-			$ch = curl_init();
-			curl_setopt($ch, CURLOPT_URL, $apiUrl);
-			curl_setopt($ch, CURLOPT_POST, true);
-			curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
-			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($ch, CURLOPT_HTTPHEADER, [
-				'Content-Type: application/x-www-form-urlencoded',
-				'Auth-Token: ' . $personalToken,
-				'User-Agent: Nextcloud-iTop-Integration/1.0'
-			]);
-
-			$result = curl_exec($ch);
-			$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-			$error = curl_error($ch);
-			curl_close($ch);
-
-			if ($result === false || !empty($error)) {
+			try {
+				$client = $this->clientService->newClient();
+				$response = $client->post($apiUrl, [
+					'body' => http_build_query($postData),
+					'headers' => [
+						'Content-Type' => 'application/x-www-form-urlencoded',
+						'Auth-Token' => $personalToken,
+						'User-Agent' => 'Nextcloud-iTop-Integration/1.0'
+					],
+					'timeout' => 15,
+				]);
+				$result = $response->getBody();
+			} catch (\Exception $e) {
 				return [
 					'success' => false,
 					'person_id' => null,
 					'user_info' => null,
-					'error' => $this->l10n->t('Connection failed: %s', [$error ?: $this->l10n->t('Unknown error')])
+					'error' => $this->l10n->t('Connection failed: %s', [$e->getMessage()])
 				];
 			}
 
@@ -1297,6 +1267,11 @@ private function validatePersonalTokenAndExtractPersonId(string $personalToken):
 					$applicationToken = $this->crypto->decrypt($encryptedAppToken);
 
 					// Query User class using application token
+					// Validate personId to prevent OQL injection
+					if (!is_numeric($personId) || $personId < 0) {
+						throw new \InvalidArgumentException('Invalid person ID');
+					}
+					$personId = (int)$personId;
 					$getUserData = [
 						'json_data' => json_encode([
 							'operation' => 'core/get',
@@ -1305,23 +1280,19 @@ private function validatePersonalTokenAndExtractPersonId(string $personalToken):
 							'output_fields' => 'id,login,finalclass'
 						])
 					];
-					
-					$ch2 = curl_init();
-					curl_setopt($ch2, CURLOPT_URL, $apiUrl);
-					curl_setopt($ch2, CURLOPT_POST, true);
-					curl_setopt($ch2, CURLOPT_POSTFIELDS, http_build_query($getUserData));
-					curl_setopt($ch2, CURLOPT_RETURNTRANSFER, true);
-					curl_setopt($ch2, CURLOPT_TIMEOUT, 15);
-					curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, false);
-					curl_setopt($ch2, CURLOPT_HTTPHEADER, [
-						'Content-Type: application/x-www-form-urlencoded',
-						'Auth-Token: ' . $applicationToken,
-						'User-Agent: Nextcloud-iTop-Integration/1.0'
+
+					$client = $this->clientService->newClient();
+					$response = $client->post($apiUrl, [
+						'body' => http_build_query($getUserData),
+						'headers' => [
+							'Content-Type' => 'application/x-www-form-urlencoded',
+							'Auth-Token' => $applicationToken,
+							'User-Agent' => 'Nextcloud-iTop-Integration/1.0'
+						],
+						'timeout' => 15,
 					]);
-					
-					$userResult = curl_exec($ch2);
-					curl_close($ch2);
-					
+					$userResult = $response->getBody();
+
 					$userData = json_decode($userResult, true);
 					if (isset($userData['objects']) && !empty($userData['objects'])) {
 						$userObject = reset($userData['objects']);

lib/Service/ItopAPIService.php

@@ -122,6 +122,57 @@ private function getPersonId(string $userId): ?string {
 		return $personId !== '' ? $personId : null;
 	}
 
+	/**
+	 * Escape a string value for use in OQL queries
+	 * Protects against OQL injection by properly escaping special characters
+	 *
+	 * @param string $value Value to escape
+	 * @return string Escaped value safe for OQL
+	 */
+	private function escapeOQLString(string $value): string {
+		// Escape backslashes first to prevent double-escaping
+		$value = str_replace('\\', '\\\\', $value);
+		// Escape single quotes
+		$value = str_replace("'", "\\'", $value);
+		// Escape double quotes
+		$value = str_replace('"', '\\"', $value);
+		return $value;
+	}
+
+	/**
+	 * Validate and sanitize a numeric ID for use in OQL queries
+	 * Throws exception if ID is not numeric to prevent injection
+	 *
+	 * @param mixed $id ID to validate
+	 * @return int Validated numeric ID
+	 * @throws \InvalidArgumentException If ID is not numeric
+	 */
+	private function validateNumericId($id): int {
+		if (!is_numeric($id) || $id < 0) {
+			throw new \InvalidArgumentException('Invalid ID: must be a positive integer');
+		}
+		return (int)$id;
+	}
+
+	/**
+	 * Validate class name against whitelist to prevent injection
+	 *
+	 * @param string $class Class name to validate
+	 * @return string Validated class name
+	 * @throws \InvalidArgumentException If class is not in whitelist
+	 */
+	private function validateClassName(string $class): string {
+		$allowedClasses = ['UserRequest', 'Incident', 'Person', 'User', 'Team', 'lnkContactToTicket',
+			'lnkPersonToTeam', 'Change', 'PC', 'Phone', 'IPPhone', 'MobilePhone', 'Tablet',
+			'Printer', 'Peripheral', 'PCSoftware', 'OtherSoftware', 'WebApplication', 'Software',
+			'SoftwareInstance', 'lnkContactToFunctionalCI'];
+
+		if (!in_array($class, $allowedClasses, true)) {
+			throw new \InvalidArgumentException('Invalid class name: ' . $class);
+		}
+		return $class;
+	}
+
 	/**
 	 * Get tickets created by the current user (UserRequest + Incident)
 	 *
@@ -153,14 +204,16 @@ public function getUserCreatedTickets(string $userId, ?string $since = null, ?in
 
 	// Get person_id for more precise queries
 	$personId = $this->config->getUserValue($userId, Application::APP_ID, 'person_id', '');
-	
+
 	// Query UserRequest tickets where user is caller OR contact
 	// Note: ORDER BY in complex queries with subqueries may not work, so we sort in PHP
 	if ($personId) {
-		$userRequestQuery = "SELECT UserRequest WHERE (caller_id = '$personId' OR id IN (SELECT UserRequest JOIN lnkContactToTicket ON lnkContactToTicket.ticket_id = UserRequest.id WHERE lnkContactToTicket.contact_id = '$personId')) AND status != 'closed'";
+		$personId = $this->validateNumericId($personId);
+		$userRequestQuery = "SELECT UserRequest WHERE (caller_id = $personId OR id IN (SELECT UserRequest JOIN lnkContactToTicket ON lnkContactToTicket.ticket_id = UserRequest.id WHERE lnkContactToTicket.contact_id = $personId)) AND status != 'closed'";
 	} else {
 		// Fallback to name-based query if no person_id
-		$userRequestQuery = "SELECT UserRequest WHERE caller_id_friendlyname = '$fullName' AND status != 'closed'";
+		$escapedFullName = $this->escapeOQLString($fullName);
+		$userRequestQuery = "SELECT UserRequest WHERE caller_id_friendlyname = '$escapedFullName' AND status != 'closed'";
 	}
 	$userRequestParams = [
 		'operation' => 'core/get',
@@ -210,10 +263,11 @@ public function getUserCreatedTickets(string $userId, ?string $since = null, ?in
 
 	// Query Incident tickets where user is caller OR contact
 	if ($personId) {
-		$incidentQuery = "SELECT Incident WHERE (caller_id = '$personId' OR id IN (SELECT Incident JOIN lnkContactToTicket ON lnkContactToTicket.ticket_id = Incident.id WHERE lnkContactToTicket.contact_id = '$personId')) AND status != 'closed'";
+		$incidentQuery = "SELECT Incident WHERE (caller_id = $personId OR id IN (SELECT Incident JOIN lnkContactToTicket ON lnkContactToTicket.ticket_id = Incident.id WHERE lnkContactToTicket.contact_id = $personId)) AND status != 'closed'";
 	} else {
 		// Fallback to name-based query if no person_id
-		$incidentQuery = "SELECT Incident WHERE caller_id_friendlyname = '$fullName' AND status != 'closed'";
+		$escapedFullName = $this->escapeOQLString($fullName);
+		$incidentQuery = "SELECT Incident WHERE caller_id_friendlyname = '$escapedFullName' AND status != 'closed'";
 	}
 	$incidentParams = [
 		'operation' => 'core/get',
@@ -339,7 +393,8 @@ public function getUserCreatedTicketsCount(string $userId): array {
 		$requestCount = 0;
 
 		// Query UserRequest tickets
-		$userRequestQuery = "SELECT UserRequest WHERE caller_id_friendlyname = '$fullName' AND status != 'closed'";
+		$escapedFullName = $this->escapeOQLString($fullName);
+		$userRequestQuery = "SELECT UserRequest WHERE caller_id_friendlyname = '$escapedFullName' AND status != 'closed'";
 		$userRequestParams = [
 			'operation' => 'core/get',
 			'class' => 'UserRequest',
@@ -351,9 +406,9 @@ public function getUserCreatedTicketsCount(string $userId): array {
 		if (isset($userRequestResult['objects'])) {
 			$requestCount = count($userRequestResult['objects']);
 		}
-		
+
 		// Query Incident tickets
-		$incidentQuery = "SELECT Incident WHERE caller_id_friendlyname = '$fullName' AND status != 'closed'";
+		$incidentQuery = "SELECT Incident WHERE caller_id_friendlyname = '$escapedFullName' AND status != 'closed'";
 		$incidentParams = [
 			'operation' => 'core/get',
 			'class' => 'Incident',