
Commit dde0134

gr8bgr8b
andauthored
fix: csv should use safe mode when it is enabled; encode query to prevent cf filters from banning request to backend (gr8b)
Co-authored-by: gr8b <[email protected]>
1 parent e493c52 commit dde0134


3 files changed

+27
-15
lines changed


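--- a/Module.php
+++ b/Module.php
@@ -56,11 +56,10 @@ public function getDatabase() {
 ];
 }
 
-public function dbSelect(string $query) {
+public function dbSelect(string $query, &$error = null) {
 global $DB;
 
 $db = null;
-$error = null;
 $rows = [];
 $config = $this->getManifest();
 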
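Review bot: The new by-reference `&$error = null` parameter on `dbSelect` (new line 59) carries no type and no docblock, and because the hunk also drops the `$error = null;` initialisation from the body, the function appears to no longer reset a variable the caller passes in, so a reused variable holding an old value would read as a failure on a successful call. Consider `?string &$error = null` if what gets assigned further down is a string (that assignment is outside the hunk, so confirm), plus a docblock along the lines of `@param string|null $error receives the failure reason; left untouched on success`, or keep `$error = null;` as the first statement of the body. Returning a small result object instead of an out-parameter would remove the ambiguity entirely. The body of `dbSelect` continues past the end of the hunk.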
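--- a/actions/SqlForm.php
+++ b/actions/SqlForm.php
@@ -51,6 +51,14 @@ protected function doAction() {
 ];
 $this->getInputs($data, array_keys($data));
 
+if ($this->hasInput('query')) {
+$query = @base64_decode($data['query']);
+
+if ($query !== false) {
+$data['query'] = urldecode($query);
+}
+}
+
 $this->setResponse(
 $this->getAction() === 'sqlexplorer.csv'
 ? $this->getCsvResponse($data)
@@ -59,14 +67,16 @@ protected function doAction() {
 }
 
 protected function getCsvResponse(array $data) {
-$cursor = DBselect($data['query']);
-if ($cursor === false) {
+$error = null;
+$rows = $this->module->dbSelect($data['query'], $error);
+
+if ($error !== null) {
 $response = new CControllerResponseRedirect(
 (new CUrl('zabbix.php'))
 ->setArgument('action', 'sqlexplorer.form')
 ->getUrl()
 );
-$response->setFormData($this->getInputAll());
+$response->setFormData($data);
 
 if (version_compare(ZABBIX_VERSION, '6.0', '<')) {
 [$message] = clear_messages();
@@ -79,8 +89,6 @@ protected function getCsvResponse(array $data) {
 return $response;
 }
 
-$rows = DBfetchArray($cursor);
-
 if ($rows && $data['add_column_names']) {
 array_unshift($rows, array_keys($rows[0]));
 }
@@ -106,12 +114,18 @@ protected function getCsvResponse(array $data) {
 
 protected function getHtmlResponse(array $data) {
 if ($this->hasInput('preview')) {
-$data['rows'] = $this->module->dbSelect($data['query']);
-$data['rows_limit'] = $this->getGuiSearchLimit();
-$data['rows_count'] = count($data['rows']);
+$error = null;
+$rows = $this->module->dbSelect($data['query'], $error);
+
+if ($error === null) {
+$data['rows_limit'] = $this->getGuiSearchLimit();
+$data['rows_count'] = count($rows);
+
+if ($data['rows_count'] > $data['rows_limit']) {
+$data['rows'] = array_slice($rows, 0, $data['rows_limit']);
+}
 
-if ($data['rows_count'] > $data['rows_limit']) {
-$data['rows'] = array_slice($data['rows'], 0, $data['rows_limit']);
+$data['rows'] = $rows;
 }
 
 if (version_compare(ZABBIX_VERSION, '6.0', '<')) {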
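Review bot: In the `doAction` hunk, the `urldecode()` applied to the base64-decoded query does not match what app.js now sends: `btoa(unescape(encodeURIComponent(...)))` yields base64 of the query's raw UTF-8 bytes, not a percent-encoded string, so a query containing `+` or a `%xx` sequence (for example `SELECT 1+1` or a `LIKE '%41%'` pattern) is silently altered before it reaches `dbSelect`. Because `base64_decode()` is called without `strict: true` it discards invalid characters rather than returning false, so the `!== false` guard almost never fires and a plain, unencoded query would be mangled instead of passed through; the `@` suppression adds nothing since the function does not emit warnings. Suggested: `$query = base64_decode($data['query'], true);` and `$data['query'] = $query;`. With the query now base64-wrapped in transit, perimeter filters no longer see the SQL text, so the safe-mode check inside `$this->module->dbSelect()` is the only remaining control and must hold on both paths, which the `getCsvResponse` hunk now achieves by replacing the direct `DBselect()` call; `doAction` begins before the first hunk.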
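--- a/app.js
+++ b/app.js
@@ -26,6 +26,7 @@ document.getElementById('csv').addEventListener('click', function() {
 setActionToken('sqlexplorer.csv', form)
 form.setAttribute('action', 'zabbix.php?action=sqlexplorer.csv')
 setLoadingState(true)
+query_textbox.value = window.btoa(unescape(encodeURIComponent(editor.state.doc.toString())))
 form.submit()
 setTimeout(() => setLoadingState(false), 1000)
 });
@@ -40,6 +41,7 @@ document.getElementById('preview').addEventListener('click', function(e) {
 return false
 }
 
+query_textbox.value = window.btoa(unescape(encodeURIComponent(editor.state.doc.toString())))
 setLoadingState(true)
 form.submit()
 });
@@ -157,9 +159,6 @@ let editor = new EditorView({
 }),
 parent: query_textbox.parentElement
 })
-form.addEventListener('submit', e => {
-query_textbox.value = editor.state.doc.toString()
-})
 query_textbox.addEventListener('change', e => {
 let old_value = editor.state.doc.toString()
 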
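Review bot: The encoding expression added to both click handlers (new lines 29 and 44) is duplicated verbatim and relies on `unescape`, a deprecated Annex B function; hoist it into one helper, `const encodeQuery = () => window.btoa(unescape(encodeURIComponent(editor.state.doc.toString())))`, and write `query_textbox.value = encodeQuery()` at both sites so the transport format has a single definition that can later move to `TextEncoder`. Dropping the form `submit` listener in the third hunk means any submit path other than these two buttons — if one exists, it is not visible here — would now send the stale textbox value rather than the editor contents. A short comment at the helper such as `// base64 of the UTF-8 query text; decoded server-side before the query is run` would record why the value is no longer sent as plain text.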