Fix security issues

isc-etamarch · isc-etamarch · commit 5f528a464425 · 2024-10-29T11:42:20.000-04:00
diff --git a/cls/SourceControl/Git/Utils.cls b/cls/SourceControl/Git/Utils.cls
@@ -2933,55 +2933,4 @@ ClassMethod InDefaultBranchBasicMode() As %Boolean
     quit 0
 }
 
-ClassMethod ConfigureFavoriteNamespaces(username As %String, newNamespaces As %String)
-{
-    // Delete all the GIT favorite links for the user 
-    &sql(DELETE FROM %SYS_Portal.Users WHERE Username = :username AND Page LIKE '%Git%')
-
-    set iterator = newNamespaces.%GetIterator()
-    while iterator.%GetNext(.key, .value) {
-        set installNamespace = value
-        
-        // Insert Git link
-        set caption = "Git: " _ installNamespace
-        set link = "/isc/studio/usertemplates/gitsourcecontrol/webuidriver.csp/" _ installNamespace _ "/"
-        &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
-        
-        // Insert Git Pull link
-        set caption = "Git Pull: " _ installNamespace
-        set link = "/isc/studio/usertemplates/gitsourcecontrol/pull.csp?$NAMESPACE=" _ installNamespace
-        &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
-    }
-}
-
-ClassMethod GetFavoriteNamespaces(ByRef favNamespaces As %DynamicArray, ByRef nonFavNamespaces As %DynamicArray)
-{
-    set allNamespaces = ..GetContexts(1)
-    set iterator = allNamespaces.%GetIterator()
-
-    set username = $USERNAME
-    set pagePrefix = "Git:"    
-    &sql(DECLARE FavCursor CURSOR FOR SELECT Page into :page from %SYS_Portal.Users where username = :username and page %STARTSWITH :pagePrefix)
-
-    while iterator.%GetNext(.key, .value) {
-        set foundFlag = 0
-        &sql(OPEN FavCursor)
-        throw:SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(SQLCODE, %msg)
-        &sql(FETCH FavCursor)
-        while (SQLCODE = 0) {
-            set pageValue = "Git: "_value 
-            if (page = pageValue) {
-                do favNamespaces.%Push(value)
-                set foundFlag = 1
-            }
-            &sql(FETCH FavCursor)
-        }
-        &sql(CLOSE FavCursor)
-
-        if ('foundFlag) {
-            do nonFavNamespaces.%Push(value)
-        }
-    }
-}
-
 }
diff --git a/cls/_zpkg/isc/sc/git/Favorites.cls b/cls/_zpkg/isc/sc/git/Favorites.cls
@@ -1,54 +1,85 @@
-Class %zpkg.isc.sc.git.Favorites Extends %RegisteredObject
+Class %zpkg.isc.sc.git.Favorites
 {
-    ClassMethod ConfigureFavoriteNamespaces(username As %String, newNamespaces As %String)
+    ClassMethod ConfigureFavoriteNamespaces(username As %String, newNamespaces As %Library.DynamicObject)
 {
-    $$$AddAllRoleTemporary
-    // Delete all the GIT favorite links for the user 
-    &sql(DELETE FROM %SYS_Portal.Users WHERE Username = :username AND Page LIKE '%Git%')
-
-    set iterator = newNamespaces.%GetIterator()
-    while iterator.%GetNext(.key, .value) {
-        set installNamespace = value
-        
-        // Insert Git link
-        set caption = "Git: " _ installNamespace
-        set link = "/isc/studio/usertemplates/gitsourcecontrol/webuidriver.csp/" _ installNamespace _ "/"
-        &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
-        
-        // Insert Git Pull link
-        set caption = "Git Pull: " _ installNamespace
-        set link = "/isc/studio/usertemplates/gitsourcecontrol/pull.csp?$NAMESPACE=" _ installNamespace
-        &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
+    // Convert to $listbuild
+    set namespaces = $lb("")
+    for i=0:1:newNamespaces.%Size() {
+        set namespaces = namespaces_$lb(newNamespaces.%Get(i))
+    }
+    // Call the private method
+    try {
+        do ..SetFavs(username, namespaces)
+    } catch e {
+        return e.AsStatus()
     }
+    return $$$OK    
 }
 
 ClassMethod GetFavoriteNamespaces(ByRef favNamespaces As %DynamicArray, ByRef nonFavNamespaces As %DynamicArray)
 {
+    try {
+        set namespaces = ..GetFavs()
+        set favNamespaces = namespaces.%Get("Favorites")
+        set nonFavNamespaces = namespaces.%Get("NonFavorites")
+    } catch e {
+        return e.AsStatus()
+    }
+    return $$$OK
+}
+
+ClassMethod GetFavs() As %Library.DynamicObject [Private] {
     $$$AddAllRoleTemporary
     set allNamespaces = ##class(SourceControl.Git.Utils).GetContexts(1)
-    set iterator = allNamespaces.%GetIterator()
+
+    set favNamespaces = []
+    set nonFavNamespaces = []
 
     set username = $USERNAME
     set pagePrefix = "Git:"    
     &sql(DECLARE FavCursor CURSOR FOR SELECT Page into :page from %SYS_Portal.Users where username = :username and page %STARTSWITH :pagePrefix)
 
-    while iterator.%GetNext(.key, .value) {
+    for i=0:1:(allNamespaces.%Size() - 1) {
+        set namespace = allNamespaces.%Get(i)
         set foundFlag = 0
         &sql(OPEN FavCursor)
         throw:SQLCODE<0 ##class(%Exception.SQL).CreateFromSQLCODE(SQLCODE, %msg)
         &sql(FETCH FavCursor)
         while (SQLCODE = 0) {
-            set pageValue = "Git: "_value 
+            set pageValue = "Git: "_namespace 
             if (page = pageValue) {
-                do favNamespaces.%Push(value)
+                do favNamespaces.%Push(namespace)
                 set foundFlag = 1
             }
             &sql(FETCH FavCursor)
         }
         &sql(CLOSE FavCursor)
 
         if ('foundFlag) {
-            do nonFavNamespaces.%Push(value)
+            do nonFavNamespaces.%Push(namespace)
+        }
+    }
+    return {"Favorites": (favNamespaces), "NonFavorites": (nonFavNamespaces)}
+}
+
+ClassMethod SetFavs(username As %String, namespaces As %List) [Private] {
+    $$$AddAllRoleTemporary
+    &sql(DELETE FROM %SYS_Portal.Users WHERE Username = :username AND Page LIKE '%Git%')
+
+    for i=1:1:$listlength(namespaces) {
+        set namespace = $listget(namespaces, i)
+        if (namespace '= "") {
+            set installNamespace = namespace
+            
+            // Insert Git link
+            set caption = "Git: " _ installNamespace
+            set link = "/isc/studio/usertemplates/gitsourcecontrol/webuidriver.csp/" _ installNamespace _ "/"
+            &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
+            
+            // Insert Git Pull link
+            set caption = "Git Pull: " _ installNamespace
+            set link = "/isc/studio/usertemplates/gitsourcecontrol/pull.csp?$NAMESPACE=" _ installNamespace
+            &sql(INSERT OR UPDATE INTO %SYS_Portal.Users (Username, Page, Data) VALUES (:username, :caption, :link))
         }
     }
 }
