
Commit 3eb2a5a

adds validateSubjectId() method in an attempt to prevent SSRF detection by psalm
1 parent cb4dcad commit 3eb2a5a


2 files changed

+37
-4
lines changed


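--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 ignore/
-able_test.php
+able_test.php
+/vendor/
+psalm.xml
+composer.json
+composer.lock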

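--- a/CAT_MH_CHA.php
+++ b/CAT_MH_CHA.php
@@ -365,7 +365,13 @@ public function makeInterview() {
 echo("Cannot create a new interview. Please have the REDCap administrator configure the application and organization IDs for CAT-MH use.");
 return;
 }
-$args['subjectID'] = $sid;
+
+if ($valid_sid = $this->validateSubjectId($sid)) {
+$args['subjectID'] = $valid_sid;
+} else {
+echo("Cannot create a new interview due to invalid subjectID! Please have the REDCap administrator configure the application and organization IDs for CAT-MH use.");
+return;
+}
 
 // determine timeframeID
 $seq_index = array_search(htmlentities($_GET['sequence'], ENT_QUOTES, 'UTF-8'), $this->getProjectSetting('sequence'));
@@ -391,7 +397,7 @@ public function makeInterview() {
 }
 
 $interview = $this->createInterview($args);
-$interview['subjectID'] = $sid;
+$interview['subjectID'] = $valid_sid;
 
 $new_interview = [
 "sequence" => $sequence,
@@ -403,7 +409,7 @@ public function makeInterview() {
 "labels" => $interview['labels'],
 "status" => 1,
 "timestamp" => time(),
-"subjectID" => $sid
+"subjectID" => $valid_sid
 ];
 $log_id = $this->updateInterview($new_interview);
 
@@ -1204,6 +1210,29 @@ public function getAPIUrl() {
 }
 }
 
+public function validateSubjectId($sid) {
+// remove non-alphanumeric characters
+$sid = preg_replace("/\W|_/", "", $sid);
+
+// check for an existing, matching subjectid
+$get_params = [
+"project_id" => $this->getProjectId(),
+"return_format" => "json",
+"fields" => "subjectid",
+"filterLogic" => "[subjectid] = '$sid'"
+];
+$data = json_decode(\REDCap::getData($get_params));
+$found_sid = $data[0]->subjectid;
+
+// if it matches the given subjectid, return the retrieved subjectid
+if ($found_sid === $sid) {
+return $found_sid;
+}
+
+// otherwise return false
+return false;
+}
+
 public function createInterview($args) {
 // args needed: applicationid, organizationid, subjectID, language, timeframeID, tests[]
 $out = [];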
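Review bot: In validateSubjectId, `$found_sid = $data[0]->subjectid;` reads index 0 unconditionally, so a subject id with no matching record produces an undefined-key warning and a read-property-on-null warning before the comparison fails, and if `preg_replace` returns null (PCRE error) the null `$sid` is interpolated as an empty string and could compare equal to a null `$found_sid`. Guard both: return false when the stripped id is not a non-empty string, and read the record with `?? null` (rewritten lines below). In the first makeInterview hunk, `if ($valid_sid = $this->validateSubjectId($sid))` tests truthiness, so the valid alphanumeric id `"0"` is rejected; compare explicitly with `if (($valid_sid = $this->validateSubjectId($sid)) !== false)`, and that branch's else-message about configuring application and organization IDs does not describe the failure, so use something like `"Cannot create a new interview: the given subjectID does not match any record."`. Since the regex reduces `$sid` to `[A-Za-z0-9]`, interpolating it into the single-quoted filterLogic literal cannot escape the quotes, which is presumably what makes the returned value safe to pass on; a docblock on validateSubjectId stating that the input is reduced to ASCII alphanumerics and that the return value is the stored subjectid (or false) would make that contract explicit.
```php
public function validateSubjectId($sid) {
    // remove non-alphanumeric characters; preg_replace yields null on a PCRE error
    $sid = preg_replace("/\W|_/", "", $sid);
    if (!is_string($sid) || $sid === "") {
        return false;
    }

    // … unchanged: $get_params and the getData call …
    $data = json_decode(\REDCap::getData($get_params));
    // no matching record leaves $data empty; fall through to the false return
    $found_sid = $data[0]->subjectid ?? null;

    // … unchanged: comparison and return …
```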
