viscous/espocrm
1
0
Fork 0
mirror of https://github.com/espocrm/espocrm.git synced 2026-06-27 22:46:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

sanitizer

Browse Source
This commit is contained in:
Yuri Kuznetsov
2023-11-11 17:39:46 +02:00
parent 109392c1ae
commit 2ed8edf842
10 changed files with 344 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
application/Espo/Classes/FieldSanitizers/Phone.php Normal file
View File

@@ -0,0 +1,77 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM - Open Source CRM application.
* Copyright (C) 2014-2023 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
* Website: https://www.espocrm.com
*
* EspoCRM is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* EspoCRM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with EspoCRM. If not, see http://www.gnu.org/licenses/.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\FieldSanitizers;
use Espo\Core\FieldSanitize\Sanitizer;
use Espo\Core\FieldSanitize\Sanitizer\Data;
use Espo\Core\PhoneNumber\Sanitizer as PhoneNumberSanitizer;
use stdClass;
class Phone implements Sanitizer
{
public function __construct(
private PhoneNumberSanitizer $phoneNumberSanitizer
) {}
public function sanitize(Data $data, string $entityType, string $field): void
{
$number = $data->get($field);
if ($number !== null) {
$number = $this->phoneNumberSanitizer->sanitize($number);
$data->set($field, $number);
}
$items = $data->get($field . 'Data');
if (!is_array($items)) {
return;
}
foreach ($items as $item) {
if (!$item instanceof stdClass) {
continue;
}
$number = $item->phoneNumber ?? null;
if (!is_scalar($number)) {
continue;
}
$number = (string) $number;
$item->phoneNumber = $this->phoneNumberSanitizer->sanitize($number);
}
$data->set($field . 'Data', $items);
}
}

114
application/Espo/Core/FieldSanitize/SanitizeManager.php Normal file
View File

@@ -0,0 +1,114 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM - Open Source CRM application.
* Copyright (C) 2014-2023 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
* Website: https://www.espocrm.com
*
* EspoCRM is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* EspoCRM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with EspoCRM. If not, see http://www.gnu.org/licenses/.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\FieldSanitize;
use Espo\Core\FieldSanitize\Sanitizer\Data;
use Espo\Core\InjectableFactory;
use Espo\Core\Utils\FieldUtil;
use Espo\Core\Utils\Metadata;
use stdClass;
class SanitizeManager
{
public function __construct(
private Metadata $metadata,
private FieldUtil $fieldUtil,
private InjectableFactory $injectableFactory
) {}
public function process(string $entityType, stdClass $rawData): void
{
$data = new Data($rawData);
foreach ($this->fieldUtil->getEntityTypeFieldList($entityType) as $field) {
if (!$this->isFieldSetInData($entityType, $field, $rawData)) {
continue;
}
$this->processField($entityType, $field, $data);
}
}
private function processField(string $entityType, string $field, Data $data): void
{
foreach ($this->getSanitizerList($entityType, $field) as $sanitizer) {
$sanitizer->sanitize($data, $entityType, $field);
}
}
private function isFieldSetInData(string $entityType, string $field, stdClass $data): bool
{
$attributeList = $this->fieldUtil->getActualAttributeList($entityType, $field);
$isSet = false;
foreach ($attributeList as $attribute) {
if (property_exists($data, $attribute)) {
$isSet = true;
break;
}
}
return $isSet;
}
/**
* @return Sanitizer[]
*/
private function getSanitizerList(string $entityType, string $field): array
{
$fieldType = $this->fieldUtil->getFieldType($entityType, $field);
if (!$fieldType) {
return [];
}
/** @var ?class-string<Sanitizer> $className */
$className = $this->metadata->get("fields.$fieldType.sanitizerClassName");
if ($className) {
$classNameList[] = $className;
}
/** @var class-string<Sanitizer>[] $classNameList */
$classNameList = $this->metadata->get("entityDefs.$entityType.fields.$field.sanitizerClassNameList") ?? [];
$classNameList = array_merge(
$className ? [$className] : [],
$classNameList
);
return array_map(
fn ($className) => $this->injectableFactory->create($className),
$classNameList
);
}
}

37
application/Espo/Core/FieldSanitize/Sanitizer.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM - Open Source CRM application.
* Copyright (C) 2014-2023 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
* Website: https://www.espocrm.com
*
* EspoCRM is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* EspoCRM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with EspoCRM. If not, see http://www.gnu.org/licenses/.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\FieldSanitize;
use Espo\Core\FieldSanitize\Sanitizer\Data;
interface Sanitizer
{
public function sanitize(Data $data, string $entityType, string $field): void;
}

78
application/Espo/Core/FieldSanitize/Sanitizer/Data.php Normal file
View File

@@ -0,0 +1,78 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM - Open Source CRM application.
* Copyright (C) 2014-2023 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
* Website: https://www.espocrm.com
*
* EspoCRM is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* EspoCRM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with EspoCRM. If not, see http://www.gnu.org/licenses/.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\FieldSanitize\Sanitizer;
use stdClass;
/**
* Input data. No 'clear' method, as unsetting is not supposed to happen in sanitization.
*/
class Data
{
public function __construct(private stdClass $data)
{}
/**
* Get a value.
*/
public function get(string $attribute): mixed
{
return $this->data->$attribute ?? null;
}
/**
* Whether a value is set.
*/
public function has(string $attribute): bool
{
return property_exists($this->data, $attribute);
}
/**
* Update a value.
*/
public function set(string $attribute, mixed $value): self
{
$this->data->$attribute = $value;
return $this;
}
/**
* Unset an attribute.
*/
public function clear(string $attribute): self
{
unset($this->data->$attribute);
return $this;
}
}

2
application/Espo/Core/PhoneNumber/Sanitizer.php
View File

@@ -39,7 +39,7 @@ class Sanitizer
private Config $config
) {}
public function sanitize(string $value, ?string $countryCode): string
public function sanitize(string $value, ?string $countryCode = null): string
{
$value = trim($value);

19
application/Espo/Core/Record/Service.php
View File

@@ -40,6 +40,7 @@ use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Exceptions\ForbiddenSilent;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Exceptions\NotFoundSilent;
use Espo\Core\FieldSanitize\SanitizeManager;
use Espo\Core\ORM\Entity as CoreEntity;
use Espo\Core\ORM\Repository\Option\SaveOption;
use Espo\Core\Record\Access\LinkCheck;
@@ -367,6 +368,9 @@ class Service implements Crud,
}
/**
* Warning: Do not extend.
*
* @todo Fix signature.
* @param TEntity $entity
* @param stdClass $data
* @return void
@@ -431,6 +435,19 @@ class Service implements Crud,
return $this->linkCheck;
}
/**
* Sanitize input data.
*
* @param stdClass $data Input data.
* @since 8.1.0
*/
public function sanitizeInput(stdClass $data): void
{
$manager = $this->injectableFactory->create(SanitizeManager::class);
$manager->process($this->entityType, $data);
}
/**
* @param string $attribute
* @param mixed $value
@@ -705,6 +722,7 @@ class Service implements Crud,
$entity = $this->getRepository()->getNew();
$this->filterCreateInput($data);
$this->sanitizeInput($data);
$entity->set($data);
@@ -758,6 +776,7 @@ class Service implements Crud,
}
$this->filterUpdateInput($data);
$this->sanitizeInput($data);
$entity = $this->getEntityBeforeUpdate ?
$this->getEntity($id) :

7
application/Espo/Core/Utils/FieldUtil.php
View File

@@ -37,12 +37,17 @@ class FieldUtil
public function __construct(private Metadata $metadata)
{}
public function getFieldType(string $entityType, string $field): ?string
{
return $this->metadata->get("entityDefs.$entityType.fields.$field.type");
}
/**
* @return string[]
*/
private function getAttributeListByType(string $entityType, string $name, string $type): array
{
$fieldType = $this->metadata->get('entityDefs.' . $entityType . '.fields.' . $name . '.type');
$fieldType = $this->getFieldType($entityType, $name);
if (!$fieldType) {
return [];

1
application/Espo/Resources/metadata/fields/phone.json
View File

@@ -77,5 +77,6 @@
"personalData": true,
"valueFactoryClassName": "Espo\\Core\\Field\\PhoneNumber\\PhoneNumberGroupFactory",
"attributeExtractorClassName": "Espo\\Core\\Field\\PhoneNumber\\PhoneNumberGroupAttributeExtractor",
"sanitizerClassName": "Espo\\Classes\\FieldSanitizers\\Phone",
"default": null
}

7
schema/metadata/entityDefs.json
View File

@@ -536,6 +536,13 @@
},
"description": "Validations to be bypassed for the field."
},
"sanitizerClassNameList": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of sanitizers. Should implement Espo\\Core\\FieldSanitize\\Sanitizer."
},
"inlineEditDisabled": {
"type": "boolean",
"default": "Disable inline edit."

4
schema/metadata/fields.json
View File

@@ -167,6 +167,10 @@
"converterClassName": {
"type": "string",
"description": "A metadata converter. Converts field metadata to ORM metadata. Should implement Espo\\Core\\Utils\\Database\\Orm\\FieldConverter."
},
"sanitizerClassName": {
"type": "string",
"description": "A sanitizer. Should implement Espo\\Core\\FieldSanitize\\Sanitizer."
}
}
}