From 085ac349b7f0a406b533ca559e8c8af967340ba6 Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Wed, 24 Jan 2018 11:56:18 +0100
Subject: [PATCH] FEAT #15 test where clause

---
 .../basket/controllers/BasketController.php   |  9 ++++++++
 .../controllers/PreparedClauseController.php  | 22 +++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/src/app/basket/controllers/BasketController.php b/src/app/basket/controllers/BasketController.php
index 45bf742815e..72aaa6b2e97 100644
--- a/src/app/basket/controllers/BasketController.php
+++ b/src/app/basket/controllers/BasketController.php
@@ -22,6 +22,7 @@ use Core\Models\ValidatorModel;
 use Respect\Validation\Validator;
 use Slim\Http\Request;
 use Slim\Http\Response;
+use SrcCore\controllers\PreparedClauseController;
 
 class BasketController
 {
@@ -69,6 +70,10 @@ class BasketController
             return $response->withStatus(400)->withJson(['errors' => 'Basket already exists']);
         }
 
+        if (!PreparedClauseController::isClauseValid(['clause' => $data['clause'], 'userId' => $GLOBALS['userId']])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Clause is not valid']);
+        }
+
         $data['isVisible'] = empty($data['isSearchBasket']) ? 'Y' : 'N';
         $data['isFolderBasket'] = empty($data['isFolderBasket']) ? 'N' : 'Y';
         $data['flagNotif'] = empty($data['flagNotif']) ? 'N' : 'Y';
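Review bot: The new guard reads `$data['clause']` directly, and whether that key is guaranteed present depends on the validation before this hunk (only the "Basket already exists" branch is visible); if it can be absent, the access emits an undefined-index notice and `null` reaches `ValidatorModel::notEmpty`, whose failure mode (exception vs. return) is not visible here, so the request may end as a 500 rather than the intended 400 'Clause is not valid'. Consider guarding explicitly before the call, e.g. `if (empty($data['clause']) || !is_string($data['clause'])) { return $response->withStatus(400)->withJson(['errors' => 'Clause is not valid']); }`, or confirm the earlier validator already requires a string `clause`. The same block is added verbatim in the second hunk of this file (the update path); a small private helper returning the 400 response would keep the two in sync. The enclosing methods start and end outside both hunks.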
@@ -98,6 +103,10 @@ class BasketController
             return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
         }
 
+        if (!PreparedClauseController::isClauseValid(['clause' => $data['clause'], 'userId' => $GLOBALS['userId']])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Clause is not valid']);
+        }
+
         $data['isVisible'] = empty($data['isSearchBasket']) ? 'Y' : 'N';
         $data['isFolderBasket'] = empty($data['isFolderBasket']) ? 'N' : 'Y';
         $data['flagNotif'] = empty($data['flagNotif']) ? 'N' : 'Y';
diff --git a/src/core/controllers/PreparedClauseController.php b/src/core/controllers/PreparedClauseController.php
index b5e1c0c0849..2c028d780ec 100644
--- a/src/core/controllers/PreparedClauseController.php
+++ b/src/core/controllers/PreparedClauseController.php
@@ -18,6 +18,7 @@ namespace SrcCore\controllers;
 use Core\Models\UserModel;
 use Core\Models\ValidatorModel;
 use Entities\Models\EntityModel;
+use Resource\models\ResModel;
 
 class PreparedClauseController
 {
@@ -207,4 +208,25 @@ class PreparedClauseController
         return $clause;
     }
 
+    public static function isClauseValid(array $aArgs)
+    {
+        ValidatorModel::notEmpty($aArgs, ['clause', 'userId']);
+        ValidatorModel::stringType($aArgs, ['clause', 'userId']);
+
+        $clause = PreparedClauseController::getPreparedClause(['clause' => $aArgs['clause'], 'userId' => $aArgs['userId']]);
+
+        $preg = preg_match('#\b(?:abort|alter|copy|create|delete|disgard|drop|execute|grant|insert|load|lock|move|reset|truncate|update)\b#i', $clause);
+        if ($preg === 1) {
+            return false;
+        }
+
+        try {
+            ResModel::getOnView(['select' => [1], 'where' => [$clause]]);
+        } catch (\Exception $e) {
+            return false;
+        }
+
+        return true;
+    }
+
 }
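Review bot: `isClauseValid` fails open on a PCRE error: `preg_match` returns `false` (not `0`) when the engine hits a backtrack/recursion limit or a malformed subject, and `$preg === 1` treats that as "no forbidden keyword", so the clause proceeds to the execution test; invert the check to fail closed, `if ($preg !== 0) { return false; }`, and optionally log `preg_last_error()`. The keyword list also contains `disgard`, which looks like a misspelling of PostgreSQL's `DISCARD` and therefore never matches. More broadly, a keyword denylist is a weak filter for user-supplied SQL; the real check here is the trial execution via `ResModel::getOnView(['select' => [1], 'where' => [$clause]])`, and since that runs the candidate clause itself, it is worth confirming (not visible in the hunk) that the connection used is read-only and has a statement timeout, otherwise an expensive but well-formed clause passes validation while tying up the database. The method also lacks a return type and docblock: `public static function isClauseValid(array $aArgs): bool` with a `@param array{clause:string,userId:string} $aArgs` line and a note that a clause is accepted only if it contains none of the listed keywords and executes without throwing.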
-- 
GitLab