From 2da835b0171ccdd3efc196ef0428e1a8e123ebec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20=C5=81ojewski?=
Date: Wed, 26 Dec 2018 12:02:19 +0100
Subject: [PATCH] Crypto params validation

---
 lib/Controller/SettingsController.php | 61 ++++++++++++++++++++++++---
 lib/Properties.php | 37 ++++++++--------
 2 files changed, 75 insertions(+), 23 deletions(-)

diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
index 70de2f5..ef06b2d 100644
--- a/lib/Controller/SettingsController.php
+++ b/lib/Controller/SettingsController.php
@@ -198,6 +198,16 @@ class SettingsController extends Controller
 ];
 }
+ if (!$this->validateCryptoParams()) {
+ return [
+ "status" => "error", "data" => [
+ "message" => $this->localization->t(
+ "Hash algorithm parameter is out of range."
+ )
+ ]
+ ];
+ }
+
 foreach ($properties as $key => $value) {
 $reqValue = $this->request->getParam(str_replace(".", "-", $key));
 $appValue = $this->properties[$key];
@@ -213,6 +223,9 @@ class SettingsController extends Controller
 "Property '$key' has been set to: " . $value,
 ["app" => $this->appName]
 );
+ } elseif (!is_bool($appValue) && !isset($reqValue)) {
+ unset($this->properties[$key]);
+ }
 }
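Review bot: The new `elseif` branch at the end of the foreach unsets every non-boolean property that is absent from the request, and with the `offsetUnset()` change to `lib/Properties.php` in this same commit that deletion is written through to the app config, so a client that posts a partial form (or an older form that lacks a newly added key) silently wipes the omitted settings instead of leaving them untouched. If omission is meant to mean reset, say so at the branch, e.g. `// A non-boolean setting missing from the request is removed from the app config.`; otherwise restrict the branch to keys the form is known to carry. The `if` this `elseif` extends and the enclosing foreach begin before the hunk, so whether a property that is already null takes the first branch instead cannot be seen here.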
@@ -230,6 +243,48 @@ class SettingsController extends Controller
 ];
 }
+ /**
+ * Validate request crypto params.
+ *
+ * @return bool TRUE if crypto params are correct FALSE otherwise.
+ */
+ private function validateCryptoParams()
+ {
+ $cryptoClass = $this->request->getParam("opt-crypto_class");
+ $configuration = $this->cryptoClassConfiguration($cryptoClass);
+ for ($i = 0; $i < count($configuration); ++$i) {
+ $reqParam = $this->request->getParam(
+ "opt-crypto_param_" . $i, null
+ );
+ $cryptoParam = $configuration[$i];
+ if (is_null($reqParam) || $reqParam < $cryptoParam->min
+ || $reqParam > $cryptoParam->max
+ ) {
+ return false;
+ }
+ }
+ return true;
+ }
+ /**
+ * Get a crypto class configuration from request.
+ *
+ * @param $cryptoClass string Crypto class name.
+ *
+ * @return array A crypto class configuration.
+ */
+ private function cryptoClassConfiguration($cryptoClass)
+ {
+ /**
+ * @var $passwordAlgorithm IPasswordAlgorithm
+ */
+ $passwordAlgorithm = new $cryptoClass($this->localization);
+ return $passwordAlgorithm->configuration();
+ }
+
 /**
 * Clear the application cache memory.
 *
@@ -385,12 +440,8 @@ class SettingsController extends Controller
 "Entering cryptoParams()",
 ["app" => $this->appName]
 );
- /**
- * @var $passwordAlgorithm IPasswordAlgorithm
- */
 $cryptoClass = $this->request->getParam("cryptoClass");
- $passwordAlgorithm = new $cryptoClass($this->localization);
- $configuration = $passwordAlgorithm->configuration();
+ $configuration = $this->cryptoClassConfiguration($cryptoClass);
 if ($cryptoClass === $this->properties[Opt::CRYPTO_CLASS]) {
 foreach ($configuration as $key => $value) {
diff --git a/lib/Properties.php b/lib/Properties.php
index 6e20ef8..5affa85 100644
--- a/lib/Properties.php
+++ b/lib/Properties.php
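Review bot: `cryptoClassConfiguration()` instantiates whatever class name arrives in the `opt-crypto_class` request parameter (`new $cryptoClass($this->localization)`) without checking that it names an `IPasswordAlgorithm` implementation, and `validateCryptoParams()` reaches it before any other check, so a missing parameter or the name of an unrelated loadable class ends in an uncaught Error (or a foreign constructor running) instead of the `false` the caller in the earlier hunk expects; the `cryptoParams()` call site in the next hunk hands the `cryptoClass` parameter to the same helper. Verify the name before instantiating — at least `is_string`, `class_exists` and `is_subclass_of($cryptoClass, IPasswordAlgorithm::class)` (fully qualified if the interface is not imported in this file) — and return `false` from the validator when that fails. The range test compares a raw request string with `->min`/`->max` using loose comparison, so a non-numeric value is accepted or rejected by PHP's string-to-number rules (which differ between PHP 7 and 8) rather than by the range; `is_numeric($reqParam)` in place of `is_null($reqParam)` closes that. Indexing `$configuration[$i]` positionally assumes a 0-based list, while `cryptoParams()` walks the same array with `foreach ($configuration as $key => $value)`; iterating with `foreach` here too removes that assumption and the per-iteration `count()`.
```php
private function validateCryptoParams()
{
    $cryptoClass = $this->request->getParam("opt-crypto_class");
    // Only a known password-algorithm class may be instantiated from a request value.
    if (!is_string($cryptoClass) || !class_exists($cryptoClass)
        || !is_subclass_of($cryptoClass, IPasswordAlgorithm::class)
    ) {
        return false;
    }
    $configuration = $this->cryptoClassConfiguration($cryptoClass);

    foreach ($configuration as $i => $cryptoParam) {
        $reqParam = $this->request->getParam("opt-crypto_param_" . $i, null);
        // Reject non-numeric input before the loose range comparison.
        if (!is_numeric($reqParam) || $reqParam < $cryptoParam->min
            || $reqParam > $cryptoParam->max
        ) {
            return false;
        }
    }

    return true;
}
// … unchanged: cryptoClassConfiguration() …
```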
@@ -119,24 +119,6 @@ class Properties implements \ArrayAccess
 );
 }
- /**
- * Is given parameter a boolean parameter.
- *
- * @param $param string Parameter name.
- *
- * @return bool Is a boolean parameter.
- */
- private function isBooleanParam($param)
- {
- return in_array(
- $param, [
- Opt::APPEND_SALT, Opt::CASE_INSENSITIVE_USERNAME,
- Opt::NAME_CHANGE, Opt::PASSWORD_CHANGE, Opt::PREPEND_SALT,
- Opt::REVERSE_ACTIVE, Opt::USE_CACHE
- ]
- );
- }
-
 /**
 * Return an array with all supported parameters.
 *
@@ -162,6 +144,24 @@ class Properties implements \ArrayAccess
 return $params;
 }
+ /**
+ * Is given parameter a boolean parameter.
+ *
+ * @param $param string Parameter name.
+ *
+ * @return bool Is a boolean parameter.
+ */
+ private function isBooleanParam($param)
+ {
+ return in_array(
+ $param, [
+ Opt::APPEND_SALT, Opt::CASE_INSENSITIVE_USERNAME,
+ Opt::NAME_CHANGE, Opt::PASSWORD_CHANGE, Opt::PREPEND_SALT,
+ Opt::REVERSE_ACTIVE, Opt::USE_CACHE
+ ]
+ );
+ }
+
 /**
 * Store properties in the cache memory.
 */
@@ -229,6 +229,7 @@ class Properties implements \ArrayAccess
 */
 public function offsetUnset($offset)
 {
+ $this->config->deleteAppValue($this->appName, $offset);
 unset($this->data[$offset]);
 }
 }
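Review bot: `offsetUnset()` now deletes the persisted app value as well as the in-memory entry, but the docblock above it (opened outside the hunk) is unchanged and the hunk does nothing about the cached copy that the "Store properties in the cache memory." routine maintains; if that cache is read back independently of `$this->data`, the deleted key may reappear until the next refresh, which should be confirmed against that code. Add a line to the docblock such as `Removing an offset also deletes the stored app value, not only the in-memory entry.` so callers know `unset($properties[$key])` is persistent. The config deletion runs before the in-memory `unset`, so a failure in `deleteAppValue()` leaves `$this->data` untouched, which is probably the intended order but worth a word in the same docblock.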