mirror of
https://github.com/wavelog/wavelog.git
synced 2026-03-22 10:24:14 +00:00
430 lines
14 KiB
PHP
430 lines
14 KiB
PHP
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
|
|
|
|
class Search extends CI_Controller {
|
|
|
|
|
|
function __construct() {
|
|
parent::__construct();
|
|
|
|
$this->load->helper(array('form', 'url'));
|
|
$this->load->model('user_model');
|
|
if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('error', __("You're not allowed to do that!")); redirect('dashboard'); }
|
|
}
|
|
|
|
public function index() {
|
|
$data['page_title'] = __("Search");
|
|
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/main');
|
|
$this->load->view('interface_assets/footer');
|
|
}
|
|
|
|
// Filter is for advanced searching and filtering of the logbook
|
|
public function filter() {
|
|
$data['page_title'] = __("Search & Filter Logbook");
|
|
|
|
$this->load->library('form_validation');
|
|
|
|
$this->load->model('Search_filter');
|
|
|
|
$data['get_table_names'] = $this->Search_filter->get_table_columns();
|
|
$data['stored_queries'] = $this->Search_filter->get_stored_queries();
|
|
|
|
//print_r($this->Search_filter->get_table_columns());
|
|
|
|
if ($this->form_validation->run() == FALSE)
|
|
{
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/filter');
|
|
$this->load->view('interface_assets/footer');
|
|
} else {
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/filter');
|
|
$this->load->view('interface_assets/footer');
|
|
}
|
|
}
|
|
|
|
// Searches for incorrect CQ Zones
|
|
public function incorrect_cq_zones() {
|
|
$this->load->model('stations');
|
|
|
|
$data['station_profile'] = $this->stations->all_of_user();
|
|
$data['page_title'] = __("Incorrectly logged CQ zones");
|
|
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/cqzones');
|
|
$this->load->view('interface_assets/footer');
|
|
}
|
|
|
|
// Searches for incorrect ITU Zones
|
|
public function incorrect_itu_zones() {
|
|
$this->load->model('stations');
|
|
|
|
$data['station_profile'] = $this->stations->all_of_user();
|
|
$data['page_title'] = __("Incorrectly logged ITU zones");
|
|
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/ituzones');
|
|
$this->load->view('interface_assets/footer');
|
|
}
|
|
|
|
// Searches for unconfirmed Lotw QSOs where QSO partner has uploaded to LoTW after the QSO date
|
|
public function lotw_unconfirmed() {
|
|
$this->load->model('stations');
|
|
|
|
$data['station_profile'] = $this->stations->all_of_user();
|
|
$data['page_title'] = __("QSOs unconfirmed on LoTW, but the callsign has uploaded to LoTW after QSO date");
|
|
|
|
$this->load->view('interface_assets/header', $data);
|
|
$this->load->view('search/lotw_unconfirmed');
|
|
$this->load->view('interface_assets/footer');
|
|
}
|
|
|
|
function json_result() {
|
|
$result = $this->fetchQueryResult(($this->input->post('search', TRUE) ?? ''), FALSE);
|
|
echo json_encode($result->result_array());
|
|
}
|
|
|
|
function get_stored_queries() {
|
|
$this->load->model('Search_filter');
|
|
$data['result'] = $this->Search_filter->get_stored_queries();
|
|
$this->load->view('search/stored_queries', $data);
|
|
}
|
|
|
|
function search_result() {
|
|
$sstring = str_replace('Ø', "0", $this->input->post("search", TRUE) ?? '');
|
|
$data['results'] = $this->fetchQueryResult($sstring, FALSE);
|
|
$this->load->view('search/search_result_ajax', $data);
|
|
}
|
|
|
|
function export_to_adif() {
|
|
$sstring = str_replace('Ø', "0", $this->input->post("search", TRUE) ?? '');
|
|
$data['qsos'] = $this->fetchQueryResult($sstring, FALSE);
|
|
$this->load->view('adif/data/exportall', $data);
|
|
}
|
|
|
|
function export_stored_query_to_adif() {
|
|
$this->db->where('id', xss_clean($this->input->post('id')));
|
|
$sql = $this->db->get('queries')->result();
|
|
|
|
$query = $sql[0]->query;
|
|
|
|
// Security: Validate query only accesses allowed tables
|
|
if (!$this->_validate_query_tables($query)) {
|
|
show_error("Invalid query: unauthorized table access detected", 403);
|
|
return;
|
|
}
|
|
|
|
// Security: Block dangerous SQL keywords to prevent SQL injection
|
|
// Note: 'join' is NOT blocked because legitimate queries use JOINs
|
|
$blocked = ['insert', 'drop', 'alter', 'create', 'exec', 'script', 'into outfile', 'load_file'];
|
|
foreach ($blocked as $word) {
|
|
if (stristr($query, $word)) {
|
|
show_error("Invalid query: contains blocked keyword", 403);
|
|
return;
|
|
}
|
|
}
|
|
|
|
$data['qsos'] = $this->db->query($query);
|
|
$this->load->view('adif/data/exportall', $data);
|
|
}
|
|
|
|
function run_query() {
|
|
$this->db->where('id', xss_clean($this->input->post('id')));
|
|
$sql = $this->db->get('queries')->result();
|
|
$sql = $sql[0]->query;
|
|
|
|
// Security: Only allow SELECT queries
|
|
if (stristr($sql, 'select') && !stristr($sql, 'delete') && !stristr($sql, 'update')) {
|
|
// Security: Validate query only accesses allowed tables
|
|
if (!$this->_validate_query_tables($sql)) {
|
|
show_error("Invalid query: unauthorized table access detected", 403);
|
|
return;
|
|
}
|
|
|
|
// Security: Block dangerous SQL keywords to prevent SQL injection
|
|
// Note: 'join' is NOT blocked because legitimate queries use JOINs
|
|
$blocked = ['insert', 'drop', 'alter', 'create', 'exec', 'script', 'into outfile', 'load_file'];
|
|
foreach ($blocked as $word) {
|
|
if (stristr($sql, $word)) {
|
|
show_error("Invalid query: contains blocked keyword", 403);
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (!(strpos(strtolower($sql),'limit'))) {
|
|
$sql.=' limit 5000';
|
|
}
|
|
$data['results'] = $this->db->query($sql);
|
|
|
|
$this->load->view('search/search_result_ajax', $data);
|
|
}
|
|
}
|
|
|
|
function save_query() {
|
|
$search_param = $this->input->post('search', TRUE);
|
|
$description = $this->input->post('description', TRUE);
|
|
|
|
$query = $this->fetchQueryResult($search_param, TRUE);
|
|
|
|
$data = array(
|
|
'userid' => xss_clean($this->session->userdata('user_id')),
|
|
'query' => $query,
|
|
'description' => $description
|
|
);
|
|
|
|
$this->db->insert('queries', $data);
|
|
$last_id = $this->db->insert_id();
|
|
header('Content-Type: application/json');
|
|
echo json_encode(array('id' => $last_id, 'description' => $description));
|
|
}
|
|
|
|
function delete_query() {
|
|
$id = xss_clean($this->input->post('id'));
|
|
$this->load->model('search_filter');
|
|
$this->search_filter->delete_query($id);
|
|
}
|
|
|
|
function save_edited_query() {
|
|
$data = array(
|
|
'description' => xss_clean($this->input->post('description')),
|
|
);
|
|
|
|
$this->db->where('id', xss_clean($this->input->post('id')));
|
|
$this->db->where('userid', $this->session->userdata['user_id']);
|
|
$this->db->update('queries', $data);
|
|
}
|
|
|
|
function buildWhere(array $object, ?string $condition = null): void {
|
|
/*
|
|
* The $object is one of the following:
|
|
* - a group, with 'condition' and 'rules' keys
|
|
* - a condition, that is either 'AND' or 'OR' depending on the parent group setting
|
|
*/
|
|
$objectIsGroup = isset($object['condition']);
|
|
if ($objectIsGroup) {
|
|
if ($condition === null || $condition === 'AND') {
|
|
$this->db->group_start();
|
|
} else {
|
|
$this->db->or_group_start();
|
|
}
|
|
foreach ($object['rules'] as $rule) {
|
|
/*
|
|
* Now iterate over the children, that are either groups or conditions
|
|
*/
|
|
$this->buildWhere($rule, $object['condition']);
|
|
}
|
|
$this->db->group_end();
|
|
} else {
|
|
$object['field'] = $this->config->item('table_name') . '.' . $object['field'];
|
|
|
|
if ($object['operator'] == "equal") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'], $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'], $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "not_equal") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' !=', $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' !=', $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "begins_with") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' like ', $object['value'] . "%");
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' like ', $object['value'] . "%");
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "contains") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' like ', "%" . $object['value'] . "%");
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' like ', "%" . $object['value'] . "%");
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "ends_with") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' like ', "%" . $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' like ', "%" . $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "is_empty") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'], '');
|
|
} else {
|
|
$this->db->or_where($object['field'], '');
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "is_not_empty") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' !=', '');
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' !=', '');
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "is_null") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' IS NULL');
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' IS NULL');
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "is_not_null") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' IS NOT NULL');
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' IS NOT NULL');
|
|
}
|
|
}
|
|
|
|
|
|
if ($object['operator'] == "less") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' <', $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' <', $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "less_or_equal") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' <=', $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' <=', $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "greater") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' >', $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' >', $object['value']);
|
|
}
|
|
}
|
|
|
|
if ($object['operator'] == "greater_or_equal") {
|
|
if ($condition == "AND") {
|
|
$this->db->where($object['field'] . ' >=', $object['value']);
|
|
} else {
|
|
$this->db->or_where($object['field'] . ' >=', $object['value']);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
function fetchQueryResult($json, $returnquery) {
|
|
$search_items = json_decode($json, true);
|
|
|
|
$this->db->select($this->config->item('table_name').'.*, station_profile.station_profile_name, station_profile.station_gridsquare, station_profile.station_city, station_profile.station_iota, station_profile.station_callsign, station_profile.station_sota, station_profile.station_wwff, station_profile.station_dxcc, station_profile.station_pota, station_profile.station_cq, station_profile.station_itu, station_profile.station_sig, station_profile.station_sig_info, station_profile.station_cnty, station_profile.county, station_profile.state, dxcc_entities.name as station_country');
|
|
|
|
$this->db->group_start();
|
|
$this->buildWhere($search_items);
|
|
$this->db->group_end();
|
|
|
|
$this->db->order_by('COL_TIME_ON', 'DESC');
|
|
$this->db->join('station_profile', 'station_profile.station_id = '.$this->config->item('table_name').'.station_id');
|
|
$this->db->join('dxcc_entities', 'station_profile.station_dxcc = dxcc_entities.adif', 'left');
|
|
$this->db->where('station_profile.user_id', $this->session->userdata('user_id'));
|
|
$this->db->limit(5000);
|
|
|
|
if ($returnquery) {
|
|
$query = $this->db->get_compiled_select($this->config->item('table_name'));
|
|
} else {
|
|
$query = $this->db->get($this->config->item('table_name'));
|
|
}
|
|
return $query;
|
|
}
|
|
|
|
/**
|
|
* Validates that query only accesses allowed tables
|
|
* Prevents SQL injection via UNION-based attacks on other tables
|
|
*
|
|
* @param string $sql The SQL query to validate
|
|
* @return bool TRUE if query only uses allowed tables, FALSE otherwise
|
|
*/
|
|
private function _validate_query_tables($sql) {
|
|
// Whitelist of allowed tables - users can only query these
|
|
$allowed_tables = [
|
|
$this->config->item('table_name'), // Main logbook table (e.g., TABLE_HRD_CONTACTS_V01)
|
|
'station_profile',
|
|
'dxcc_entities',
|
|
'lotw_users',
|
|
'queries'
|
|
];
|
|
|
|
// Convert to lowercase for case-insensitive comparison
|
|
$allowed_tables_lower = array_map('strtolower', $allowed_tables);
|
|
$main_table_lower = strtolower($this->config->item('table_name'));
|
|
|
|
// Normalize the SQL: remove newlines and extra spaces for easier parsing
|
|
$normalized_sql = preg_replace('/\s+/', ' ', trim($sql));
|
|
|
|
// Pattern 1: Check for UNION/INTO OUTFILE/LOAD FILE - these are always blocked
|
|
if (preg_match('/\bunion\b.*?\bselect.*?\bfrom\s+(\w+)/i', $normalized_sql, $matches)) {
|
|
$union_table = strtolower($matches[1]);
|
|
if (!in_array($union_table, $allowed_tables_lower)) {
|
|
log_message('error', "Search query blocked: UNION with unauthorized table - '$union_table'");
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
// Pattern 2: Extract all table names after FROM and JOIN keywords
|
|
// This handles: FROM `table`, JOIN `table`, FROM table, JOIN table
|
|
preg_match_all('/\b(?:FROM|JOIN)\s+`?(\w+)`?/i', $normalized_sql, $from_join_matches);
|
|
$found_tables = $from_join_matches[1];
|
|
|
|
// Pattern 3: Extract table.column references that are NOT in the whitelist
|
|
// This catches things like "users.password" or "admin.secret"
|
|
preg_match_all('/(\w+)\.\w+/i', $normalized_sql, $column_refs);
|
|
foreach ($column_refs[1] as $potential_table) {
|
|
$potential_table_lower = strtolower($potential_table);
|
|
// Only add if it's not a SQL keyword and not the main table
|
|
$sql_keywords = ['select', 'where', 'order', 'group', 'having', 'limit', 'offset',
|
|
'and', 'or', 'not', 'null', 'like', 'in', 'between', 'exists', 'case',
|
|
'when', 'then', 'else', 'end', 'as', 'on', 'desc', 'asc', 'left', 'right', 'inner', 'outer'];
|
|
if (!in_array($potential_table_lower, $sql_keywords) && $potential_table_lower !== $main_table_lower) {
|
|
$found_tables[] = $potential_table;
|
|
}
|
|
}
|
|
|
|
// Check all found tables are in whitelist
|
|
$found_tables = array_unique($found_tables);
|
|
foreach ($found_tables as $table) {
|
|
if (empty($table)) {
|
|
continue;
|
|
}
|
|
|
|
$table_lower = strtolower($table);
|
|
|
|
// Skip common SQL keywords that might match
|
|
$sql_keywords = ['select', 'where', 'order', 'group', 'having', 'limit', 'offset',
|
|
'and', 'or', 'not', 'null', 'like', 'in', 'between', 'exists', 'case',
|
|
'when', 'then', 'else', 'end', 'as', 'on', 'desc', 'asc', 'left', 'right', 'inner', 'outer'];
|
|
if (in_array($table_lower, $sql_keywords)) {
|
|
continue;
|
|
}
|
|
|
|
if (!in_array($table_lower, $allowed_tables_lower)) {
|
|
log_message('error', "Search query blocked: unauthorized table access detected - '$table'");
|
|
log_message('error', "Full query: $sql");
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
}
|