Merge pull request from GHSA-mrqx-mjc4-vfh3

AnnotationController: fix improper authorization vulnerability

src/Wallabag/AnnotationBundle/Controller/WallabagAnnotationController.php

@@ -3,9 +3,9 @@
 namespace Wallabag\AnnotationBundle\Controller;
 
 use FOS\RestBundle\Controller\FOSRestController;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Wallabag\AnnotationBundle\Entity\Annotation;
 use Wallabag\AnnotationBundle\Form\EditAnnotationType;
 use Wallabag\AnnotationBundle\Form\NewAnnotationType;
@@ -25,7 +25,7 @@ class WallabagAnnotationController extends FOSRestController
         $annotationRows = $this
             ->getDoctrine()
             ->getRepository('WallabagAnnotationBundle:Annotation')
-            ->findAnnotationsByPageId($entry->getId(), $this->getUser()->getId());
+            ->findByEntryIdAndUserId($entry->getId(), $this->getUser()->getId());
         $total = \count($annotationRows);
         $annotations = ['total' => $total, 'rows' => $annotationRows];
 
@@ -72,31 +72,35 @@ class WallabagAnnotationController extends FOSRestController
      *
      * @see Wallabag\ApiBundle\Controller\WallabagRestController
      *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
      * @return JsonResponse
      */
-    public function putAnnotationAction(Annotation $annotation, Request $request)
+    public function putAnnotationAction(Request $request, int $annotation)
     {
-        $data = json_decode($request->getContent(), true);
+        try {
+            $annotation = $this->validateAnnotation($annotation, $this->getUser()->getId());
 
-        $form = $this->get('form.factory')->createNamed('', EditAnnotationType::class, $annotation, [
-            'csrf_protection' => false,
-            'allow_extra_fields' => true,
-        ]);
-        $form->submit($data);
+            $data = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
 
-        if ($form->isValid()) {
-            $em = $this->getDoctrine()->getManager();
-            $em->persist($annotation);
-            $em->flush();
+            $form = $this->get('form.factory')->createNamed('', EditAnnotationType::class, $annotation, [
+                'csrf_protection' => false,
+                'allow_extra_fields' => true,
+            ]);
+            $form->submit($data);
 
-            $json = $this->get('jms_serializer')->serialize($annotation, 'json');
+            if ($form->isValid()) {
+                $em = $this->getDoctrine()->getManager();
+                $em->persist($annotation);
+                $em->flush();
 
-            return JsonResponse::fromJsonString($json);
+                $json = $this->get('jms_serializer')->serialize($annotation, 'json');
+
+                return JsonResponse::fromJsonString($json);
+            }
+
+            return $form;
+        } catch (\InvalidArgumentException $e) {
+            throw new NotFoundHttpException($e);
         }
-
-        return $form;
     }
 
     /**
@@ -104,18 +108,35 @@ class WallabagAnnotationController extends FOSRestController
      *
      * @see Wallabag\ApiBundle\Controller\WallabagRestController
      *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
      * @return JsonResponse
      */
-    public function deleteAnnotationAction(Annotation $annotation)
+    public function deleteAnnotationAction(int $annotation)
+    {
+        try {
+            $annotation = $this->validateAnnotation($annotation, $this->getUser()->getId());
+
+            $em = $this->getDoctrine()->getManager();
+            $em->remove($annotation);
+            $em->flush();
+
+            $json = $this->get('jms_serializer')->serialize($annotation, 'json');
+
+            return (new JsonResponse())->setJson($json);
+        } catch (\InvalidArgumentException $e) {
+            throw new NotFoundHttpException($e);
+        }
+    }
+
+    private function validateAnnotation(int $annotationId, int $userId)
     {
         $em = $this->getDoctrine()->getManager();
-        $em->remove($annotation);
-        $em->flush();
 
-        $json = $this->get('jms_serializer')->serialize($annotation, 'json');
+        $annotation = $em->getRepository('WallabagAnnotationBundle:Annotation')->findOneByIdAndUserId($annotationId, $userId);
 
-        return (new JsonResponse())->setJson($json);
+        if (null === $annotation) {
+            throw new NotFoundHttpException();
+        }
+
+        return $annotation;
     }
 }

src/Wallabag/AnnotationBundle/DataFixtures/AnnotationFixtures.php

@@ -34,6 +34,15 @@ class AnnotationFixtures extends Fixture implements DependentFixtureInterface
 
         $this->addReference('annotation2', $annotation2);
 
+        $annotation3 = new Annotation($this->getReference('bob-user'));
+        $annotation3->setEntry($this->getReference('entry3'));
+        $annotation3->setText('This is my first annotation !');
+        $annotation3->setQuote('content');
+
+        $manager->persist($annotation3);
+
+        $this->addReference('annotation3', $annotation3);
+
         $manager->flush();
     }
 

src/Wallabag/AnnotationBundle/Repository/AnnotationRepository.php

@@ -41,6 +41,24 @@ class AnnotationRepository extends EntityRepository
         ;
     }
 
+    /**
+     * Find annotation by id and user.
+     *
+     * @param int $annotationId
+     * @param int $userId
+     *
+     * @return Annotation
+     */
+    public function findOneByIdAndUserId($annotationId, $userId)
+    {
+        return $this->createQueryBuilder('a')
+                    ->where('a.id = :annotationId')->setParameter('annotationId', $annotationId)
+                    ->andWhere('a.user = :userId')->setParameter('userId', $userId)
+                    ->setMaxResults(1)
+                    ->getQuery()
+                    ->getOneOrNullResult();
+    }
+
     /**
      * Find annotations for entry id.
      *
@@ -49,7 +67,7 @@ class AnnotationRepository extends EntityRepository
      *
      * @return array
      */
-    public function findAnnotationsByPageId($entryId, $userId)
+    public function findByEntryIdAndUserId($entryId, $userId)
     {
         return $this->createQueryBuilder('a')
             ->where('a.entry = :entryId')->setParameter('entryId', $entryId)
@@ -66,7 +84,7 @@ class AnnotationRepository extends EntityRepository
      *
      * @return array
      */
-    public function findLastAnnotationByPageId($entryId, $userId)
+    public function findLastAnnotationByUserId($entryId, $userId)
     {
         return $this->createQueryBuilder('a')
             ->where('a.entry = :entryId')->setParameter('entryId', $entryId)

src/Wallabag/ApiBundle/Controller/AnnotationRestController.php

@@ -3,7 +3,6 @@
 namespace Wallabag\ApiBundle\Controller;
 
 use Nelmio\ApiDocBundle\Annotation\ApiDoc;
-use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Wallabag\AnnotationBundle\Entity\Annotation;
@@ -63,11 +62,9 @@ class AnnotationRestController extends WallabagRestController
      *      }
      * )
      *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
      * @return JsonResponse
      */
-    public function putAnnotationAction(Annotation $annotation, Request $request)
+    public function putAnnotationAction(int $annotation, Request $request)
     {
         $this->validateAuthentication();
 
@@ -86,11 +83,9 @@ class AnnotationRestController extends WallabagRestController
      *      }
      * )
      *
-     * @ParamConverter("annotation", class="WallabagAnnotationBundle:Annotation")
-     *
      * @return JsonResponse
      */
-    public function deleteAnnotationAction(Annotation $annotation)
+    public function deleteAnnotationAction(int $annotation)
     {
         $this->validateAuthentication();