FormDefinitionValidationService.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\Form\Domain\Configuration;
 
use ‪TYPO3\CMS\Core\SingletonInterface;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Form\Domain\Configuration\ArrayProcessing\ArrayProcessing;
use ‪TYPO3\CMS\Form\Domain\Configuration\ArrayProcessing\ArrayProcessor;
use ‪TYPO3\CMS\Form\Domain\Configuration\Exception\PropertyException;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\CreatableFormElementPropertiesValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\CreatablePropertyCollectionElementPropertiesValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\FormElementHmacDataValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\PropertyCollectionElementHmacDataValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\ValidationDto;
 
class ‪FormDefinitionValidationService implements ‪SingletonInterface
{
    public function ‪validateFormDefinitionProperties(
        array $currentFormElement,
        string $prototypeName,
        string $sessionToken
    ): void {
        $renderables = $currentFormElement['renderables'] ?? [];
        $propertyCollectionElements = $currentFormElement['finishers'] ?? $currentFormElement['validators'] ?? [];
        $propertyCollectionName = $currentFormElement['type'] === 'Form' ? 'finishers' : 'validators';
        unset($currentFormElement['renderables'], $currentFormElement['finishers'], $currentFormElement['validators']);
 
        $validationDto = GeneralUtility::makeInstance(
            ValidationDto::class,
            $prototypeName,
            $currentFormElement['type'],
            $currentFormElement['identifier'],
            null,
            $propertyCollectionName
        );
 
        $configurationService = GeneralUtility::makeInstance(ConfigurationService::class);
        if ($configurationService->isFormElementTypeCreatableByFormEditor($validationDto)) {
            $this->‪validateAllPropertyValuesFromCreatableFormElement(
                $currentFormElement,
                $sessionToken,
                $validationDto
            );
 
            foreach ($propertyCollectionElements as $propertyCollectionElement) {
                $validationDto = $validationDto->withPropertyCollectionElementIdentifier(
                    $propertyCollectionElement['identifier']
                );
 
                if ($configurationService->isPropertyCollectionElementIdentifierCreatableByFormEditor($validationDto)) {
                    $this->‪validateAllPropertyValuesFromCreatablePropertyCollectionElement(
                        $propertyCollectionElement,
                        $sessionToken,
                        $validationDto
                    );
                } else {
                    $this->‪validateAllPropertyCollectionElementValuesByHmac(
                        $propertyCollectionElement,
                        $sessionToken,
                        $validationDto
                    );
                }
            }
        } else {
            $this->‪validateAllFormElementPropertyValuesByHmac($currentFormElement, $sessionToken, $validationDto);
 
            foreach ($propertyCollectionElements as $propertyCollectionElement) {
                $this->‪validateAllPropertyCollectionElementValuesByHmac(
                    $propertyCollectionElement,
                    $sessionToken,
                    $validationDto
                );
            }
        }
 
        foreach ($renderables as $renderable) {
            $this->‪validateFormDefinitionProperties($renderable, $prototypeName, $sessionToken);
        }
    }
 
    public function ‪isPropertyValueEqualToHistoricalValue(
        array $hmacContent,
        $propertyValue,
        array $hmacData,
        string $sessionToken
    ): bool {
        $this->‪checkHmacDataIntegrity($hmacData, $hmacContent, $sessionToken);
        $hmacContent[] = $propertyValue;
 
        $expectedHash = GeneralUtility::hmac(serialize($hmacContent), $sessionToken);
        return hash_equals($expectedHash, $hmacData['hmac']);
    }
 
    protected function ‪checkHmacDataIntegrity(array $hmacData, array $hmacContent, string $sessionToken)
    {
        $hmac = $hmacData['hmac'] ?? null;
        if (empty($hmac)) {
            throw new ‪PropertyException('Hmac must not be empty. #1528538222', 1528538222);
        }
 
        $hmacContent[] = $hmacData['value'] ?? '';
        $expectedHash = GeneralUtility::hmac(serialize($hmacContent), $sessionToken);
 
        if (!hash_equals($expectedHash, $hmac)) {
            throw new ‪PropertyException('Unauthorized modification of historical data. #1528538252', 1528538252);
        }
    }
 
    protected function ‪validateAllFormElementPropertyValuesByHmac(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*)$).*',
                GeneralUtility::makeInstance(
                    FormElementHmacDataValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyCollectionElementValuesByHmac(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*)$).*',
                GeneralUtility::makeInstance(
                    PropertyCollectionElementHmacDataValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyValuesFromCreatableFormElement(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*|type|identifier)$).*',
                GeneralUtility::makeInstance(
                    CreatableFormElementPropertiesValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyValuesFromCreatablePropertyCollectionElement(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*|identifier)$).*',
                GeneralUtility::makeInstance(
                    CreatablePropertyCollectionElementPropertiesValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
}