FormDefinitionValidationService.php

Go to the documentation of this file.

<?php
declare(strict_types = 1);
namespace ‪TYPO3\CMS\Form\Domain\Configuration;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use ‪TYPO3\CMS\Core\SingletonInterface;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Extbase\Object\ObjectManager;
use ‪TYPO3\CMS\Form\Domain\Configuration\ArrayProcessing\ArrayProcessing;
use ‪TYPO3\CMS\Form\Domain\Configuration\ArrayProcessing\ArrayProcessor;
use ‪TYPO3\CMS\Form\Domain\Configuration\Exception\PropertyException;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\CreatableFormElementPropertiesValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\CreatablePropertyCollectionElementPropertiesValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\FormElementHmacDataValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\PropertyCollectionElementHmacDataValidator;
use ‪TYPO3\CMS\Form\Domain\Configuration\FormDefinition\Validators\ValidationDto;
 
class ‪FormDefinitionValidationService implements ‪SingletonInterface
{
 
    protected ‪$configurationService;
 
    public function ‪validateFormDefinitionProperties(
        array $currentFormElement,
        string $prototypeName,
        string $sessionToken
    ): void {
        $renderables = $currentFormElement['renderables'] ?? [];
        $propertyCollectionElements = $currentFormElement['finishers'] ?? $currentFormElement['validators'] ?? [];
        $propertyCollectionName = $currentFormElement['type'] === 'Form' ? 'finishers' : 'validators';
        unset($currentFormElement['renderables'], $currentFormElement['finishers'], $currentFormElement['validators']);
 
        $validationDto = GeneralUtility::makeInstance(
            ValidationDto::class,
            $prototypeName,
            $currentFormElement['type'],
            $currentFormElement['identifier'],
            null,
            $propertyCollectionName
        );
 
        if ($this->‪getConfigurationService()->isFormElementTypeCreatableByFormEditor($validationDto)) {
            $this->‪validateAllPropertyValuesFromCreatableFormElement(
                $currentFormElement,
                $sessionToken,
                $validationDto
            );
 
            foreach ($propertyCollectionElements as $propertyCollectionElement) {
                $validationDto = $validationDto->withPropertyCollectionElementIdentifier(
                    $propertyCollectionElement['identifier']
                );
 
                if ($this->‪getConfigurationService()->isPropertyCollectionElementIdentifierCreatableByFormEditor($validationDto)) {
                    $this->‪validateAllPropertyValuesFromCreatablePropertyCollectionElement(
                        $propertyCollectionElement,
                        $sessionToken,
                        $validationDto
                    );
                } else {
                    $this->‪validateAllPropertyCollectionElementValuesByHmac(
                        $propertyCollectionElement,
                        $sessionToken,
                        $validationDto
                    );
                }
            }
        } else {
            $this->‪validateAllFormElementPropertyValuesByHmac($currentFormElement, $sessionToken, $validationDto);
 
            foreach ($propertyCollectionElements as $propertyCollectionElement) {
                $this->‪validateAllPropertyCollectionElementValuesByHmac(
                    $propertyCollectionElement,
                    $sessionToken,
                    $validationDto
                );
            }
        }
 
        foreach ($renderables as $renderable) {
            $this->‪validateFormDefinitionProperties($renderable, $prototypeName, $sessionToken);
        }
    }
 
    public function ‪isPropertyValueEqualToHistoricalValue(
        array $hmacContent,
        $propertyValue,
        array $hmacData,
        string $sessionToken
    ): bool {
        $this->‪checkHmacDataIntegrity($hmacData, $hmacContent, $sessionToken);
        $hmacContent[] = $propertyValue;
 
        $expectedHash = GeneralUtility::hmac(serialize($hmacContent), $sessionToken);
        return hash_equals($expectedHash, $hmacData['hmac']);
    }
 
    protected function ‪checkHmacDataIntegrity(array $hmacData, array $hmacContent, string $sessionToken)
    {
        $hmac = $hmacData['hmac'] ?? null;
        if (empty($hmac)) {
            throw new ‪PropertyException('Hmac must not be empty. #1528538222', 1528538222);
        }
 
        $hmacContent[] = $hmacData['value'] ?? '';
        $expectedHash = GeneralUtility::hmac(serialize($hmacContent), $sessionToken);
 
        if (!hash_equals($expectedHash, $hmac)) {
            throw new ‪PropertyException('Unauthorized modification of historical data. #1528538252', 1528538252);
        }
    }
 
    protected function ‪validateAllFormElementPropertyValuesByHmac(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*)$).*',
                GeneralUtility::makeInstance(
                    FormElementHmacDataValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyCollectionElementValuesByHmac(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*)$).*',
                GeneralUtility::makeInstance(
                    PropertyCollectionElementHmacDataValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyValuesFromCreatableFormElement(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*|type|identifier)$).*',
                GeneralUtility::makeInstance(
                    CreatableFormElementPropertiesValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪validateAllPropertyValuesFromCreatablePropertyCollectionElement(
        array $currentElement,
        $sessionToken,
        ‪ValidationDto $validationDto
    ): void {
        GeneralUtility::makeInstance(ArrayProcessor::class, $currentElement)->forEach(
            GeneralUtility::makeInstance(
                ArrayProcessing::class,
                'validateProperties',
                '^(?!(_orig_.*|.*\._orig_.*|identifier)$).*',
                GeneralUtility::makeInstance(
                    CreatablePropertyCollectionElementPropertiesValidator::class,
                    $currentElement,
                    $sessionToken,
                    $validationDto
                )
            )
        );
    }
 
    protected function ‪getConfigurationService(): ‪ConfigurationService
    {
        if (!($this->configurationService instanceof ‪ConfigurationService)) {
            $this->configurationService = $this->‪getObjectManager()->‪get(ConfigurationService::class);
        }
        return ‪$this->configurationService;
    }
 
    protected function ‪getObjectManager(): ‪ObjectManager
    {
        return GeneralUtility::makeInstance(ObjectManager::class);
    }
}