Home Explore Help
Sign In
idleman
/
kiss
2
1
Fork 0
Files Issues 1 Pull Requests 0 Wiki
Branch: feature/refactor-customiser
Branches Tags
kiss
/
plugin
/
statistic
/
element
/
Treatment.class.php

Treatment.class.php 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. <?php
    2. 

  2. require_once(__DIR__.SLASH.'..'.SLASH.'WidgetElement.class.php');
    3. 

  3. class Treatment extends WidgetElement{
    4. 

  4. 	public $source;
    5. 

  5. 	public $TABLE_NAME = 'statistic_treatment';
    6. 

  6. 	public $javascript = 'function(){stats_element_init("treatment");}';
    7. 

  7. 	public $icon = 'fas fa-code';
    8. 

  8. 	public $typeLabel = 'Code';
    9. 

  9. 

  10. 	function __construct(){
    11. 

  11. 		parent::__construct();
    12. 

  12. 		$this->fields['source'] = 'longstring';
    13. 

  13. 		$this->fieldMapping = $this->field_mapping($this->fields);
    14. 

  14. 	}
    15. 

  15. 

  16. 	
    17. 

  17. 

  18. 	function editor(){
    19. 

  19. 		if($this->source == '') $this->source = '//tableau des données du précédent élement'.PHP_EOL.'return $data; ';
    20. 

  20. 		$html = '<label>
    21. 

  21. 					<i class="fas fa-code"></i> Code
    22. 

  22. 				</label> - <small>Données disponibles dans <strong>$data</strong>, filtres dans <strong>$filters</strong></small>
    23. 

  23. 				<div class="prev-custom-treatment float-right btn btn-small mb-2 ml-2" onclick="stats_element_preview(this,function(){$(\'#output-tab\').click()});"><i class="fas fa-play-circle"></i> Exécuter</div>
    24. 

  24. 				<div id="server-status" class="d-inline-block float-right"></div>
    25. 

  25. 				<div class="clear"></div>
    26. 

  26. 				<textarea id="source">'.$this->source.'</textarea>';
    27. 

  27. 		return $html;
    28. 

  28. 	}
    29. 

  29. 

  30. 

  31. 	function preview($data = array(),$filters = array()){
    32. 

  32. 		$response = array('data'=>array());
    33. 

  33. 

  34. 		ob_start();
    35. 

  35. 		$source = html_entity_decode($this->source,ENT_QUOTES);
    36. 

  36. 		$forbidden = self::forbidden($source);
    37. 

  37. 		if(count($forbidden)!=0) throw new Exception("Mot clés interdits: ".implode(',',$forbidden));
    38. 

  38. 		
    39. 

  39. 			eval('$method = function($data,$filters){'.$source.'};');
    40. 

  40. 	    	
    41. 

  41. 	    $output = ob_get_clean();
    42. 

  42. 	    if($output!='') throw new Exception(strip_tags($output));
    43. 

  43. 	    
    44. 

  44. 		$response['data'] = $method($data,$filters);
    45. 

  45. 		
    46. 

  46. 		return $response;
    47. 

  47. 	}
    48. 

  48. 

  49. 	//Fonction de sécurisation du eval, evite toutes les fonctions non spécifiées ci dessous et toutes les intrcutions type include, class...
    50. 

  50. 

  51. 	public static function forbidden($source){
    52. 

  52. 		
    53. 

  53. 		$ignore_terms = array();
    54. 

  54. 		////Ajoute des fonctions autorisées dans les traitements statistiques ex : 	$ignore_terms[] = 'Plugin::need'; $ignore_terms[] = 'Business::amount';
    55. 

  55. 		Plugin::callHook('statistic_allowed_macro',array(&$ignore_terms));
    56. 

  56. 		$source = str_replace($ignore_terms,'',$source);
    57. 

  57. 		
    58. 

  58. 		$tokens = token_get_all('<?php '.$source.' ?>');
    59. 

  59. 		
    60. 

  60. 		$forbiddens = array();
    61. 

  61. 

  62. 		$allowed_functions_generic = array(
    63. 

  63. 		    'ucfirst',
    64. 

  64. 		    'strto.*',
    65. 

  65. 		    'str_.*',
    66. 

  66. 		    'date',
    67. 

  67. 		    'intval',
    68. 

  68. 		    'count',
    69. 

  69. 		    'time',
    70. 

  70. 		    'array_.*',
    71. 

  71. 		    'base64_*',
    72. 

  72. 		    '.sort',
    73. 

  73. 		    'asort',
    74. 

  74. 		    'sort',
    75. 

  75. 		    'addslashes',    
    76. 

  76. 		    'json_decode',
    77. 

  77. 		    'json_encode',
    78. 

  78. 		    'implode',
    79. 

  79. 		    'explode',
    80. 

  80. 		    'utf8_decode',
    81. 

  81. 		    'utf8_encode',
    82. 

  82. 		    'html_entity_decode',
    83. 

  83. 		    'htmlspecialchars',
    84. 

  84. 		    'strip_tags',
    85. 

  85. 		    'is_null',
    86. 

  86. 		    'is_int',
    87. 

  87. 		    'substr',
    88. 

  88. 		    'max',
    89. 

  89. 		    'true',
    90. 

  90. 		    'false',
    91. 

  91. 		    'null',
    92. 

  92. 		    'strlen',
    93. 

  93. 		    'round',
    94. 

  94. 		    'in_array',
    95. 

  95. 		    'is_numeric'
    96. 

  96. 		);
    97. 

  97. 

  98. 		$allowed_functions_specific = array(
    99. 

  99. 		    '__ROOT__',
    100. 

  100. 		    'PLUGIN_PATH',
    101. 

  101. 		    'SLASH',
    102. 

  102. 		    'html_decode_utf8',
    103. 

  103. 		    'Dictionary',
    104. 

  104. 		    'fullName',
    105. 

  105. 		    'loadAll',
    106. 

  106. 		    'getById',
    107. 

  107. 		    'bySlug',
    108. 

  108. 		    'slugToArray',
    109. 

  109. 		    'id',            
    110. 

  110. 		    'label',        
    111. 

  111. 		    'value',
    112. 

  112. 		    'color',
    113. 

  113. 		    'Partner',
    114. 

  114. 		    'Product',
    115. 

  115. 		    'number_format',
    116. 

  116. 		    'display_price',
    117. 

  117. 		    'ranking',
    118. 

  118. 		    'function'
    119. 

  119. 		);
    120. 

  120. 

  121. 		$allowed_functions = array_merge($allowed_functions_generic, $allowed_functions_specific);
    122. 

  122. 

  123. 		
    124. 

  124. 		foreach($tokens as $i=>$token){
    125. 

  125. 

  126. 			if(is_string($token))continue;   
    127. 

  127. 		  	list($id, $text,$line) = $token;
    128. 

  128. 		 
    129. 

  129. 		  	if(in_array($id, array(T_FUNCTION,T_FUNC_C,T_EVAL,T_STRING))){
    130. 

  130. 		  		$allowed = false;
    131. 

  131. 		  		foreach ($allowed_functions as $function) {
    132. 

  132. 		  			preg_match('/'.$function.'/i', $text, $matches);
    133. 

  133. 		  			if(count($matches)!=0){
    134. 

  134. 		  				$allowed = true;
    135. 

  135. 		  				break;
    136. 

  136. 		  			}
    137. 

  137. 		  		}
    138. 

  138. 		  		if(!$allowed) $forbiddens[] = $text.' L'.$line.token_name($id);
    139. 

  139. 		    }
    140. 

  140. 

  141. 		    if(in_array($id, array(
    142. 

  142. 			    	T_INCLUDE,
    143. 

  143. 			    	T_EXTENDS,
    144. 

  144. 			    	T_CLONE,
    145. 

  145. 			    	T_EXIT,
    146. 

  146. 			    	T_GLOBAL,
    147. 

  147. 			    	T_HALT_COMPILER,
    148. 

  148. 			    	T_IMPLEMENTS,
    149. 

  149. 			    	T_INCLUDE_ONCE,
    150. 

  150. 			    	T_REQUIRE,
    151. 

  151. 			    	//T_REQUIRE_ONCE,
    152. 

  152. 			    	T_IMPLEMENTS
    153. 

  153. 			    )
    154. 

  154. 			)){
    155. 

  155.    				$forbiddens[] = $text.' L'.$line;
    156. 

  156. 		    }
    157. 

  157. 		}
    158. 

  158. 		return $forbiddens;
    159. 

  159. 	}
    160. 

  160. }
    161. 

  161. 

  162. ?>
    163.