From: Patrick Figel <pfigel@greenpeace.org>
Date: Tue, 18 Feb 2020 20:54:05 +0000 (+0100)
Subject: security/core#73 - Fix Contact.getquick API key exposure
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d2cad5f0ae0da394942a80fd874f4a712d1d6e9e;hp=c7d4e44e2b4fa253412aca3a9e14d3e53118a8af;p=civicrm-core.git

security/core#73 - Fix Contact.getquick API key exposure

This fixes an issue where API keys can be exposed via the field_name
parameter of the Contact.getquick API. Since there is no valid use-case
for requesting API keys via getquick, the fix simply triggers an API
error if the API key is requested.
---

diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index ba581e5794..bbbf007576 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -765,6 +765,10 @@ function civicrm_api3_contact_getquick($params) {
   // If we are doing quicksearch by a field other than name, make sure that field is added to results
   if (!empty($params['field_name'])) {
     $field_name = CRM_Utils_String::munge($params['field_name']);
+    // there is no good reason to request api_key via getquick
+    if ($field_name == 'api_key') {
+      throw new API_Exception('Illegal value "api_key" for parameter "field_name"');
+    }
     // Unique name contact_id = id
     if ($field_name == 'contact_id') {
       $field_name = 'id';
diff --git a/tests/phpunit/api/v3/ContactTest.php b/tests/phpunit/api/v3/ContactTest.php
index 90f0e22e82..55bf505535 100644
--- a/tests/phpunit/api/v3/ContactTest.php
+++ b/tests/phpunit/api/v3/ContactTest.php
@@ -3479,6 +3479,23 @@ class api_v3_ContactTest extends CiviUnitTestCase {
     $this->assertEquals('C Bobby, Bobby :: Whanganui', $result['values'][1]['data']);
   }
 
+  /**
+   * Test that getquick doesn't work with field_name=api_key
+   *
+   * @throws \CRM_Core_Exception
+   */
+  public function testGetQuickApiKey() {
+    $this->callAPISuccess('Contact', 'create', [
+      'contact_type' => 'Individual',
+      'email' => 'apiuser@example.com',
+      'api_key' => 'hunter2',
+    ]);
+    $result = $this->callAPIFailure('Contact', 'getquick', [
+      'name' => '%',
+      'field_name' => 'api_key',
+    ], 'Illegal value "api_key" for parameter "field_name"');
+  }
+
   /**
    * Set up some sample data for testing quicksearch.
    */