From d2cad5f0ae0da394942a80fd874f4a712d1d6e9e Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Tue, 18 Feb 2020 21:54:05 +0100
Subject: [PATCH] security/core#73 - Fix Contact.getquick API key exposure

This fixes an issue where API keys can be exposed via the field_name parameter of the Contact.getquick API. Since there is no valid use-case for requesting API keys via getquick, the fix simply triggers an API error if the API key is requested.
---
 api/v3/Contact.php | 4 ++++
 tests/phpunit/api/v3/ContactTest.php | 17 +++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index ba581e5794..bbbf007576 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -765,6 +765,10 @@ function civicrm_api3_contact_getquick($params) {
 // If we are doing quicksearch by a field other than name, make sure that field is added to results
 if (!empty($params['field_name'])) {
 $field_name = CRM_Utils_String::munge($params['field_name']);
+ // there is no good reason to request api_key via getquick
+ if ($field_name == 'api_key') {
+ throw new API_Exception('Illegal value "api_key" for parameter "field_name"');
+ }
 // Unique name contact_id = id
 if ($field_name == 'contact_id') {
 $field_name = 'id';
diff --git a/tests/phpunit/api/v3/ContactTest.php b/tests/phpunit/api/v3/ContactTest.php
index 90f0e22e82..55bf505535 100644
--- a/tests/phpunit/api/v3/ContactTest.php
+++ b/tests/phpunit/api/v3/ContactTest.php
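Review bot: The new guard rejects only the exact lowercase spelling `'api_key'`, so whether it fully closes the exposure depends on `CRM_Utils_String::munge()` normalising case, which this hunk does not show; MySQL matches column names case-insensitively, so if munge preserves the caller's case a differently-cased spelling would pass the check yet still select the same column. A case-insensitive strict comparison is the safer form here: `if (strtolower($field_name) === 'api_key') {`. Longer term, an allow-list of the fields getquick is meant to search would be more robust than denying a single name, since any other sensitive column reachable through `field_name` would presumably remain selectable. The body of civicrm_api3_contact_getquick continues outside the hunk.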
@@ -3479,6 +3479,23 @@ class api_v3_ContactTest extends CiviUnitTestCase {
 $this->assertEquals('C Bobby, Bobby :: Whanganui', $result['values'][1]['data']);
 }
 
+ /**
+ * Test that getquick doesn't work with field_name=api_key
+ *
+ * @throws \CRM_Core_Exception
+ */
+ public function testGetQuickApiKey() {
+ $this->callAPISuccess('Contact', 'create', [
+ 'contact_type' => 'Individual',
+ 'email' => 'apiuser@example.com',
+ 'api_key' => 'hunter2',
+ ]);
+ $result = $this->callAPIFailure('Contact', 'getquick', [
+ 'name' => '%',
+ 'field_name' => 'api_key',
+ ], 'Illegal value "api_key" for parameter "field_name"');
+ }
+
 /**
 * Set up some sample data for testing quicksearch.
 */
-- 
2.25.1
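Review bot: `$result` in testGetQuickApiKey is assigned from callAPIFailure() but never read afterwards, which static analysis will report as an unused local; drop the assignment and call it directly: `$this->callAPIFailure('Contact', 'getquick', [`. The test also pins only the exact lowercase `api_key` spelling; a second case with a differently-cased value would document whether the guard in api/v3/Contact.php is expected to be case-insensitive. The enclosing class api_v3_ContactTest starts and ends outside the hunk.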