Merge pull request #24 from queueit/Fix-for-QueueItToken-url-vulnerability

Improve exception handling when validating queueit token

Author: usazqueueit

KnownUser.php

@@ -10,6 +10,7 @@
 
 class KnownUser
 {
+    const QueueItTokenKey = "queueittoken";
     const QueueITAjaxHeaderKey = "x-queueit-ajaxpageurl";    
 
     //used for unittest

QueueITHelpers.php

@@ -6,7 +6,7 @@ class Utils
 {
     public static function isNullOrEmptyString($value)
     {
-        return (!isset($value) || trim($value) === '');
+        return (!isset($value) || !is_string($value) || trim($value) === '');
     }
 
     public static function boolToString($value)
@@ -17,6 +17,19 @@ public static function boolToString($value)
 
         return $value ? "true" : "false";
     }
+
+    public static function getParameterByName($url, $name)
+    {
+        $name = preg_quote($name, '/');
+        $pattern = '/[?&]' . $name . '(=([^&#]*)|&|#|$)/';
+        if (preg_match($pattern, $url, $matches)) {
+            if (!isset($matches[2])) return "";
+            $response = urldecode(str_replace('+', ' ', $matches[2]));
+            return $response;
+        }
+    
+        return null;
+    }
 }
 
 class QueueUrlParams
@@ -47,65 +60,72 @@ public static function extractQueueParams($queueitToken)
             return null;
         }
 
-        $result = new QueueUrlParams();
-        $result->queueITToken = $queueitToken;
-        $paramsNameValueList = explode(QueueUrlParams::KeyValueSeparatorGroupChar, $result->queueITToken);
-
-        foreach ($paramsNameValueList as $pNameValue) {
-            $paramNameValueArr = explode(QueueUrlParams::KeyValueSeparatorChar, $pNameValue);
-
-            if (count($paramNameValueArr) != 2) {
-                continue;
-            }
-
-            switch ($paramNameValueArr[0]) {
-                case QueueUrlParams::TimeStampKey: {
-                        if (is_numeric($paramNameValueArr[1])) {
-                            $result->timeStamp = intval($paramNameValueArr[1]);
-                        } else {
-                            $result->timeStamp = 0;
+        try{
+            
+            $result = new QueueUrlParams();
+            $result->queueITToken = $queueitToken;
+            $paramsNameValueList = explode(QueueUrlParams::KeyValueSeparatorGroupChar, $result->queueITToken);
+
+            foreach ($paramsNameValueList as $pNameValue) {
+                $paramNameValueArr = explode(QueueUrlParams::KeyValueSeparatorChar, $pNameValue);
+
+                if (count($paramNameValueArr) != 2) {
+                    continue;
+                }
+
+                switch ($paramNameValueArr[0]) {
+                    case QueueUrlParams::TimeStampKey: {
+                            if (is_numeric($paramNameValueArr[1])) {
+                                $result->timeStamp = intval($paramNameValueArr[1]);
+                            } else {
+                                $result->timeStamp = 0;
+                            }
+                            break;
+                        }
+                    case QueueUrlParams::CookieValidityMinutesKey: {
+                            if (is_numeric($paramNameValueArr[1])) {
+                                $result->cookieValidityMinutes = intval($paramNameValueArr[1]);
+                            }
+                            break;
                         }
-                        break;
-                    }
-                case QueueUrlParams::CookieValidityMinutesKey: {
-                        if (is_numeric($paramNameValueArr[1])) {
-                            $result->cookieValidityMinutes = intval($paramNameValueArr[1]);
+                    case QueueUrlParams::EventIdKey: {
+                            $result->eventId = $paramNameValueArr[1];
+                            break;
                         }
-                        break;
-                    }
-                case QueueUrlParams::EventIdKey: {
-                        $result->eventId = $paramNameValueArr[1];
-                        break;
-                    }
-                case QueueUrlParams::ExtendableCookieKey: {
-                        $result->extendableCookie = $paramNameValueArr[1] === 'True' || $paramNameValueArr[1] === 'true';
-                        break;
-                    }
-                case QueueUrlParams::HashKey: {
-                        $result->hashCode = $paramNameValueArr[1];
-                        break;
-                    }
-                case QueueUrlParams::QueueIdKey: {
-                        $result->queueId = $paramNameValueArr[1];
-                        break;
-                    }
-                case QueueUrlParams::RedirectTypeKey: {
-                        $result->redirectType = $paramNameValueArr[1];
-                        break;
-                    }
+                    case QueueUrlParams::ExtendableCookieKey: {
+                            $result->extendableCookie = $paramNameValueArr[1] === 'True' || $paramNameValueArr[1] === 'true';
+                            break;
+                        }
+                    case QueueUrlParams::HashKey: {
+                            $result->hashCode = $paramNameValueArr[1];
+                            break;
+                        }
+                    case QueueUrlParams::QueueIdKey: {
+                            $result->queueId = $paramNameValueArr[1];
+                            break;
+                        }
+                    case QueueUrlParams::RedirectTypeKey: {
+                            $result->redirectType = $paramNameValueArr[1];
+                            break;
+                        }
+                }
             }
-        }
 
-        $result->queueITTokenWithoutHash = str_replace(
-            QueueUrlParams::KeyValueSeparatorGroupChar
-                . QueueUrlParams::HashKey
-                . QueueUrlParams::KeyValueSeparatorChar
-                . $result->hashCode,
-            "",
-            $result->queueITToken
-        );
+            $result->queueITTokenWithoutHash = str_replace(
+                QueueUrlParams::KeyValueSeparatorGroupChar
+                    . QueueUrlParams::HashKey
+                    . QueueUrlParams::KeyValueSeparatorChar
+                    . $result->hashCode,
+                "",
+                $result->queueITToken
+            );
 
-        return $result;
+            return $result;
+        }
+        catch (\Exception $e) 
+        {
+            return null;
+        }        
     }
 }
 

README.md

@@ -15,21 +15,21 @@ the following method is all that is needed to validate that a user has been thro
 ```php
 require_once( __DIR__ .'Models.php');
 require_once( __DIR__ .'KnownUser.php');
+require_once( __DIR__ .'Utils.php');
 
 $configText = file_get_contents('integrationconfig.json');
 $customerID = ""; //Your Queue-it customer ID
 $secretKey = ""; //Your 72 char secret key as specified in Go Queue-it self-service platform
 
-$queueittoken = isset( $_GET["queueittoken"] )? $_GET["queueittoken"] :'';
-
 try
 {
     $fullUrl = getFullRequestUri();
+    $queueittoken = Utils::getParameterByName($fullUrl, KnownUser::QueueItTokenKey);
     $currentUrlWithoutQueueitToken = preg_replace("/([\\?&])("."queueittoken"."=[^&]*)/i", "", $fullUrl);
 
     //Verify if the user has been through the queue
-    $result = QueueIT\KnownUserV3\SDK\KnownUser::validateRequestByIntegrationConfig(
-       $currentUrlWithoutQueueitToken, $queueittoken, $configText, $customerID, $secretKey);
+    $result = QueueIT\KnownUserV3\SDK\KnownUser::validateRequestByIntegrationConfig($currentUrlWithoutQueueitToken, 
+			$queueittoken, $configText, $customerID, $secretKey);
 
     if($result->doRedirect())
     {
@@ -98,6 +98,7 @@ The following is an example of how to specify the configuration in code:
 ```php
 require_once( __DIR__ .'Models.php');
 require_once( __DIR__ .'KnownUser.php');
+require_once( __DIR__ .'Utils.php');
 
 $customerID = ""; //Your Queue-it customer ID
 $secretKey = ""; //Your 72 char secret key as specified in Go Queue-it self-service platform
@@ -111,16 +112,15 @@ $eventConfig->extendCookieValidity = true; //Should the Queue-it session cookie
 //$eventConfig->culture = "da-DK"; //Optional - Culture of the queue layout in the format specified here: https://msdn.microsoft.com/en-us/library/ee825488(v=cs.20).aspx. If unspecified then settings from Event will be used.
 // $eventConfig->layoutName = "NameOfYourCustomLayout"; //Optional - Name of the queue layout. If unspecified then settings from Event will be used.
 
-$queueittoken = isset( $_GET["queueittoken"] )? $_GET["queueittoken"] :'';
-
 try
-{
+{    
     $fullUrl = getFullRequestUri();
+    $queueittoken = Utils::getParameterByName($fullUrl, KnownUser::QueueItTokenKey);
     $currentUrlWithoutQueueitToken = preg_replace("/([\\?&])("."queueittoken"."=[^&]*)/i", "", $fullUrl);
 
     //Verify if the user has been through the queue
-    $result = QueueIT\KnownUserV3\SDK\KnownUser::resolveQueueRequestByLocalConfig(
-       $currentUrlWithoutQueueitToken, $queueittoken, $eventConfig, $customerID, $secretKey);
+    $result = QueueIT\KnownUserV3\SDK\KnownUser::validateRequestByLocalEventConfig($currentUrlWithoutQueueitToken, 
+			$queueittoken, $eventConfig, $customerID, $secretKey);
 
     if($result->doRedirect())
     {

UserInQueueService.php

@@ -41,7 +41,7 @@ class UserInQueueService implements IUserInQueueService
 {
     public static function getSDKVersion()
     {
-        return "v3-php-" . "3.7.1";
+        return "v3-php-" . "3.7.2";
     }
 
     private $userInQueueStateRepository;
@@ -90,17 +90,18 @@ public function validateQueueRequest(
         $requestValidationResult = null;
         $isTokenValid = false;
 
-        if ($queueParams != null) {
+        if($queueParams == null){
+            $requestValidationResult = $this->getQueueResult($targetUrl, $config, $customerId);
+        }
+        else{
             $tokenValidationResult = $this->validateToken($config, $queueParams, $secretKey);
-            $isTokenValid = $tokenValidationResult->isValid;
-
-            if ($isTokenValid) {
+            if($tokenValidationResult == null){
+                $requestValidationResult = $this->getQueueResult($targetUrl, $config, $customerId);
+            } elseif ($tokenValidationResult->isValid) {
                 $requestValidationResult = $this->getValidTokenResult($config, $queueParams, $secretKey);
             } else {
                 $requestValidationResult = $this->getErrorResult($customerId, $targetUrl, $config, $queueParams, $tokenValidationResult->errorCode);
             }
-        } else {
-            $requestValidationResult = $this->getQueueResult($targetUrl, $config, $customerId);
         }
 
         if ($state->isFound && !$isTokenValid)
@@ -297,21 +298,25 @@ private function validateToken(
         QueueUrlParams $queueParams,
         $secretKey
     ) {
-        $calculatedHash = hash_hmac('sha256', $queueParams->queueITTokenWithoutHash, $secretKey);
+        try{
+            $calculatedHash = hash_hmac('sha256', $queueParams->queueITTokenWithoutHash, $secretKey);
 
-        if (strtoupper($calculatedHash) != strtoupper($queueParams->hashCode)) {
-            return new TokenValidationResult(false, "hash");
-        }
+            if (strtoupper($calculatedHash) != strtoupper($queueParams->hashCode)) {
+                return new TokenValidationResult(false, "hash");
+            }
 
-        if (strtoupper($queueParams->eventId) != strtoupper($config->eventId)) {
-            return new TokenValidationResult(false, "eventid");
-        }
+            if (strtoupper($queueParams->eventId) != strtoupper($config->eventId)) {
+                return new TokenValidationResult(false, "eventid");
+            }
 
-        if ($queueParams->timeStamp < time()) {
-            return new TokenValidationResult(false, "timestamp");
-        }
+            if ($queueParams->timeStamp < time()) {
+                return new TokenValidationResult(false, "timestamp");
+            }
 
-        return new TokenValidationResult(true, null);
+            return new TokenValidationResult(true, null);
+        }catch(\Exception $e) {
+            null;
+        }        
     }
 }