search

pluginsGLPI / datainjection

Plugin to import CSV files into GLPI
http://plugins.glpi-project.org/#/plugin/datainjection
GNU General Public License v2.0
53 stars 50 forks source link

User injection corrupt password #405

Open achillebnt opened 2 months ago

achillebnt commented 2 months ago

I create a simple model to import/update users, using username and phone as fields associated respectively to login and phone but when i do the import for some reason the password was changed to sha1 hash.

Doing a little debug i found this: writing a text password in database glpi_users.password for example pippo when i do the import that word will be converted to sha1 hash: d012f68144ed0f121d3cc330a17eec528c2e7d59

In the debug mode there is trace of sql query.

glpi_2024-07-09_16-42

stonebuzz commented 2 months ago

Hi @achillebnt

This is the desired and functional behaviour

GLPI is compatible with passwords in sha1 format

as soon as the user updates his password (which is recommended) GLPI will encrypt it with sodium

Best regards

achillebnt commented 2 months ago

It's not a desired and functional behaviour... initially i do it only to update phone number of users and after i had to restore the database because no one can access to the portal.

stonebuzz commented 2 months ago

Ok I had misunderstood the context of the injection

Can you past here your mapping ?

achillebnt commented 2 months ago

Here the mapping

image

I do my test and i think function processAfterInsertOrUpdate in inc/userinjection.class.php has to be reviewed because this part of code every time you save it take the value in database and rehash it.

I comment out that query commit and my problem was gone.

stonebuzz commented 2 months ago

Can you apply this patch, enable GLPI debug mode and reduo a CSV import ?

diff --git a/inc/userinjection.class.php b/inc/userinjection.class.php
index 9447426..af2bd72 100644
--- a/inc/userinjection.class.php
+++ b/inc/userinjection.class.php
@@ -174,6 +174,7 @@ class PluginDatainjectionUserInjection extends User implements PluginDatainjecti
             }
         }

+        toolbox::logDebug($values['User']);
         if (isset($values['User']['password']) && ($values['User']['password'] != '')) {
            //We use an SQL request because updating the password is unesasy
            //(self reset password process in $user->prepareInputForUpdate())

Then check php-errors.log file (/glpi/files/_log/php-errors.log)

you should see what this call gets

achillebnt commented 2 months ago

Here the return log:


[2024-07-11 13:33:00] glpiphplog.DEBUG: PluginDatainjectionUserInjection::processAfterInsertOrUpdate() in /var/www/html/glpi-test/marketplace/datainjection/inc/userinjection.class.php line 177
Array
  (
      [name] => user.test
      [mobile] => 12345678
      [entities_id] => 0
      [id] => 10
      [password] => 6f851c48ba4b5592aa5340aaea956e3d102eb7b4
      [password_last_update] => NULL
      [phone] => NULL
      [phone2] => NULL
      [realname] => NULL
      [firstname] => NULL
      [locations_id] => 0
      [language] => NULL
      [use_mode] => 0
      [list_limit] => NULL
      [is_active] => 1
      [comment] => NULL
      [auths_id] => 0
      [authtype] => 1
      [last_login] => NULL
      [date_mod] => 2024-07-11 11:18:06
      [date_sync] => NULL
      [is_deleted] => 0
      [profiles_id] => 0
      [usertitles_id] => 0
      [usercategories_id] => 0
      [date_format] => NULL
      [number_format] => NULL
      [names_format] => NULL
      [csv_delimiter] => NULL
      [is_ids_visible] => NULL
      [use_flat_dropdowntree] => NULL
      [show_jobs_at_login] => NULL
      [priority_1] => NULL
      [priority_2] => NULL
      [priority_3] => NULL
      [priority_4] => NULL
      [priority_5] => NULL
      [priority_6] => NULL
      [followup_private] => NULL
      [task_private] => NULL
      [default_requesttypes_id] => NULL
      [password_forget_token] => NULL
      [password_forget_token_date] => NULL
      [user_dn] => NULL
      [user_dn_hash] => NULL
      [registration_number] => NULL
      [show_count_on_tabs] => NULL
      [refresh_views] => NULL
      [set_default_tech] => NULL
      [personal_token] => NULL
      [personal_token_date] => NULL
      [api_token] => NULL
      [api_token_date] => NULL
      [cookie_token] => NULL
      [cookie_token_date] => NULL
      [display_count_on_home] => NULL
      [notification_to_myself] => NULL
      [duedateok_color] => NULL
      [duedatewarning_color] => NULL
      [duedatecritical_color] => NULL
      [duedatewarning_less] => NULL
      [duedatecritical_less] => NULL
      [duedatewarning_unit] => NULL
      [duedatecritical_unit] => NULL
      [display_options] => NULL
      [is_deleted_ldap] => 0
      [pdffont] => NULL
      [picture] => NULL
      [begin_date] => NULL
      [end_date] => NULL
      [keep_devices_when_purging_item] => NULL
      [privatebookmarkorder] => NULL
      [backcreated] => NULL
      [task_state] => NULL
      [palette] => NULL
      [page_layout] => NULL
      [fold_menu] => NULL
      [fold_search] => NULL
      [savedsearches_pinned] => NULL
      [timeline_order] => NULL
      [itil_layout] => NULL
      [richtext_layout] => NULL
      [set_default_requester] => NULL
      [lock_autolock_mode] => NULL
      [lock_directunlock_notification] => NULL
      [date_creation] => 2024-07-11 11:17:41
      [highcontrast_css] => NULL
      [plannings] => NULL
      [sync_field] => NULL
      [groups_id] => 0
      [users_id_supervisor] => 0
      [timezone] => NULL
      [default_dashboard_central] => NULL
      [default_dashboard_assets] => NULL
      [default_dashboard_helpdesk] => NULL
      [default_dashboard_mini_ticket] => NULL
      [default_central_tab] => NULL
      [nickname] => NULL
      [timeline_action_btn_layout] => NULL
      [timeline_date_format] => NULL
      [use_flat_dropdowntree_on_search_result] => NULL
  )
~~~