From ff7d9c255a40d38e2690efd9bd25c28e1af32840 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 25 Jul 2024 06:56:18 +0000
Subject: [PATCH] Bug 37464: Validate "type" sent to barcode/svc

This change validates the "type" sent to the barcode/svc.

Without this change, we pass the user input directly to GD::Barcode, which passes the input into an eval{} block without any validation of its own.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)

Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Aleisha Amohia
Signed-off-by: Tomas Cohen Arazi
---
 svc/barcode | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/svc/barcode b/svc/barcode
index df6be31404..e54e6e6d17 100755
--- a/svc/barcode
+++ b/svc/barcode
@@ -89,6 +89,21 @@ below the scannable barcode.
 
 =cut
 
+my %type_mapping = (
+    Code39 => 1,
+    UPCE => 1,
+    UPCA => 1,
+    QRcode => 1,
+    NW7 => 1,
+    Matrix2of5 => 1,
+    ITF => 1,
+    Industrial2of5 => 1,
+    IATA2of5 => 1,
+    EAN8 => 1,
+    EAN13 => 1,
+    COOP2of5 => 1,
+);
+
 my $input = CGI->new;
 my ( $auth_status ) =
     check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => '*' } );
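Review bot: The accepted values of `type` and the fallback to Code39 for anything else are not documented anywhere a caller of svc/barcode will see them; the POD that ends at `=cut` in this hunk (its body is outside the hunk) presumably describes the `type` parameter and should list these twelve names and state that any other value yields a Code39 barcode. The hash itself also deserves a line saying what it protects, since its keys must stay in step with the GD::Barcode plugins the server has installed: `# Allowlist of barcode types accepted from the client; keys must match GD::Barcode::<type> modules, anything else falls back to Code39.` A name such as `%supported_types` would read better than `%type_mapping`, because the values are never used as a mapping, only as set membership.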
@@ -99,13 +114,18 @@ if ( $auth_status ne "ok" ) {
 
 binmode(STDOUT);
 
-my $type = $input->param('type') || 'Code39';
+my $type = $input->param('type') || '';
 my $barcode = $input->param('barcode');
 my $notext = $input->param('notext') ? 1 : 0;
 my $height = $input->param('height') || 50;
 my $qrcode_modulesize = $input->param('modulesize') || "5"; # 1+
 my $image;
 
+# Validate the barcode type. Default to Code39 if no type or unsupported type sent.
+if ( !$type_mapping{$type} ) {
+    $type = 'Code39';
+}
+
 if ( $type eq 'Code39' ) {
     $barcode = '*' . $barcode unless $barcode =~ /^\*/;
     $barcode = $barcode . '*' unless $barcode =~ /\*$/;
@@ -115,6 +135,7 @@ eval {
     if( $type eq "QRcode" ){
         $image = GD::Barcode->new('QRcode', $barcode, { Ecc => "M", ModuleSize => $qrcode_modulesize } )->plot->png();
     } else {
+        # BZ 37464 - $type must be validated as GD::Barcode unsafely passes this argument directly to an eval{} block
         $image = GD::Barcode->new( $type, $barcode )->plot( NoText => $notext, Height => $height )->png();
     }
 };
-- 
2.39.5
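Review bot: The new allowlist check is the only validation in this block; `height` and `modulesize`, on the two context lines above `my $image`, still reach GD::Barcode unchecked, because `|| 50` and `|| "5"` only replace an empty or zero value and let non-numeric or very large strings through. If those values drive the image dimensions, as their names and the `Height =>` / `ModuleSize =>` arguments in the next hunk suggest, an oversized request could make the server allocate a very large image, so I would coerce them the same way `type` is now coerced: `$height = 50 unless $height =~ /\A\d+\z/;` and `$qrcode_modulesize = 5 unless $qrcode_modulesize =~ /\A\d+\z/;`, plus an upper bound chosen from what the label UI actually requests. Separately, the silent fallback to Code39 for a misspelt type is what the test plan asks for, but it hides client bugs; a `warn` on that path would at least make a wrong `type` visible in the logs. The `if ( $type eq 'Code39' )` block at the end of the hunk closes outside it.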
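Review bot: The new comment says GD::Barcode passes `$type` into an `eval{}` block, but a block eval cannot execute attacker-controlled text; the hazard that makes the allowlist necessary only exists if the module interpolates `$type` into a string eval, such as `eval "require GD::Barcode::$type"`, so the wording should be checked against the installed GD::Barcode and adjusted to match. If it is a string eval, I would write: `# BZ 37464 - GD::Barcode interpolates $type into a string eval to load GD::Barcode::<type>, so $type must come from the allowlist above, never straight from the client.` The comment sits inside `eval {`, whose opening line is outside this hunk, and the `$@` handling after `};` is not visible here, so whether an unexpected `$barcode` still produces a clean error response cannot be judged from this hunk.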