Bug fixes to secure against Server-Side Request Forgery (SSRF) vulnerabilities

Author: basoro

plugins/api/Admin.php

@@ -266,8 +266,15 @@ public function postKirimWA()
         }
 
         $url = $waapiserver."/wagateway/kirimpesan";
+        if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https:\/\//i', $url)) {
+             echo json_encode(['status' => false, 'msg' => 'Invalid or insecure WA Gateway URL']);
+             exit();
+        }
         $curlHandle = curl_init();
         curl_setopt($curlHandle, CURLOPT_URL, $url);
+        curl_setopt($curlHandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, false);
         curl_setopt($curlHandle, CURLOPT_POSTFIELDS, http_build_query([
             'type' => 'text',
             'sender' => $waapiphonenumber,
@@ -279,7 +286,7 @@ public function postKirimWA()
         curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($curlHandle, CURLOPT_TIMEOUT, 30);
         curl_setopt($curlHandle, CURLOPT_POST, 1);
-        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, true);
 
         $response = curl_exec($curlHandle);
 
@@ -316,14 +323,21 @@ public function postKirimWAMedia()
         $waapiphonenumber = $this->settings->get('wagateway.phonenumber');
         $waapiserver = $this->settings->get('wagateway.server');
         $url = $waapiserver."/wagateway/kirimgambar";
+        if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https:\/\//i', $url)) {
+             echo json_encode(['status' => false, 'msg' => 'Invalid or insecure WA Gateway URL']);
+             exit();
+        }
         $curlHandle = curl_init();
         curl_setopt($curlHandle, CURLOPT_URL, $url);
+        curl_setopt($curlHandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, false);
         curl_setopt($curlHandle, CURLOPT_POSTFIELDS,"type=image&sender=".$waapiphonenumber."&number=".$_POST['number']."&message=".$_POST['message']."&url=".$_POST['file']."&api_key=".$waapitoken);
         curl_setopt($curlHandle, CURLOPT_HEADER, 0);
         curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($curlHandle, CURLOPT_TIMEOUT,30);
         curl_setopt($curlHandle, CURLOPT_POST, 1);
-        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, true);
         $response = curl_exec($curlHandle);
         curl_close($curlHandle);
         echo $response;
@@ -336,14 +350,21 @@ public function postKirimWADocument()
         $waapiphonenumber = $this->settings->get('wagateway.phonenumber');
         $waapiserver = $this->settings->get('wagateway.server');
         $url = $waapiserver."/wagateway/kirimfile";
+        if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https:\/\//i', $url)) {
+             echo json_encode(['status' => false, 'msg' => 'Invalid or insecure WA Gateway URL']);
+             exit();
+        }
         $curlHandle = curl_init();
         curl_setopt($curlHandle, CURLOPT_URL, $url);
+        curl_setopt($curlHandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, false);
         curl_setopt($curlHandle, CURLOPT_POSTFIELDS,"type=document&sender=".$waapiphonenumber."&number=".$_POST['number']."&message=".$_POST['message']."&url=".$_POST['file']."&api_key=".$waapitoken);
         curl_setopt($curlHandle, CURLOPT_HEADER, 0);
         curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($curlHandle, CURLOPT_TIMEOUT,30);
         curl_setopt($curlHandle, CURLOPT_POST, 1);
-        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curlHandle, CURLOPT_SSL_VERIFYPEER, true);
         $response = curl_exec($curlHandle);
         curl_close($curlHandle);
         echo $response;

plugins/api/Site.php

@@ -567,7 +567,7 @@ public function getApam()
                     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                     curl_setopt($ch, CURLOPT_TIMEOUT,30);
                     curl_setopt($ch, CURLOPT_POST, 1);
-                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                     $response = curl_exec($ch);
                     curl_close($ch);
                   }
@@ -999,7 +999,7 @@ public function getApam()
                       'Content-Type: application/json',
                       'Content-Length: ' . strlen($params_string))
                   );
-                  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+                  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
 
                   //execute post
                   $request = curl_exec($ch);
@@ -1032,7 +1032,7 @@ public function getApam()
                     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                     curl_setopt($ch, CURLOPT_TIMEOUT,30);
                     curl_setopt($ch, CURLOPT_POST, 1);
-                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                     $response = curl_exec($ch);
                     curl_close($ch);
                   }

plugins/farmasi/Admin.php

@@ -555,7 +555,7 @@ public function postDetailpemberianobatData()
         $totalRecordwithFilter = $records['allcount'];
 
         ## Fetch records
-        $sel = $this->db()->pdo()->prepare("select * from detail_pemberian_obat WHERE 1 ".$searchQuery." order by ".$columnName." ".$columnSortOrder." limit ".intval($row1).",".intval($rowperpage));
+        $sel = $this->db()->pdo()->prepare("select * from detail_pemberian_obat WHERE 1 ".$searchQuery." order by ".$columnName." ".$columnSortOrder." limit ".(int)$row1.",".(int)$rowperpage);
         $sel->execute($params);
         $result = $sel->fetchAll(\PDO::FETCH_ASSOC);
 
@@ -668,7 +668,7 @@ public function postRiwayatbarangmedisData()
         $totalRecordwithFilter = $records['allcount'];
 
         ## Fetch records
-        $sel = $this->db()->pdo()->prepare("select * from riwayat_barang_medis WHERE 1 ".$searchQuery." order by ".$columnName." ".$columnSortOrder." limit ".intval($row1).",".intval($rowperpage));
+        $sel = $this->db()->pdo()->prepare("select * from riwayat_barang_medis WHERE 1 ".$searchQuery." order by ".$columnName." ".$columnSortOrder." limit ".(int)$row1.",".(int)$rowperpage);
         $sel->execute($params);
         $result = $sel->fetchAll(\PDO::FETCH_ASSOC);
 

plugins/igd/Admin.php

@@ -1731,7 +1731,11 @@ public function postTriaseIgdSave()
                 // Build INSERT query manually to avoid framework interference
                 $fields = array_keys($data_to_save);
                 $placeholders = ':' . implode(', :', $fields);
-                $sql = "INSERT INTO mlite_triase_igd (" . implode(', ', array_map(function($f){return "`$f`";}, $fields)) . ") VALUES (" . $placeholders . ")";
+                $escaped_fields = [];
+                foreach ($fields as $f) {
+                    $escaped_fields[] = "`$f`";
+                }
+                $sql = "INSERT INTO mlite_triase_igd (" . implode(', ', $escaped_fields) . ") VALUES (" . $placeholders . ")";
 
                 error_log('DEBUG: Direct SQL: ' . $sql);
                 error_log('DEBUG: SQL Data: ' . print_r($data_to_save, true));

plugins/master/src/JnsPerawatanLab.php

@@ -184,7 +184,7 @@ public function postData()
         $totalRecords = $records['allcount'];
 
         $stmt = $this->db()->pdo()->prepare("SELECT COUNT(*) AS allcount FROM jns_perawatan_lab WHERE 1=1 $searchQuery");
-        if (!empty($search_text)) {
+        if (!empty($search_text) && in_array($search_field, $allowedColumns)) {
             $stmt->bindValue(':search_text', "%$search_text%", \PDO::PARAM_STR);
         }
         $stmt->execute();

plugins/master/src/Poliklinik.php

@@ -165,10 +165,8 @@ public function postData()
         $totalRecordwithFilter = $records['allcount'];
 
         // Data paginated
-        $sql = "SELECT * FROM poliklinik WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT :row1, :rowperpage";
+        $sql = "SELECT * FROM poliklinik WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT ".(int)$row1.", ".(int)$rowperpage;
         $stmt = $this->core->db()->pdo()->prepare($sql);
-        $stmt->bindValue(':row1', intval($row1), \PDO::PARAM_INT);
-        $stmt->bindValue(':rowperpage', intval($rowperpage), \PDO::PARAM_INT);
         foreach ($params as $key => $val) {
             $stmt->bindValue($key, $val);
         }
@@ -329,11 +327,10 @@ public function getChart($type = '', $column = '')
             $datasets = json_encode(array_column($datasets, "COUNT($column)"));
         }
 
-        $database = DBNAME;
         $nama_table = 'poliklinik';
 
-        $stmt = $this->core->db()->pdo()->prepare("SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=? AND TABLE_NAME=?");
-        $stmt->execute([$database, $nama_table]);
+        $stmt = $this->core->db()->pdo()->prepare("SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME=?");
+        $stmt->execute([$nama_table]);
         $result = $stmt->fetchAll();
 
         return [

plugins/mlite_api_key/Admin.php

@@ -58,12 +58,10 @@ public function postData()
         }
         $stmt->execute();
         $records = $stmt->fetch();
-        $totalRecordwithFilter = $records['allcount'];
+        $totalRecordwithFilter = $records['allcount'] ?? 0;
 
-        $sql = "SELECT * FROM mlite_api_key WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT :row1, :rowperpage";
+        $sql = "SELECT * FROM mlite_api_key WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT ".(int)$row1.", ".(int)$rowperpage;
         $stmt = $this->db()->pdo()->prepare($sql);
-        $stmt->bindValue(':row1', intval($row1), \PDO::PARAM_INT);
-        $stmt->bindValue(':rowperpage', intval($rowperpage), \PDO::PARAM_INT);
         if (!empty($search_text) && in_array($search_field, $allowedColumns)) {
             $stmt->bindValue(':search_text', "%$search_text%", \PDO::PARAM_STR);
         }
@@ -235,8 +233,8 @@ public function getChart($type = '', $column = '')
         $database = DBNAME;
         $nama_table = 'mlite_api_key';
 
-        $stmt = $this->db()->pdo()->prepare("SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=? AND TABLE_NAME=?");
-        $stmt->execute([$database, $nama_table]);
+        $stmt = $this->db()->pdo()->prepare("SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME=?");
+        $stmt->execute([$nama_table]);
         $result = $stmt->fetchAll();
 
         echo $this->draw('chart.html', ['type' => $type, 'column' => htmlspecialchars_array($result), 'labels' => $labels, 'datasets' => $datasets, 'slug' => $slug]);

plugins/mlite_logs/Admin.php

@@ -55,12 +55,10 @@ public function postData()
         }
         $stmt->execute();
         $records = $stmt->fetch();
-        $totalRecordwithFilter = $records['allcount'];
+        $totalRecordwithFilter = $records['allcount'] ?? 0;
 
-        $sql = "SELECT * FROM mlite_query_logs WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT :row1, :rowperpage";
+        $sql = "SELECT * FROM mlite_query_logs WHERE 1=1 $searchQuery ORDER BY `$columnName` $columnSortOrder LIMIT ".(int)$row1.", ".(int)$rowperpage;
         $stmt = $this->db()->pdo()->prepare($sql);
-        $stmt->bindValue(':row1', intval($row1), \PDO::PARAM_INT);
-        $stmt->bindValue(':rowperpage', intval($rowperpage), \PDO::PARAM_INT);
         if (!empty($search_text) && in_array($search_field, $allowedColumns)) {
             $stmt->bindValue(':search_text', "%$search_text%", \PDO::PARAM_STR);
         }

plugins/orthanc/Admin.php

@@ -58,8 +58,21 @@ public function postTestOpenai()
       }
 
       if($result) {
+        // SSRF protection: validate ai_api_url is a public https URL
+        $url_parts = parse_url($orthanc['ai_api_url']);
+        if (!filter_var($orthanc['ai_api_url'], FILTER_VALIDATE_URL) || 
+            !isset($url_parts['scheme']) || 
+            strtolower($url_parts['scheme']) !== 'https') {
+             $output = array('message' => 'error', 'code' => '400', 'desc' => 'Invalid or insecure API URL');
+             echo json_encode(htmlspecialchars_array($output));
+             exit();
+        }
+
         $curl = curl_init();
         curl_setopt ($curl, CURLOPT_URL, $orthanc['ai_api_url']);
+        curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
         curl_setopt($curl, CURLOPT_HTTPHEADER, array(
           'Content-Type: application/json',
           'Authorization: Bearer ' . $orthanc['ai_api_key']
@@ -221,20 +234,15 @@ public function postSavePACS()
             // --- Validasi URL ---
             $valid = false;
             if (filter_var($url, FILTER_VALIDATE_URL)) {
-                $valid = true;
-            } else {
-                // Fallback validasi Docker container host
                 $parts = parse_url($url);
-                if (
-                    $parts &&
-                    !empty($parts['scheme']) &&
-                    in_array($parts['scheme'], ['http','https'], true) &&
-                    !empty($parts['host']) &&
-                    (
-                        preg_match('/^[a-zA-Z0-9\-_]+$/', $parts['host']) || 
-                        filter_var($parts['host'], FILTER_VALIDATE_IP)
-                    )
-                ) {
+                // Require HTTP/HTTPS, but strictly validate host to prevent SSRF if this is external
+                // Assuming orthanc server is the only allowed host
+                $orthanc_server = $this->settings->get('orthanc.server');
+                $orthanc_parts = parse_url($orthanc_server);
+                
+                if (isset($parts['scheme']) && in_array(strtolower($parts['scheme']), ['http','https']) &&
+                    isset($parts['host']) && isset($orthanc_parts['host']) && 
+                    strtolower($parts['host']) === strtolower($orthanc_parts['host'])) {
                     $valid = true;
                 }
             }
@@ -670,7 +678,7 @@ public function postTestConnection()
         curl_setopt($curl, CURLOPT_USERPWD, $orthanc['username'].":".$orthanc['password']);
         curl_setopt($curl, CURLOPT_TIMEOUT, 10);
         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
-        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
 
         $resp = curl_exec($curl);
@@ -801,7 +809,7 @@ private function setupCurl($url, $orthanc, $options = [])
         curl_setopt($curl, CURLOPT_USERPWD, $orthanc['username'].":".$orthanc['password']);
         curl_setopt($curl, CURLOPT_TIMEOUT, 30);
         curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
-        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
 
         // Apply additional options
@@ -1203,7 +1211,7 @@ private function downloadSeriesStream($seriesId, $orthanc)
         curl_setopt($curl, CURLOPT_FILE, $fp);
         curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
         curl_setopt($curl, CURLOPT_TIMEOUT, 300);
-        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
         curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
 
         $result = curl_exec($curl);
@@ -1891,7 +1899,7 @@ public function postAiinterpretasi()
                 'Content-Type: application/json',
                 'Authorization: Bearer ' . $apiKey
             ]);
-            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
             curl_setopt($ch, CURLOPT_TIMEOUT, 60);
 
             $response = curl_exec($ch);

plugins/pasien/Admin.php

@@ -498,17 +498,31 @@ public function postHapusBerkasDigital()
 
     public function getDownloadBerkasDigital()
     {
-      $file = explode('/', $_GET['lokasi_file']);
-      $file_name = $file['2'];
-      $file_url = WEBAPPS_URL.'/berkasrawat/' . $_GET['lokasi_file'];
+      $file_path_param = $_GET['lokasi_file'];
+      
+      // Basic validation to prevent directory traversal
+      if (strpos($file_path_param, '..') !== false || strpos($file_path_param, '/') !== false || strpos($file_path_param, '\\') !== false) {
+          echo 'Akses ditolak.';
+          exit();
+      }
+      
+      $file_name = $file_path_param;
+      $file_url = WEBAPPS_URL.'/berkasrawat/' . $file_name;
+      
+      // Validate that the file exists and is within the allowed directory
+      $real_path = realpath(UPLOADS.'/berkasrawat/' . $file_name);
+      if ($real_path === false || strpos($real_path, realpath(UPLOADS.'/berkasrawat/')) !== 0) {
+          echo 'File tidak ditemukan.';
+          exit();
+      }
 
       // Configure.
       header('Content-Type: application/octet-stream');
       header("Content-Transfer-Encoding: Binary"); 
       header("Content-disposition: attachment; filename=\"".$file_name."\"");
 
       // Actual download.
-      readfile($file_url);
+      readfile($real_path);
 
       exit();
     }