Merge pull request #2177 from pi-hole/bulk_delete_groups

Allow delete multiple items - Group pages
2026-04-24 10:50:23 +01:00 · 2022-05-07 21:06:01 +02:00
parent c3b2004378 f0bd5d725e
commit 042b54675c
11 changed files with 668 additions and 235 deletions
--- a/scripts/pi-hole/php/groups.php
+++ b/scripts/pi-hole/php/groups.php
@@ -51,6 +51,20 @@ function JSON_error($message = null)
    echo json_encode($response);
 }

+function verify_ID_array($arr)
+{
+    if (!is_array($arr)) {
+        throw new Exception('Invalid payload: id is not an array');
+    }
+
+    // Exploit prevention: Ensure all entries in the ID array are integers
+    foreach ($arr as $value) {
+        if (!is_numeric($value)) {
+            throw new Exception('Invalid payload: id contains non-numeric entries');
+        }
+    }
+}
+
 if ($_POST['action'] == 'get_groups') {
    // List all available groups
    try {
@@ -153,21 +167,23 @@ if ($_POST['action'] == 'get_groups') {
 } elseif ($_POST['action'] == 'delete_group') {
    // Delete group identified by ID
    try {
-        $table_name = ['domainlist_by_group', 'client_by_group', 'adlist_by_group', 'group'];
+        $ids = json_decode($_POST['id']);
+
+        // Exploit prevention: Ensure all entries in the ID array are integers
+        verify_ID_array($ids);
+
+        $table_name = ['domainlist_by_group', 'client_by_group', 'adlist_by_group', '"group"']; //quote reserved word
        $table_keys = ['group_id', 'group_id', 'group_id', 'id'];
+
        for ($i = 0; $i < count($table_name); $i++) {
            $table = $table_name[$i];
            $key = $table_keys[$i];

-            $stmt = $db->prepare("DELETE FROM \"$table\" WHERE $key = :id;");
+            $stmt = $db->prepare("DELETE FROM ".$table." WHERE ".$key." IN (".implode(",",$ids).")");
            if (!$stmt) {
                throw new Exception("While preparing DELETE FROM $table statement: " . $db->lastErrorMsg());
            }

-            if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-                throw new Exception("While binding id to DELETE FROM $table statement: " . $db->lastErrorMsg());
-            }
-
            if (!$stmt->execute()) {
                throw new Exception("While executing DELETE FROM $table statement: " . $db->lastErrorMsg());
            }
@@ -463,30 +479,29 @@ if ($_POST['action'] == 'get_groups') {
 } elseif ($_POST['action'] == 'delete_client') {
    // Delete client identified by ID
    try {
+        $ids = json_decode($_POST['id']);
+
+        // Exploit prevention: Ensure all entries in the ID array are integers
+        verify_ID_array($ids);
+
        $db->query('BEGIN TRANSACTION;');

-        $stmt = $db->prepare('DELETE FROM client_by_group WHERE client_id=:id');
+        // Delete from: client_by_group
+        $stmt = $db->prepare('DELETE FROM client_by_group WHERE client_id IN ('.implode(",",$ids).')');
        if (!$stmt) {
            throw new Exception('While preparing client_by_group statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to client_by_group statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing client_by_group statement: ' . $db->lastErrorMsg());
        }

-        $stmt = $db->prepare('DELETE FROM client WHERE id=:id');
+        // Delete from: client
+        $stmt = $db->prepare('DELETE FROM client WHERE id IN ('.implode(",",$ids).')');
        if (!$stmt) {
            throw new Exception('While preparing client statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to client statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing client statement: ' . $db->lastErrorMsg());
        }
@@ -847,30 +862,29 @@ if ($_POST['action'] == 'get_groups') {
 } elseif ($_POST['action'] == 'delete_domain') {
    // Delete domain identified by ID
    try {
+        $ids = json_decode($_POST['id']);
+
+        // Exploit prevention: Ensure all entries in the ID array are integers
+        verify_ID_array($ids);
+
        $db->query('BEGIN TRANSACTION;');

-        $stmt = $db->prepare('DELETE FROM domainlist_by_group WHERE domainlist_id=:id');
+        // Delete from: domainlist_by_group
+        $stmt = $db->prepare('DELETE FROM domainlist_by_group WHERE domainlist_id IN ('.implode(",",$ids).')');
        if (!$stmt) {
            throw new Exception('While preparing domainlist_by_group statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to domainlist_by_group statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing domainlist_by_group statement: ' . $db->lastErrorMsg());
        }

-        $stmt = $db->prepare('DELETE FROM domainlist WHERE id=:id');
+        // Delete from: domainlist
+        $stmt = $db->prepare('DELETE FROM domainlist WHERE id IN ('.implode(",",$ids).')');
        if (!$stmt) {
            throw new Exception('While preparing domainlist statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to domainlist statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing domainlist statement: ' . $db->lastErrorMsg());
        }
@@ -1128,30 +1142,31 @@ if ($_POST['action'] == 'get_groups') {
 } elseif ($_POST['action'] == 'delete_adlist') {
    // Delete adlist identified by ID
    try {
+        // Accept only an array
+        $ids = json_decode($_POST['id']);
+
+        // Exploit prevention: Ensure all entries in the ID array are integers
+        verify_ID_array($ids);
+
        $db->query('BEGIN TRANSACTION;');

-        $stmt = $db->prepare('DELETE FROM adlist_by_group WHERE adlist_id=:id');
+        // Delete from: adlists_by_group
+        $stmt = $db->prepare('DELETE FROM adlist_by_group WHERE adlist_id IN ('.implode(",",$ids).')');
+
        if (!$stmt) {
            throw new Exception('While preparing adlist_by_group statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to adlist_by_group statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing adlist_by_group statement: ' . $db->lastErrorMsg());
        }

-        $stmt = $db->prepare('DELETE FROM adlist WHERE id=:id');
+        // Delete from: adlists
+        $stmt = $db->prepare('DELETE FROM adlist WHERE id IN ('.implode(",",$ids).')');
        if (!$stmt) {
            throw new Exception('While preparing adlist statement: ' . $db->lastErrorMsg());
        }

-        if (!$stmt->bindValue(':id', intval($_POST['id']), SQLITE3_INTEGER)) {
-            throw new Exception('While binding id to adlist statement: ' . $db->lastErrorMsg());
-        }
-
        if (!$stmt->execute()) {
            throw new Exception('While executing adlist statement: ' . $db->lastErrorMsg());
        }