Welcome Guest, Not a member yet? Register   Sign In
Routing pre 4.2 to post 4.2
#1

Ok, so I've read several posts and the upgrade notes and the docs. All of which aren't helpful.

I get that autorouting is turned off because of filters and something about get requests and security. (which has something to do with a GET request skipping filters to bypass things).

What I don't see is how to actually upgrade my v4.1.1 to v4.4.3 code.  I see "change index to getIndex" which has got to be the $&!tyist idea I've ever seen.  I've got 20ish controllers (each is a separate app, all under one login). I have got anywhere from 10 to 30 methods in each controller. We will need to test each and every single application and every single method to ensure the upgrade didn't foul it up with routing. If I can get it working.

What I'm gathering is codeigniter is so insecure, I need to manually write the routes to each of these and overload the methods I have variable parameters to to compensate for this massive security hole that is being band-aided over instead of fundamentally fixed?  I mean I think that is what I need to do because the docs are barely there.  I can turn on the autorouting (which I tried) and there was a comment I could get back to legacy routing (with no comment on HOW to do that) - but the autorouting is throwing errors: Controller or its method is not found: \App\Controllers\Bsptraining:: which seems like I need to rename the index file still - not entirely clear there. Which isn't the legacy way, so I'm sort of stuck with a broken installation right now (on a branch and all, so not stopping the application, but I'm stuck).

I've been with CI since v1, this is frustrating for me, the auto routing was always one of the key selling points for me - and - what I've used to "sell" people on CI for the past decade+.

I've added the getIndex to my Bsptraining controller and I get the index now, but any link is throwing: The param count in the URI are greater than the controller method params. Handler:\App\Controllers\Bsptraining::getIndex, URI:bsptraining/enter_bsp which makes me think I will need to rewrite every. single. damn. controller.  Or create routes for every single method, including the overloaded URL parameter ones I made.

I really hope I'm missing something or some setting as, if I have to rewrite everything, we will likely have to stay with v4.1.1 or switch to something else.
Reply
#2

(This post was last modified: 12-06-2023, 07:47 AM by ozornick.)

I don't remember the last time I used autorouting. The explicitly specified routes look more convenient and customizable.
I just went into the documentation and created a new project.
Create .env file with:
Code:
CI_ENVIRONMENT = development

app.baseURL = 'http://localhost:8080/'
routing.autoRoute = true
feature.autoRoutesImproved = true

Create App/Controllers/Product.php


PHP Code:
<?php

namespace App\Controllers;

use 
CodeIgniter\HTTP\ResponseInterface;

class 
Product extends BaseController
{
    /**
    * Not use default method in URI (without /index)
    *
    * @see http://localhost:8080/product
    */
    public function getIndex(): ResponseInterface
    
{
        return response()->setBody('Product::getIndex loaded');
    }

    /**
    * @see http://localhost:8080/product/all
    */
    public function getAll(): ResponseInterface
    
{
        return response()->setBody('Product::getAll loaded');
    }

    /**
    * @see http://localhost:8080/product/one/12312
    */
    public function getOne(int $id): ResponseInterface
    
{
        return response()->setBody('Product::getOne with ID=' $id ' loaded');
    }

    /**
    * Set default params or empty
    *
    * @see http://localhost:8080/product/hash
    * @see http://localhost:8080/product/hash/loremipsun
    */
    public function getHash(string $hash 'default'): ResponseInterface
    
{
        return response()->setBody('Product::getHash with Hash=' $hash ' loaded');
    }

    /**
    * Send POST request from Postman, wget, curl...
    *
    * @see http://localhost:8080/product/store
    */
    public function postStore(): ResponseInterface
    
{
        return response()->setBody('Product::postStore with Data=' $this->request->getBody() . ' loaded');
    }

    /**
    * @see http://localhost:8080/product/dashed_url
    */
    public function getDashed_Url(): ResponseInterface
    
{
        return response()->setBody('Product::getDashed_Url loaded');
    }


Run in console ./spark serve

https://imgbox.com/ePSSDJQA POST example from Postman
Profit!  What kind of problems are there?
Reply
#3

If you upgrade CodeIgniter, Auto Routing Legacy is enabled.
So your app should work without changing about routing configuration.

To enable Auto Routing Legacy, see
https://codeigniter4.github.io/CodeIgnit...ing-legacy

You don't need to use Auto Routing Improved or defined routes.
Because you have been already using Auto Routing Legacy.
But just you might have security issues with Auto Routing Legacy on your app.
Of course you may have no security issues on your app.
Reply
#4

(This post was last modified: 12-06-2023, 07:53 PM by kenjis.)

(12-06-2023, 06:27 AM)Kaosweaver Wrote: What I'm gathering is codeigniter is so insecure, I need to manually write the routes to each of these and overload the methods I have variable parameters to to compensate for this massive security hole that is being band-aided over instead of fundamentally fixed? 

No. CI4 is quite secure especially the latest version.
But apps with Auto Routing Legacy may be insecure if developers wrote insecure code.

Alternatively, it could be argued that Auto Routing Legacy was unsafe from the start.
Writing safe code requires a high level of skills.

However, to write a safe application, you only need to make sure that it will not work if controllers are requested with an unexpected HTTP method or an unexpected URI. If you do not use Controller Filters at all, it is not that difficult.
Reply
#5

(This post was last modified: 12-07-2023, 02:35 PM by Kaosweaver.)

(12-06-2023, 07:50 PM)kenjis Wrote:
(12-06-2023, 06:27 AM)Kaosweaver Wrote: What I'm gathering is codeigniter is so insecure, I need to manually write the routes to each of these and overload the methods I have variable parameters to to compensate for this massive security hole that is being band-aided over instead of fundamentally fixed? 

No. CI4 is quite secure especially the latest version.
But apps with Auto Routing Legacy may be insecure if developers wrote insecure code.

Alternatively, it could be argued that Auto Routing Legacy was unsafe from the start.
Writing safe code requires a high level of skills.

However, to write a safe application, you only need to make sure that it will not work if controllers are requested with an unexpected HTTP method or an unexpected URI. If you do not use Controller Filters at all, it is not that difficult.

We use filters, for 2FA and Casban permissions.

When I point management to the 4.20 upgrade notes and they see what's written, they're not exactly confident in CI and the security. Who wants a potential security risk that, if it is not changed now, someone may in the future use a filter (unaware of this issue) and introduce it. So, we have to update the code. (even if it is working now). I've spent the last few days talking to the clients I've said CI is the way, now telling them they need to spend money on updating the routing because of this issue - and the fix being completely not compatible with what's worked in CI since v1. (for auto routing).

(12-06-2023, 03:18 PM)kenjis Wrote: You don't need to use Auto Routing Improved or defined routes.
Because you have been already using Auto Routing Legacy.
But just you might have security issues with Auto Routing Legacy on your app.
Of course you may have no security issues on your app.

You do understand how that would sound if you were telling your boss/client that, right?
Reply
#6

Thank you for your feedback.

Probably you are correct. If your organization or developers are not confident that your app is safe (and will be safe) on this matter,
changing to defined routes or auto routing improved is recommended.
It is true there is risk, so we decided to disable auto routing legacy by default.

The real risk on this matter is that a specific controller can be accessed by an HTTP method or URL that the developer does not expect,
thereby bypassing the filter. I can't say that there are absolutely no other attack vector, but I can't think of any at the moment.

If you use `php spark routes`, you can see the current all routes. And with the information, you can easily define the routes.
Reply
#7

(12-07-2023, 02:31 PM)Kaosweaver Wrote: You do understand how that would sound if you were telling your boss/client that, right?

Don't get it wrong. I did not say to boss/client.
I did not say that you should say like that.

I want to say, I don't know your app is safe or not.
To check it is not my job, and impossible.
Reply
#8

(This post was last modified: 12-07-2023, 03:48 PM by Kaosweaver.)

(12-07-2023, 03:13 PM)kenjis Wrote: If you use `php spark routes`, you can see the current all routes. And with the information, you can easily define the routes.

Thanks, I was all going to assign a developer the task of writing a script to pull all of the functions from all of the controllers and write a routes script for the installations we have.

(12-07-2023, 03:19 PM)kenjis Wrote:
(12-07-2023, 02:31 PM)Kaosweaver Wrote: You do understand how that would sound if you were telling your boss/client that, right?

Don't get it wrong. I did not say to boss/client.
I did not say that you should say like that.

I want to say, I don't know your app is safe or not.
To check it is not my job, and impossible.

You said it to the world. As the owner of CodeIgniter.

Wasn't asking you to check the code, I full well know it isn't your job. (although my client did offer to pay for support, so it could have been)
Reply
#9

I'm NOT the owner. I'm one of contributors, NOT a member of CodeIgniter Foundation.

I can say that it is possible to develop a vulnerable application using any framework,
and it is impossible to prevent it completely now.

So I cannot tell you if an app someone creates with CI4 is secure or not.
However, the latest version of CI4 is quite secure in its default state.
Reply
#10

For those who do not yet understand the issue of auto routing legacy.
Even if you disable auto routing and define all routes, using the $routes->add() method still leaves you at risk.
This method should not be used.
https://codeigniter4.github.io/CodeIgnit...http-verbs
Reply




Theme © iAndrew 2016 - Forum software by © MyBB