Merge pull request #28 from LiilyZhang/zhangl/invalidCharCheck

Issue 1137 - prevent <> in put body
open-horizon · Aug 20, 2019 · ff53afe · ff53afe
2 parents a2d357e + fd6363f
commit ff53afe
Show file tree

Hide file tree

Showing 4 changed files with 124 additions and 93 deletions.
diff --git a/common/common.go b/common/common.go
@@ -781,6 +781,21 @@ func BlockUntilNoRunningGoRoutines() {
 // IsValidName checks if the string only contains letters, digits, and !@#%^*-_.~
 var IsValidName = regexp.MustCompile(`^[a-zA-Z0-9|!|@|#|$|^|*|\-|_|.|~]+$`).MatchString
 
+// ValidateDestinationListInput checks if destinationsList contains < or >, to avoid injecting html like tags from user
+func ValidateDestinationListInput(destinationsList []string) (bool, SyncServiceError) {
+	if len(destinationsList) == 0 {
+		return true, nil
+	}
+
+	for _, destination := range destinationsList {
+		if strings.ContainsAny(destination, "<") || strings.ContainsAny(destination, ">") {
+			message := fmt.Sprintf("destinationsList contains unsupported char: < or > (%+v)", destination)
+			return false, &InvalidRequest{Message: message}
+		}
+	}
+	return true, nil
+}
+
 func init() {
 	Version.Major = 1
 	Version.Minor = 0

diff --git a/core/base/apiModule.go b/core/base/apiModule.go
@@ -87,6 +87,9 @@ func UpdateObject(orgID string, objectType string, objectID string, metaData com
 	if metaData.DestinationsList != nil && metaData.DestType != "" {
 		return &common.InvalidRequest{Message: "Both destinations list and destination type are specified"}
 	}
+	if validatedDestList, _ := common.ValidateDestinationListInput(metaData.DestinationsList); validatedDestList == false {
+		return &common.InvalidRequest{Message: "Unsupported char <, > in destinationsList."}
+	}
 
 	if metaData.DestinationPolicy != nil {
 		if metaData.DestType != "" {

diff --git a/core/base/apiServer.go b/core/base/apiServer.go
@@ -1291,12 +1291,15 @@ func handleObjectDestinations(orgID string, objectType string, objectID string,
 		}
 		var destinationsList []string
 		err := json.NewDecoder(request.Body).Decode(&destinationsList)
-		if err == nil {
+		inputValidated, validateErr := common.ValidateDestinationListInput(destinationsList)
+		if inputValidated && err == nil {
 			if err := UpdateObjectDestinations(orgID, objectType, objectID, destinationsList); err == nil {
 				writer.WriteHeader(http.StatusNoContent)
 			} else {
 				communications.SendErrorResponse(writer, err, "", 0)
 			}
+		} else if !inputValidated {
+			communications.SendErrorResponse(writer, validateErr, "Unsupported char in destinationsList. Error: ", http.StatusBadRequest)
 		} else {
 			communications.SendErrorResponse(writer, err, "Invalid JSON for update. Error: ", http.StatusBadRequest)
 		}