From 74e4ce83cb72681c0e2a98ba574d5557f2e0a032 Mon Sep 17 00:00:00 2001 From: xdrm-brackets Date: Fri, 28 Sep 2018 08:54:04 +0200 Subject: [PATCH] restrict parameter names in config + ignore parameter names in received requests --- internal/config/controller.go | 5 +++++ internal/request/dataset.go | 24 ++++++++++++++++++++++++ internal/request/utils.go | 6 ++++++ 3 files changed, 35 insertions(+) diff --git a/internal/config/controller.go b/internal/config/controller.go index 3f4f512..7398262 100644 --- a/internal/config/controller.go +++ b/internal/config/controller.go @@ -145,6 +145,11 @@ func (c *Controller) format(controllerName string) error { /* check parameters */ for pName, pData := range method.Ptr.Parameters { + // check name + if strings.Trim(pName, "_") != pName { + return fmt.Errorf("Invalid name '%s' must not begin/end with '_'", pName) + } + if len(pData.Rename) < 1 { pData.Rename = pName } diff --git a/internal/request/dataset.go b/internal/request/dataset.go index 114b089..8abd470 100644 --- a/internal/request/dataset.go +++ b/internal/request/dataset.go @@ -62,6 +62,12 @@ func (i *DataSet) fetchGet(req *http.Request) { for name, value := range req.URL.Query() { + // prevent invalid names + if !validName(name) { + log.Printf("invalid variable name: '%s'\n", name) + continue + } + // prevent injections if nameInjection(name) { log.Printf("get.injection: '%s'\n", name) @@ -131,6 +137,12 @@ func (i *DataSet) parseJSON(req *http.Request) { // else store values 'parsed' values for name, value := range parsed { + // prevent invalid names + if !validName(name) { + log.Printf("invalid variable name: '%s'\n", name) + continue + } + // prevent injections if nameInjection(name) { log.Printf("post.injection: '%s'\n", name) 
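Review bot: The new name check in format() accepts an empty key and only inspects pName, while the Rename fallback a few lines below means a non-empty `pData.Rename` taken from the config is never held to the same rule; if `_`-delimited names are reserved for something internal (the commit message does not say why they are rejected), Rename presumably needs the same validation. I would also guard the empty case and follow Go error conventions (lowercase, `%q`): `if pName == "" || strings.Trim(pName, "_") != pName {` / `return fmt.Errorf("invalid parameter name %q: must not be empty or begin/end with '_'", pName)`. The predicate is the same one this commit adds as validName in internal/request/utils.go; two hand-written copies across packages will drift, so consider exporting it from one place and calling it here. format() continues outside the hunk.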
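Review bot: `name` in fetchGet is an attacker-controlled query key and the new `log.Printf("invalid variable name: '%s'\n", name)` writes it verbatim, so a key containing a percent-encoded CR/LF — which `req.URL.Query()` decodes — lets a client inject forged lines into the server log. Format it with `%q`, which escapes control characters and also makes the hand-written quotes and the trailing `\n` (log already terminates each line) unnecessary: `log.Printf("get.invalid-name: %q", name)`. The same applies to the pre-existing `get.injection` line just below and to the three sibling loops in this file that receive the same copy of the guard. The range loop continues outside the hunk.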
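Review bot: The six lines added in parseJSON are a verbatim copy of the guard added to fetchGet above, and parseUrlencoded and parseMultipart receive the same copy, so four loop bodies now carry the same pair of checks and log messages — and the new message does not even carry the `get.`/`post.` source tag the injection messages use. A single helper next to validName in utils.go that runs both predicates, logs under a source tag, and reports accept/reject would reduce each loop body to `if !acceptName("post", name) { continue }` and gives one place to fix the quoting. The `%q` verb there also escapes control characters in the client-supplied name instead of echoing them into the log. The range loop continues outside the hunk.
```go
// acceptName reports whether a client-supplied parameter name may be stored.
// Reserved names (validName) and injected names (nameInjection) are logged
// under the given source tag ("get" or "post") and rejected.
func acceptName(src, name string) bool {
	if !validName(name) {
		log.Printf("%s.invalid-name: %q", src, name)
		return false
	}
	if nameInjection(name) {
		log.Printf("%s.injection: %q", src, name)
		return false
	}
	return true
}

// … in parseJSON (and likewise in the other three loops), replacing both checks:
	for name, value := range parsed {
		if !acceptName("post", name) {
			continue
		}
		// … unchanged: value parsing and storage …
```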
@@ -162,6 +174,12 @@ func (i *DataSet) parseUrlencoded(req *http.Request) { for name, value := range req.PostForm { + // prevent invalid names + if !validName(name) { + log.Printf("invalid variable name: '%s'\n", name) + continue + } + // prevent injections if nameInjection(name) { log.Printf("post.injection: '%s'\n", name) @@ -200,6 +218,12 @@ func (i *DataSet) parseMultipart(req *http.Request) { /* (3) Store data into 'Form' and 'Set */ for name, data := range mpr.Data { + // prevent invalid names + if !validName(name) { + log.Printf("invalid variable name: '%s'\n", name) + continue + } + // prevent injections if nameInjection(name) { log.Printf("post.injection: '%s'\n", name) diff --git a/internal/request/utils.go b/internal/request/utils.go index 6af5abb..f8c1853 100644 --- a/internal/request/utils.go +++ b/internal/request/utils.go @@ -34,6 +34,12 @@ func nameInjection(pName string) bool { return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#") } +// validName returns whether a parameter name (without the GET@ or URL# prefix) is valid +// if fails if the name begins/ends with underscores +func validName(pName string) bool { + return strings.Trim(pName, "_") == pName +} + // parseParameter parses http GET/POST data // - []string // - size = 1 : return json of first element
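Review bot: The doc comment on validName has a typo (`if fails if` should read `it fails if`) and its parenthetical says the name arrives "without the GET@ or URL# prefix", yet every caller in dataset.go passes the raw client name and runs nameInjection only afterwards, so nothing strips a prefix — the comment reads as if the caller does. I would write it as `// validName reports whether a client-supplied parameter name is acceptable:` / `// it rejects names that begin or end with '_' (run on the raw name, before nameInjection).` Note also that `strings.Trim("", "_") == ""`, so the empty name passes; unless an empty key is meaningful to the DataSet, which I cannot see from here, `return pName != "" && strings.Trim(pName, "_") == pName` would close that gap (the config-side check in controller.go has the same hole).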