restrict parameter names in config + ignore parameter names in received requests

Adrien Marquès 2018-09-28 08:54:04 +02:00
parent f5800900b0
commit 74e4ce83cb
3 changed files with 35 additions and 0 deletions


@ -145,6 +145,11 @@ func (c *Controller) format(controllerName string) error {
/* check parameters */ /* check parameters */
for pName, pData := range method.Ptr.Parameters { for pName, pData := range method.Ptr.Parameters {
// check name
if strings.Trim(pName, "_") != pName {
return fmt.Errorf("Invalid name '%s' must not begin/end with '_'", pName)
}
if len(pData.Rename) < 1 { if len(pData.Rename) < 1 {
pData.Rename = pName pData.Rename = pName
} }
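Review bot: An explicitly configured `pData.Rename` bypasses the new restriction, because only the map key pName is checked on the added lines and Rename is defaulted to pName only when it is empty; if Rename is the name later matched against incoming request parameters (not visible here), a configured rename such as `_foo` would still be accepted. The same trim expression is added as validName() elsewhere in this commit, so the check could read `if !validName(pName) || (len(pData.Rename) > 0 && !validName(pData.Rename)) {` provided the two files share a package. The error string could also follow Go convention, `return fmt.Errorf("invalid name %q: must not begin/end with '_'", pName)`. Controller.format starts before this hunk and continues after it.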


@ -62,6 +62,12 @@ func (i *DataSet) fetchGet(req *http.Request) {
for name, value := range req.URL.Query() { for name, value := range req.URL.Query() {
// prevent invalid names
if !validName(name) {
log.Printf("invalid variable name: '%s'\n", name)
continue
}
// prevent injections // prevent injections
if nameInjection(name) { if nameInjection(name) {
log.Printf("get.injection: '%s'\n", name) log.Printf("get.injection: '%s'\n", name)
@ -131,6 +137,12 @@ func (i *DataSet) parseJSON(req *http.Request) {
// else store values 'parsed' values // else store values 'parsed' values
for name, value := range parsed { for name, value := range parsed {
// prevent invalid names
if !validName(name) {
log.Printf("invalid variable name: '%s'\n", name)
continue
}
// prevent injections // prevent injections
if nameInjection(name) { if nameInjection(name) {
log.Printf("post.injection: '%s'\n", name) log.Printf("post.injection: '%s'\n", name)
@ -162,6 +174,12 @@ func (i *DataSet) parseUrlencoded(req *http.Request) {
for name, value := range req.PostForm { for name, value := range req.PostForm {
// prevent invalid names
if !validName(name) {
log.Printf("invalid variable name: '%s'\n", name)
continue
}
// prevent injections // prevent injections
if nameInjection(name) { if nameInjection(name) {
log.Printf("post.injection: '%s'\n", name) log.Printf("post.injection: '%s'\n", name)
@ -200,6 +218,12 @@ func (i *DataSet) parseMultipart(req *http.Request) {
/* (3) Store data into 'Form' and 'Set */ /* (3) Store data into 'Form' and 'Set */
for name, data := range mpr.Data { for name, data := range mpr.Data {
// prevent invalid names
if !validName(name) {
log.Printf("invalid variable name: '%s'\n", name)
continue
}
// prevent injections // prevent injections
if nameInjection(name) { if nameInjection(name) {
log.Printf("post.injection: '%s'\n", name) log.Printf("post.injection: '%s'\n", name)
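Review bot: The new line `log.Printf("invalid variable name: '%s'\n", name)` writes a client-controlled name with %s and an explicit newline, so a key containing control characters or a line break is copied into the log verbatim, and the trailing \n is redundant because log.Printf already terminates the entry; `log.Printf("invalid variable name: %q", name)` escapes the value and keeps one entry per line. The same six-line block is added in the fetchGet, parseJSON, parseUrlencoded and parseMultipart hunks, so the change applies to all four. Since each block is identical and is immediately followed by the equally repeated nameInjection check, a small helper that performs both checks and logs once would remove the duplication. All four enclosing functions start before and continue after their hunks.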


@ -34,6 +34,12 @@ func nameInjection(pName string) bool {
return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#") return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
} }
// validName returns whether a parameter name (without the GET@ or URL# prefix) is valid
// if fails if the name begins/ends with underscores
func validName(pName string) bool {
return strings.Trim(pName, "_") == pName
}
// parseParameter parses http GET/POST data // parseParameter parses http GET/POST data
// - []string // - []string
// - size = 1 : return json of first element // - size = 1 : return json of first element
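Review bot: validName accepts the empty string, because strings.Trim of "" yields "" and equals the input, so a request key with no name is treated as valid by the parsers that call it in this commit; `return pName != "" && strings.Trim(pName, "_") == pName` closes that gap. The doc comment also has a typo, `// if fails` should read `// it fails`, and the parenthetical about the GET@/URL# prefix could say that the request parsers pass the raw key and that nameInjection handles the prefix separately. validName is complete within the hunk.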