restrict parameter names in config + ignore parameter names in received requests

2018-09-28 08:54:04 +02:00 · 2018-09-28 08:54:04 +02:00 · 74e4ce83cb
parent f5800900b0
commit 74e4ce83cb
3 changed files with 35 additions and 0 deletions
--- a/internal/config/controller.go
+++ b/internal/config/controller.go
@ -145,6 +145,11 @@ func (c *Controller) format(controllerName string) error {
 		/* check parameters */
 		for pName, pData := range method.Ptr.Parameters {

+			// check name
+			if strings.Trim(pName, "_") != pName {
+				return fmt.Errorf("Invalid name '%s' must not begin/end with '_'", pName)
+			}
+
 			if len(pData.Rename) < 1 {
 				pData.Rename = pName
 			}
--- a/internal/request/dataset.go
+++ b/internal/request/dataset.go
@ -62,6 +62,12 @@ func (i *DataSet) fetchGet(req *http.Request) {

 	for name, value := range req.URL.Query() {

+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("get.injection: '%s'\n", name)
@ -131,6 +137,12 @@ func (i *DataSet) parseJSON(req *http.Request) {
 	// else store values 'parsed' values
 	for name, value := range parsed {

+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
@ -162,6 +174,12 @@ func (i *DataSet) parseUrlencoded(req *http.Request) {

 	for name, value := range req.PostForm {

+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
@ -200,6 +218,12 @@ func (i *DataSet) parseMultipart(req *http.Request) {
 	/* (3) Store data into 'Form' and 'Set */
 	for name, data := range mpr.Data {

+		// prevent invalid names
+		if !validName(name) {
+			log.Printf("invalid variable name: '%s'\n", name)
+			continue
+		}
+
 		// prevent injections
 		if nameInjection(name) {
 			log.Printf("post.injection: '%s'\n", name)
--- a/internal/request/utils.go
+++ b/internal/request/utils.go
@ -34,6 +34,12 @@ func nameInjection(pName string) bool {
 	return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
 }

+// validName returns whether a parameter name (without the GET@ or URL# prefix) is valid
+// if fails if the name begins/ends with underscores
+func validName(pName string) bool {
+	return strings.Trim(pName, "_") == pName
+}
+
 // parseParameter parses http GET/POST data
 // - []string
 //		- size = 1 : return json of first element