restrict parameter names in config + ignore parameter names in received requests
This commit is contained in:
parent
f5800900b0
commit
74e4ce83cb
|
@ -145,6 +145,11 @@ func (c *Controller) format(controllerName string) error {
|
|||
/* check parameters */
|
||||
for pName, pData := range method.Ptr.Parameters {
|
||||
|
||||
// check name
|
||||
if strings.Trim(pName, "_") != pName {
|
||||
return fmt.Errorf("Invalid name '%s' must not begin/end with '_'", pName)
|
||||
}
|
||||
|
||||
if len(pData.Rename) < 1 {
|
||||
pData.Rename = pName
|
||||
}
|
||||
|
|
|
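Review bot: The name check on `if strings.Trim(pName, "_") != pName {` re-implements the predicate this commit adds as `validName` in the parameter file; if the two live in the same package, `if !validName(pName) {` keeps the config-side and request-side rules from drifting apart. As written, both accept an empty name, since `strings.Trim("", "_")` is `""`, so a parameter declared with an empty key passes this validation. Go convention also wants the error text lowercase, e.g. `return fmt.Errorf("invalid name %q: must not begin/end with '_'", pName)`. Note that `pData.Rename = pName` only persists if `method.Ptr.Parameters` holds pointers; if it is a map of struct values the assignment lands on a copy, which is worth confirming since the loop body continues outside the hunk.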
@ -62,6 +62,12 @@ func (i *DataSet) fetchGet(req *http.Request) {
|
|||
|
||||
for name, value := range req.URL.Query() {
|
||||
|
||||
// prevent invalid names
|
||||
if !validName(name) {
|
||||
log.Printf("invalid variable name: '%s'\n", name)
|
||||
continue
|
||||
}
|
||||
|
||||
// prevent injections
|
||||
if nameInjection(name) {
|
||||
log.Printf("get.injection: '%s'\n", name)
|
||||
|
@ -131,6 +137,12 @@ func (i *DataSet) parseJSON(req *http.Request) {
|
|||
// else store values 'parsed' values
|
||||
for name, value := range parsed {
|
||||
|
||||
// prevent invalid names
|
||||
if !validName(name) {
|
||||
log.Printf("invalid variable name: '%s'\n", name)
|
||||
continue
|
||||
}
|
||||
|
||||
// prevent injections
|
||||
if nameInjection(name) {
|
||||
log.Printf("post.injection: '%s'\n", name)
|
||||
|
@ -162,6 +174,12 @@ func (i *DataSet) parseUrlencoded(req *http.Request) {
|
|||
|
||||
for name, value := range req.PostForm {
|
||||
|
||||
// prevent invalid names
|
||||
if !validName(name) {
|
||||
log.Printf("invalid variable name: '%s'\n", name)
|
||||
continue
|
||||
}
|
||||
|
||||
// prevent injections
|
||||
if nameInjection(name) {
|
||||
log.Printf("post.injection: '%s'\n", name)
|
||||
|
@ -200,6 +218,12 @@ func (i *DataSet) parseMultipart(req *http.Request) {
|
|||
/* (3) Store data into 'Form' and 'Set */
|
||||
for name, data := range mpr.Data {
|
||||
|
||||
// prevent invalid names
|
||||
if !validName(name) {
|
||||
log.Printf("invalid variable name: '%s'\n", name)
|
||||
continue
|
||||
}
|
||||
|
||||
// prevent injections
|
||||
if nameInjection(name) {
|
||||
log.Printf("post.injection: '%s'\n", name)
|
||||
|
|
|
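Review bot: The two `log.Printf` calls in the fetchGet hunk (`"invalid variable name: '%s'\n"` and `"get.injection: '%s'\n"`) write client-controlled query keys into the log with `%s`, so a name containing newlines or control characters can forge extra log records; `%q` escapes them and already supplies the quotes, and the trailing `\n` is redundant because `log.Printf` appends one. The same applies to the parseJSON, parseUrlencoded and parseMultipart hunks, e.g. `log.Printf("invalid variable name: %q", name)`. The validName / nameInjection / log / continue sequence is repeated verbatim in all four loops; a small helper such as `acceptName(name, source string) bool` that does the checks and the logging would keep the four parsers in step. Each enclosing method continues past the end of its hunk.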
@ -34,6 +34,12 @@ func nameInjection(pName string) bool {
|
|||
return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
|
||||
}
|
||||
|
||||
// validName returns whether a parameter name (without the GET@ or URL# prefix) is valid
|
||||
// if fails if the name begins/ends with underscores
|
||||
func validName(pName string) bool {
|
||||
return strings.Trim(pName, "_") == pName
|
||||
}
|
||||
|
||||
// parseParameter parses http GET/POST data
|
||||
// - []string
|
||||
// - size = 1 : return json of first element
|
||||
|
|
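Review bot: `validName` returns true for the empty string, because `strings.Trim("", "_")` equals `""`, so an empty query key or form field name passes this check in every caller; `return pName != "" && strings.Trim(pName, "_") == pName` closes that gap. The doc comment has a typo: `// if fails if the name begins/ends with underscores` should read `// it fails if the name begins/ends with underscores`. It would also help to state in that comment that this check is deliberately limited to leading/trailing underscores and that the `GET@`/`URL#` prefixes are handled separately by `nameInjection`, so a reader does not assume broader sanitisation here.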