From b0002a034daa00a7c063b76d40ca05a8b7fc6a26 Mon Sep 17 00:00:00 2001 From: xdrm-brackets Date: Tue, 22 May 2018 09:28:30 +0200 Subject: [PATCH] update format get -> 'GET@...', url -> 'URL#...' + prevent parameter name injection (if begin with 'GET@' or 'URL#' in POST or GET) --- request_builder.go | 31 +++++++++++++++++++++++++++++-- router.go | 7 ++++++- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/request_builder.go b/request_builder.go index b911541..f8f5514 100644 --- a/request_builder.go +++ b/request_builder.go @@ -24,11 +24,30 @@ func buildRequest(req *http.Request) (*Request, error) { } inst.ControllerUri = make([]string, 0, len(inst.Uri)) - /* (2) Fill 'Data' with all data */ + /* (2) Fill 'Data' with GET data */ for name, data := range inst.GetData { - inst.Data[fmt.Sprintf("GET_%s", name)] = data + // prevent injections + if isParameterNameInjection(name) { + log.Printf("get.name_injection: '%s'\n", name) + delete(inst.GetData, name) + continue + } + + // add into data + inst.Data[fmt.Sprintf("GET@%s", name)] = data } + + /* (3) Fill 'Data' with POST data */ for name, data := range inst.FormData { + + // prevent injections + if isParameterNameInjection(name) { + log.Printf("post.name_injection: '%s'\n", name) + delete(inst.FormData, name) + continue + } + + // add into data inst.Data[name] = data } @@ -122,3 +141,11 @@ func FetchFormData(req *http.Request) map[string]interface{} { return res } + +// isParameterNameInjection returns whether there is +// a parameter name injection: +// - inferred GET parameters +// - inferred URL parameters +func isParameterNameInjection(pName string) bool { + return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#") +} diff --git a/router.go b/router.go index 2b1b4c4..202a879 100644 --- a/router.go +++ b/router.go 
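Review bot: In the buildRequest hunk the rejected parameter name is attacker-controlled and is written to the log with `'%s'`, so a name containing a newline or other control characters can forge extra log lines; both calls should quote it, e.g. `log.Printf("get.name_injection: %q", name)` and `log.Printf("post.name_injection: %q", name)` (the trailing `\n` is also redundant, `log.Printf` already terminates the line). Separately, the offending field is silently dropped and the request proceeds; since buildRequest already returns an error, consider returning one so the client gets a 4xx rather than a request that quietly lost a parameter — that is a design choice rather than a defect, but it should be deliberate. The GET-side check is stricter than needed, since GET names are always prefixed with `GET@` and so cannot collide with `URL#` keys, which is harmless but worth a comment. buildRequest starts and ends outside this hunk.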
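Review bot: In the isParameterNameInjection hunk the prefixes `"GET@"` and `"URL#"` are now spelled in three separate places (this check, the `GET@%s` format in buildRequest and the `URL#%d` format in router.go), and the commit itself shows how easily they drift, since it had to rewrite the earlier `GET_`/`URL` forms. Declare them once, `const getDataPrefix = "GET@"` and `const urlDataPrefix = "URL#"`, and use the constants both in the Sprintf calls and in `strings.HasPrefix` here, so a future format change cannot silently reopen the key collision the check is meant to prevent. The doc comment would also be clearer if it said what "inferred" means, e.g. `// a client-supplied name that would be indistinguishable from a server-generated GET@ or URL# key`.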
@@ -51,7 +51,7 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) { /* (4) Store them as Data */ for i, data := range uriParams { request.UrlData[i] = data - request.Data[fmt.Sprintf("URL%d", i)] = data + request.Data[fmt.Sprintf("URL#%d", i)] = data } /* (3) Check method @@ -94,6 +94,11 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) { /* (4) Check arguments ---------------------------------------------------------*/ + for name, data := range request.Data { + fmt.Printf("- %s: %v\n", name, data) + } + fmt.Printf("\n") + fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/")) return }
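Review bot: The loop added in the second router.go hunk prints every parameter name and value of every request to stdout with `fmt.Printf`, which includes POST form bodies (passwords, tokens, personal data) and ends up wherever the process output is captured; this looks like leftover debugging and should not reach a release. If a request dump is genuinely wanted, gate it behind a debug flag and emit it through `log` with the name quoted, e.g. `log.Printf("- %q: %v", name, data)`, so control characters in a client-chosen name cannot forge log lines. The neighbouring context line `fmt.Printf("OK\nplugin: ...")` has the same stdout-debug character and presumably belongs behind the same flag. route starts and ends outside this hunk.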