update format get -> 'GET@...', url -> 'URL#...' + prevent parameter name injection (if begin with 'GET@' or 'URL#' in POST or GET)

This commit is contained in:
Adrien Marquès 2018-05-22 09:28:30 +02:00
parent 32520a1591
commit b0002a034d
2 changed files with 35 additions and 3 deletions


@ -24,11 +24,30 @@ func buildRequest(req *http.Request) (*Request, error) {
}
inst.ControllerUri = make([]string, 0, len(inst.Uri))
/* (2) Fill 'Data' with all data */
/* (2) Fill 'Data' with GET data */
for name, data := range inst.GetData {
inst.Data[fmt.Sprintf("GET_%s", name)] = data
// prevent injections
if isParameterNameInjection(name) {
log.Printf("get.name_injection: '%s'\n", name)
delete(inst.GetData, name)
continue
}
// add into data
inst.Data[fmt.Sprintf("GET@%s", name)] = data
}
/* (3) Fill 'Data' with POST data */
for name, data := range inst.FormData {
// prevent injections
if isParameterNameInjection(name) {
log.Printf("post.name_injection: '%s'\n", name)
delete(inst.FormData, name)
continue
}
// add into data
inst.Data[name] = data
}
@ -122,3 +141,11 @@ func FetchFormData(req *http.Request) map[string]interface{} {
return res
}
// isParameterNameInjection returns whether there is
// a parameter name injection:
// - inferred GET parameters
// - inferred URL parameters
func isParameterNameInjection(pName string) bool {
return strings.HasPrefix(pName, "GET@") || strings.HasPrefix(pName, "URL#")
}
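Review bot: The rejection log lines at L20 and L31 interpolate the client-supplied parameter name with `'%s'`, so a name containing a newline or other control characters can forge extra log entries; `%q` escapes them: `log.Printf("get.name_injection: %q", name)` and `log.Printf("post.name_injection: %q", name)` (log.Printf already terminates the line, so the explicit `\n` is redundant). The prefix check in isParameterNameInjection is only sound while every writer into `Data` uses exactly the `GET@%s` and `URL#%d` spellings it tests for, so a comment recording that coupling would help the next maintainer, e.g. `// Must stay in sync with the "GET@%s" and "URL#%d" key formats used when Data is populated.` Silently deleting the offending key also means the caller never learns its request was altered; returning an error from buildRequest (so the handler can answer 400) may be the safer contract, depending on how callers treat partial data. buildRequest's body begins before the first hunk, and whether `strings` is already imported in this file is not visible here.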


@ -51,7 +51,7 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
/* (4) Store them as Data */
for i, data := range uriParams {
request.UrlData[i] = data
request.Data[fmt.Sprintf("URL%d", i)] = data
request.Data[fmt.Sprintf("URL#%d", i)] = data
}
/* (3) Check method
@ -94,6 +94,11 @@ func (s Server) route(res http.ResponseWriter, req *http.Request) {
/* (4) Check arguments
---------------------------------------------------------*/
for name, data := range request.Data {
fmt.Printf("- %s: %v\n", name, data)
}
fmt.Printf("\n")
fmt.Printf("OK\nplugin: '%si.so'\n", strings.Join(request.ControllerUri, "/"))
return
}
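Review bot: The loop at L62–L64 prints every request parameter name and value to stdout, which, if it is more than temporary debugging, records POST bodies (and any credentials they carry) in the process output; either gate it behind a debug setting or remove it before merging, and if it stays, quote the client-controlled name so control characters cannot reshape the output: `fmt.Printf("- %q: %v\n", name, data)`. The `URL#%d` key at L56 matches the prefix now rejected for POST and GET names in the other file, so URL-derived entries can no longer be shadowed by a same-named form field. route's body begins before the first hunk shown.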