From bb070a8b83d38694cdbc06403abfc8f4782c7b7a Mon Sep 17 00:00:00 2001
From: Victor Shyba <victor1984@riseup.net>
Date: Thu, 20 Apr 2017 05:21:50 -0300
Subject: [feature] sanitize resource arguments

_validate checks that user_id and blob_id consist only of letters, numbers, dashes
and underscores. It is called from render_GET and render_POST, validating
incoming arguments before they are handled by the backend.

- Resolves: #8832
---
 server/src/leap/soledad/server/_blobs.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)


diff --git a/server/src/leap/soledad/server/_blobs.py b/server/src/leap/soledad/server/_blobs.py
index 3dd4ccb4..9dc4b9e7 100644
--- a/server/src/leap/soledad/server/_blobs.py
+++ b/server/src/leap/soledad/server/_blobs.py
@@ -27,6 +27,7 @@ environments.
 import os
 import base64
 import json
+import re
 
 from twisted.logger import Logger
 from twisted.web import static
@@ -195,7 +196,7 @@ class BlobsResource(resource.Resource):
 
     def render_GET(self, request):
         logger.info("http get: %s" % request.path)
-        user, blob_id = request.postpath
+        user, blob_id = self._validate(request)
         if not blob_id:
             return self._handler.list_blobs(user, request)
         self._handler.tag_header(user, blob_id, request)
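Review bot: The exception raised by `self._validate(request)` on the replaced line propagates out of render_GET, so a malformed path segment is answered by Twisted's default 500 error page instead of a client error, and in logs it is indistinguishable from a genuine backend failure. The same applies to the render_PUT hunk, where validation runs before the deferred is created and so never reaches the `_error` errback. Catching the validation error in both callers and answering with `request.setResponseCode(400)` plus a short body would keep client mistakes out of the 500 count; the existing `_error` handler shows the file already sets status codes this way. Note also that the commit description names render_POST while the hunk patches render_PUT. render_GET's body continues past the end of this hunk.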
@@ -203,7 +204,7 @@ class BlobsResource(resource.Resource):
 
     def render_PUT(self, request):
         logger.info("http put: %s" % request.path)
-        user, blob_id = request.postpath
+        user, blob_id = self._validate(request)
         d = self._handler.write_blob(user, blob_id, request)
         d.addCallback(lambda _: request.finish())
         d.addErrback(self._error, request)
@@ -214,6 +215,12 @@ class BlobsResource(resource.Resource):
         request.setResponseCode(500)
         request.finish()
 
+    def _validate(self, request):
+        for arg in request.postpath:
+            if arg and not re.match('^[a-zA-Z0-9_-]+$', arg):
+                raise Exception('Invalid blob resource argument: %s' % arg)
+        return request.postpath
+
 
 if __name__ == '__main__':
     # A dummy blob server
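Review bot: The pattern `'^[a-zA-Z0-9_-]+$'` on the new `if arg and not re.match(...)` line still accepts an argument that ends in a single newline, because `$` in Python matches before a trailing `\n`; if percent-encoded segments reach `request.postpath` decoded, a value such as `abc%0A` would pass. Anchoring with `\Z` closes that gap, e.g. `if arg and not re.match(r'^[a-zA-Z0-9_-]+\Z', arg):`. Raising a bare `Exception` also leaves callers no way to tell a validation failure from any other error; a dedicated class such as `class InvalidBlobArgument(Exception): pass` raised here lets render_GET and render_PUT map it to a client-error status. A short docstring stating that empty segments are deliberately allowed (render_GET relies on an empty blob_id to list blobs) would make the `arg and` guard's intent explicit.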