From bb070a8b83d38694cdbc06403abfc8f4782c7b7a Mon Sep 17 00:00:00 2001
From: Victor Shyba
Date: Thu, 20 Apr 2017 05:21:50 -0300
Subject: [feature] sanitize resource arguments

_validate will check if user_id and blob_id are letter, numbers, dashes and underscores. It is called on render_GET and render_POST, validating incoming arguments before handling on backend.

- Resolves: #8832
---
 server/src/leap/soledad/server/_blobs.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'server/src')

diff --git a/server/src/leap/soledad/server/_blobs.py b/server/src/leap/soledad/server/_blobs.py
index 3dd4ccb4..9dc4b9e7 100644
--- a/server/src/leap/soledad/server/_blobs.py
+++ b/server/src/leap/soledad/server/_blobs.py
@@ -27,6 +27,7 @@ environments.
 import os
 import base64
 import json
+import re
 
 from twisted.logger import Logger
 from twisted.web import static
@@ -195,7 +196,7 @@ class BlobsResource(resource.Resource):
 
     def render_GET(self, request):
         logger.info("http get: %s" % request.path)
-        user, blob_id = request.postpath
+        user, blob_id = self._validate(request)
         if not blob_id:
             return self._handler.list_blobs(user, request)
         self._handler.tag_header(user, blob_id, request)
@@ -203,7 +204,7 @@ class BlobsResource(resource.Resource):
 
     def render_PUT(self, request):
         logger.info("http put: %s" % request.path)
-        user, blob_id = request.postpath
+        user, blob_id = self._validate(request)
         d = self._handler.write_blob(user, blob_id, request)
         d.addCallback(lambda _: request.finish())
         d.addErrback(self._error, request)
@@ -214,6 +215,12 @@ class BlobsResource(resource.Resource):
         request.setResponseCode(500)
         request.finish()
 
+    def _validate(self, request):
+        for arg in request.postpath:
+            if arg and not re.match('^[a-zA-Z0-9_-]+$', arg):
+                raise Exception('Invalid blob resource argument: %s' % arg)
+        return request.postpath
+
 
 if __name__ == '__main__':
     # A dummy blob server
--
cgit v1.2.3
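Review bot: The pattern checked by `re.match` in the new `_validate` method still accepts a path component that ends in a newline, because `$` in a Python regex also matches just before a trailing `\n`; a `%0A` in the request URL is decoded into `request.postpath`, so a `user` or `blob_id` such as `abc\n` would pass the check and reach the handler. Anchor the pattern with `\Z` instead: `if arg and not re.match(r'^[a-zA-Z0-9_-]+\Z', arg):`. A second point is that the bare `Exception` escapes `render_GET`/`render_PUT`, and Twisted reports an unhandled exception from a render method as a 500, so a malformed client URL is surfaced as a server error; setting `request.setResponseCode(400)` before the `raise` (or writing an error body and finishing the request) would attribute the failure correctly. Note also that the `if arg and ...` guard skips empty components, so an empty `user` is not rejected here — presumably deliberate so that an empty `blob_id` can select the list path, but `user` could get its own explicit check since `list_blobs` and `write_blob` are handed it unvalidated.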