Sanitize all received parameters
TiagoJacobs committed Nov 13, 2020
1 parent 5c911dd commit e59bcd0
Showing 1 changed file with 119 additions and 4 deletions.
Expand Up @@ -93,6 +93,11 @@ class ApiController {
log.debug CONTROLLER_NAME + "#${API_CALL}"
log.debug request.getParameterMap().toMapString()

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -175,6 +180,11 @@ class ApiController {
log.debug CONTROLLER_NAME + "#${API_CALL}"
ApiErrors errors = new ApiErrors()

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check", REDIRECT_RESPONSE)
Expand Down Expand Up @@ -244,9 +254,6 @@ class ApiController {

// Do we have a name for the user joining? If none, complain.
if (!StringUtils.isEmpty(params.fullName)) {
params.fullName = StringUtils.strip(params.fullName);
// remove control characters ( sanitize )
params.fullName = params.fullName.replaceAll("\\p{Cntrl}", "");
if (StringUtils.isEmpty(params.fullName)) {
errors.missingParamError("fullName");
}
Expand Down Expand Up @@ -558,6 +565,11 @@ class ApiController {
String API_CALL = 'isMeetingRunning'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -634,9 +646,13 @@ class ApiController {
************************************/
def end = {
String API_CALL = "end"

log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -759,6 +775,11 @@ class ApiController {
String API_CALL = "getMeetingInfo"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -842,6 +863,11 @@ class ApiController {
String API_CALL = "getMeetings"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -900,6 +926,11 @@ class ApiController {
String API_CALL = "getSessions"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -975,6 +1006,11 @@ class ApiController {
String API_CALL = "setPollXML"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
return
Expand Down Expand Up @@ -1061,6 +1097,11 @@ class ApiController {
String API_CALL = "setConfigXML"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
return
Expand Down Expand Up @@ -1140,6 +1181,11 @@ class ApiController {
String API_CALL = "getDefaultConfigXML"
ApiErrors errors = new ApiErrors();

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -1179,6 +1225,11 @@ class ApiController {
String API_CALL = 'configXML'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

String logoutUrl = paramsProcessorUtil.getDefaultLogoutUrl()
boolean reject = false
String sessionToken = sanitizeSessionToken(params.sessionToken)
Expand Down Expand Up @@ -1226,6 +1277,12 @@ class ApiController {
def guestWaitHandler = {
String API_CALL = 'guestWait'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

ApiErrors errors = new ApiErrors()
boolean reject = false;
String sessionToken = sanitizeSessionToken(params.sessionToken)
Expand Down Expand Up @@ -1369,6 +1426,14 @@ class ApiController {
* ENTER API
***********************************************/
def enter = {
String API_CALL = 'enter'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

boolean reject = false;

String sessionToken = sanitizeSessionToken(params.sessionToken)
Expand Down Expand Up @@ -1511,6 +1576,14 @@ class ApiController {
* STUN/TURN API
***********************************************/
def stuns = {
String API_CALL = 'stuns'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

boolean reject = false;

String sessionToken = sanitizeSessionToken(params.sessionToken)
Expand Down Expand Up @@ -1582,6 +1655,13 @@ class ApiController {
* SIGNOUT API
*************************************************/
def signOut = {
String API_CALL = 'signOut'
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

String sessionToken = sanitizeSessionToken(params.sessionToken)

Expand Down Expand Up @@ -1628,6 +1708,11 @@ class ApiController {
String API_CALL = "getRecordings"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -1702,6 +1787,11 @@ class ApiController {
String API_CALL = "publishRecordings"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -1783,6 +1873,11 @@ class ApiController {
String API_CALL = "deleteRecordings"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -1853,6 +1948,11 @@ class ApiController {
String API_CALL = "updateRecordings"
log.debug CONTROLLER_NAME + "#${API_CALL}"

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

// BEGIN - backward compatibility
if (StringUtils.isEmpty(params.checksum)) {
invalid("checksumError", "You did not pass the checksum security check")
Expand Down Expand Up @@ -1924,6 +2024,11 @@ class ApiController {
def uploadDocuments(conf) { //
log.debug("ApiController#uploadDocuments(${conf.getInternalId()})");

//sanitizeInput
params.each {
key, value -> params[key] = sanitizeInput(value)
}

String requestBody = request.inputStream == null ? null : request.inputStream.text;
requestBody = StringUtils.isEmpty(requestBody) ? null : requestBody;

Expand Down Expand Up @@ -2112,6 +2217,16 @@ class ApiController {
return us
}

private def sanitizeInput (input) {
if(input == null)
return

if(!("java.lang.String".equals(input.getClass().getName())))
return input

StringUtils.strip(input.replaceAll("\\p{Cntrl}", ""));
}

def sanitizeSessionToken(param) {
if (param == null) {
log.info("sanitizeSessionToken: token is null")
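Review bot: `sanitizeInput` in the last hunk only rewrites values whose runtime class is exactly `java.lang.String`, so any other value stored in `params` is handed back untouched — in Grails a parameter that is supplied more than once arrives as a `String[]`, and those elements would keep their control characters. `\p{Cntrl}` in a Java regex is the ASCII POSIX class `[\x00-\x1F\x7F]`; if the intent is to drop every control character, `\p{Cc}` also covers the Unicode C1 range. The `instanceof` form below drops the class-name string comparison and keeps the existing null behaviour, since `null instanceof String` is false and the input is returned as-is. The same five-line `params.each` block is pasted into every action from the first hunk onward; one private `sanitizeParams()` called at the top of each action, or a Grails interceptor, would make the step harder to forget in a future action and would leave a single place to change the rule.
```groovy
private def sanitizeInput(input) {
    if (input instanceof String[]) {
        return input.collect { sanitizeInput(it) } as String[]
    }
    if (!(input instanceof String)) {
        return input
    }
    StringUtils.strip(input.replaceAll("\\p{Cc}", ""))
}
```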
