@@ -93,6 +93,11 @@ class ApiController {
9393 log. debug CONTROLLER_NAME + " #${ API_CALL} "
9494 log. debug request. getParameterMap(). toMapString()
9595
96+ // sanitizeInput
97+ params. each {
98+ key, value -> params[key] = sanitizeInput(value)
99+ }
100+
96101 // BEGIN - backward compatibility
97102 if (StringUtils . isEmpty(params. checksum)) {
98103 invalid(" checksumError" , " You did not pass the checksum security check" )
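Review bot: The same five-line sanitize loop is pasted into every action touched by this commit (the hunks at +180, +565, +646, +775, +863, +926, +1006, +1097, +1181, +1225, +1277, +1426, +1576, +1655, +1708, +1787, +1873, +1948 and +2024), and the `// sanitizeInput` comment above it only repeats the method name. Applying it once from a Grails `beforeInterceptor` or a single private `sanitizeParams()` helper would keep the rule in one place so a newly added action cannot forget it, and the comment should state the guarantee rather than the name, e.g. `// Trim and replace control characters in every String request parameter before it is validated, logged or echoed back`. Note also that the loop rewrites `params` only; the `request.getParameterMap().toMapString()` debug line just above it still prints the raw values, so if the goal includes keeping control characters out of the log, that line needs to move below the loop or log the sanitized map instead. The enclosing action continues outside the hunk.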
@@ -175,6 +180,11 @@ class ApiController {
175180 log. debug CONTROLLER_NAME + " #${ API_CALL} "
176181 ApiErrors errors = new ApiErrors ()
177182
183+ // sanitizeInput
184+ params. each {
185+ key, value -> params[key] = sanitizeInput(value)
186+ }
187+
178188 // BEGIN - backward compatibility
179189 if (StringUtils . isEmpty(params. checksum)) {
180190 invalid(" checksumError" , " You did not pass the checksum security check" , REDIRECT_RESPONSE )
@@ -244,9 +254,6 @@ class ApiController {
244254
245255 // Do we have a name for the user joining? If none, complain.
246256 if (! StringUtils . isEmpty(params. fullName)) {
247- params. fullName = StringUtils . strip(params. fullName);
248- // remove control characters ( sanitize )
249- params. fullName = params. fullName. replaceAll(" \\ p{Cntrl}" , " " );
250257 if (StringUtils . isEmpty(params. fullName)) {
251258 errors. missingParamError(" fullName" );
252259 }
@@ -558,6 +565,11 @@ class ApiController {
558565 String API_CALL = ' isMeetingRunning'
559566 log. debug CONTROLLER_NAME + " #${ API_CALL} "
560567
568+ // sanitizeInput
569+ params. each {
570+ key, value -> params[key] = sanitizeInput(value)
571+ }
572+
561573 // BEGIN - backward compatibility
562574 if (StringUtils . isEmpty(params. checksum)) {
563575 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -634,9 +646,13 @@ class ApiController {
634646 ************************************/
635647 def end = {
636648 String API_CALL = " end"
637-
638649 log. debug CONTROLLER_NAME + " #${ API_CALL} "
639650
651+ // sanitizeInput
652+ params. each {
653+ key, value -> params[key] = sanitizeInput(value)
654+ }
655+
640656 // BEGIN - backward compatibility
641657 if (StringUtils . isEmpty(params. checksum)) {
642658 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -759,6 +775,11 @@ class ApiController {
759775 String API_CALL = " getMeetingInfo"
760776 log. debug CONTROLLER_NAME + " #${ API_CALL} "
761777
778+ // sanitizeInput
779+ params. each {
780+ key, value -> params[key] = sanitizeInput(value)
781+ }
782+
762783 // BEGIN - backward compatibility
763784 if (StringUtils . isEmpty(params. checksum)) {
764785 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -842,6 +863,11 @@ class ApiController {
842863 String API_CALL = " getMeetings"
843864 log. debug CONTROLLER_NAME + " #${ API_CALL} "
844865
866+ // sanitizeInput
867+ params. each {
868+ key, value -> params[key] = sanitizeInput(value)
869+ }
870+
845871 // BEGIN - backward compatibility
846872 if (StringUtils . isEmpty(params. checksum)) {
847873 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -900,6 +926,11 @@ class ApiController {
900926 String API_CALL = " getSessions"
901927 log. debug CONTROLLER_NAME + " #${ API_CALL} "
902928
929+ // sanitizeInput
930+ params. each {
931+ key, value -> params[key] = sanitizeInput(value)
932+ }
933+
903934 // BEGIN - backward compatibility
904935 if (StringUtils . isEmpty(params. checksum)) {
905936 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -975,6 +1006,11 @@ class ApiController {
9751006 String API_CALL = " setPollXML"
9761007 log. debug CONTROLLER_NAME + " #${ API_CALL} "
9771008
1009+ // sanitizeInput
1010+ params. each {
1011+ key, value -> params[key] = sanitizeInput(value)
1012+ }
1013+
9781014 if (StringUtils . isEmpty(params. checksum)) {
9791015 invalid(" checksumError" , " You did not pass the checksum security check" )
9801016 return
@@ -1061,6 +1097,11 @@ class ApiController {
10611097 String API_CALL = " setConfigXML"
10621098 log. debug CONTROLLER_NAME + " #${ API_CALL} "
10631099
1100+ // sanitizeInput
1101+ params. each {
1102+ key, value -> params[key] = sanitizeInput(value)
1103+ }
1104+
10641105 if (StringUtils . isEmpty(params. checksum)) {
10651106 invalid(" checksumError" , " You did not pass the checksum security check" )
10661107 return
@@ -1140,6 +1181,11 @@ class ApiController {
11401181 String API_CALL = " getDefaultConfigXML"
11411182 ApiErrors errors = new ApiErrors ();
11421183
1184+ // sanitizeInput
1185+ params. each {
1186+ key, value -> params[key] = sanitizeInput(value)
1187+ }
1188+
11431189 // BEGIN - backward compatibility
11441190 if (StringUtils . isEmpty(params. checksum)) {
11451191 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -1179,6 +1225,11 @@ class ApiController {
11791225 String API_CALL = ' configXML'
11801226 log. debug CONTROLLER_NAME + " #${ API_CALL} "
11811227
1228+ // sanitizeInput
1229+ params. each {
1230+ key, value -> params[key] = sanitizeInput(value)
1231+ }
1232+
11821233 String logoutUrl = paramsProcessorUtil. getDefaultLogoutUrl()
11831234 boolean reject = false
11841235 String sessionToken = sanitizeSessionToken(params. sessionToken)
@@ -1226,6 +1277,12 @@ class ApiController {
12261277 def guestWaitHandler = {
12271278 String API_CALL = ' guestWait'
12281279 log. debug CONTROLLER_NAME + " #${ API_CALL} "
1280+
1281+ // sanitizeInput
1282+ params. each {
1283+ key, value -> params[key] = sanitizeInput(value)
1284+ }
1285+
12291286 ApiErrors errors = new ApiErrors ()
12301287 boolean reject = false ;
12311288 String sessionToken = sanitizeSessionToken(params. sessionToken)
@@ -1369,6 +1426,14 @@ class ApiController {
13691426 * ENTER API
13701427 ***********************************************/
13711428 def enter = {
1429+ String API_CALL = ' enter'
1430+ log. debug CONTROLLER_NAME + " #${ API_CALL} "
1431+
1432+ // sanitizeInput
1433+ params. each {
1434+ key, value -> params[key] = sanitizeInput(value)
1435+ }
1436+
13721437 boolean reject = false ;
13731438
13741439 String sessionToken = sanitizeSessionToken(params. sessionToken)
@@ -1511,6 +1576,14 @@ class ApiController {
15111576 * STUN/TURN API
15121577 ***********************************************/
15131578 def stuns = {
1579+ String API_CALL = ' stuns'
1580+ log. debug CONTROLLER_NAME + " #${ API_CALL} "
1581+
1582+ // sanitizeInput
1583+ params. each {
1584+ key, value -> params[key] = sanitizeInput(value)
1585+ }
1586+
15141587 boolean reject = false ;
15151588
15161589 String sessionToken = sanitizeSessionToken(params. sessionToken)
@@ -1582,6 +1655,13 @@ class ApiController {
15821655 * SIGNOUT API
15831656 *************************************************/
15841657 def signOut = {
1658+ String API_CALL = ' signOut'
1659+ log. debug CONTROLLER_NAME + " #${ API_CALL} "
1660+
1661+ // sanitizeInput
1662+ params. each {
1663+ key, value -> params[key] = sanitizeInput(value)
1664+ }
15851665
15861666 String sessionToken = sanitizeSessionToken(params. sessionToken)
15871667
@@ -1628,6 +1708,11 @@ class ApiController {
16281708 String API_CALL = " getRecordings"
16291709 log. debug CONTROLLER_NAME + " #${ API_CALL} "
16301710
1711+ // sanitizeInput
1712+ params. each {
1713+ key, value -> params[key] = sanitizeInput(value)
1714+ }
1715+
16311716 // BEGIN - backward compatibility
16321717 if (StringUtils . isEmpty(params. checksum)) {
16331718 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -1702,6 +1787,11 @@ class ApiController {
17021787 String API_CALL = " publishRecordings"
17031788 log. debug CONTROLLER_NAME + " #${ API_CALL} "
17041789
1790+ // sanitizeInput
1791+ params. each {
1792+ key, value -> params[key] = sanitizeInput(value)
1793+ }
1794+
17051795 // BEGIN - backward compatibility
17061796 if (StringUtils . isEmpty(params. checksum)) {
17071797 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -1783,6 +1873,11 @@ class ApiController {
17831873 String API_CALL = " deleteRecordings"
17841874 log. debug CONTROLLER_NAME + " #${ API_CALL} "
17851875
1876+ // sanitizeInput
1877+ params. each {
1878+ key, value -> params[key] = sanitizeInput(value)
1879+ }
1880+
17861881 // BEGIN - backward compatibility
17871882 if (StringUtils . isEmpty(params. checksum)) {
17881883 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -1853,6 +1948,11 @@ class ApiController {
18531948 String API_CALL = " updateRecordings"
18541949 log. debug CONTROLLER_NAME + " #${ API_CALL} "
18551950
1951+ // sanitizeInput
1952+ params. each {
1953+ key, value -> params[key] = sanitizeInput(value)
1954+ }
1955+
18561956 // BEGIN - backward compatibility
18571957 if (StringUtils . isEmpty(params. checksum)) {
18581958 invalid(" checksumError" , " You did not pass the checksum security check" )
@@ -1924,6 +2024,11 @@ class ApiController {
19242024 def uploadDocuments (conf ) { //
19252025 log. debug(" ApiController#uploadDocuments(${ conf.getInternalId()} )" );
19262026
2027+ // sanitizeInput
2028+ params. each {
2029+ key, value -> params[key] = sanitizeInput(value)
2030+ }
2031+
19272032 String requestBody = request. inputStream == null ? null : request. inputStream. text;
19282033 requestBody = StringUtils . isEmpty(requestBody) ? null : requestBody;
19292034
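Review bot: `uploadDocuments(conf)` is a helper that takes a `conf` argument rather than a request action, so the loop added at +2027 re-sanitizes `params` that the calling action has presumably already run through the same loop; if it is reached only from the action that builds `conf`, the block is redundant and can be dropped, and if it has another entry point a comment naming it would explain why the repeat is needed. The method body continues outside the hunk.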
@@ -2112,6 +2217,16 @@ class ApiController {
21122217 return us
21132218 }
21142219
2220+ private def sanitizeInput (input ) {
2221+ if (input == null )
2222+ return
2223+
2224+ if (! (" java.lang.String" . equals(input. getClass(). getName())))
2225+ return input
2226+
2227+ StringUtils . strip(input. replaceAll(" \\ p{Cntrl}" , " " ));
2228+ }
2229+
21152230 def sanitizeSessionToken (param ) {
21162231 if (param == null ) {
21172232 log. info(" sanitizeSessionToken: token is null" )
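Review bot: `sanitizeInput` rewrites only values whose runtime class is exactly `java.lang.String`, so every other value in `params` is returned untouched on line 2225 and reaches the handlers unsanitized; in particular, whatever a parameter map holds for a repeated parameter name (commonly a `String[]`) and any nested map value skips the control-character replacement entirely. The exact-class comparison can be replaced by `instanceof` and arrays handled element-wise with `if (input instanceof String[]) return input.collect { sanitizeInput(it) } as String[]` followed by `if (!(input instanceof String)) return input`. The method also deserves a short doc comment stating its contract, for example that it returns null for null, non-String values unchanged, and for Strings the value with each `\p{Cntrl}` character replaced by a space and then stripped, since a caller reading `return` on line 2222 next to `return input` on line 2225 cannot otherwise tell the two paths apart.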