
Commit e59bcd0

Sanitize all received parameters
1 parent 5c911dd commit e59bcd0


1 file changed

+119
-4
lines changed


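--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -93,6 +93,11 @@ class ApiController {
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 log.debug request.getParameterMap().toMapString()
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -175,6 +180,11 @@ class ApiController {
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 ApiErrors errors = new ApiErrors()
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check", REDIRECT_RESPONSE)
@@ -244,9 +254,6 @@ class ApiController {
 
 // Do we have a name for the user joining? If none, complain.
 if (!StringUtils.isEmpty(params.fullName)) {
-params.fullName = StringUtils.strip(params.fullName);
-// remove control characters ( sanitize )
-params.fullName = params.fullName.replaceAll("\\p{Cntrl}", "");
 if (StringUtils.isEmpty(params.fullName)) {
 errors.missingParamError("fullName");
 }
@@ -558,6 +565,11 @@ class ApiController {
 String API_CALL = 'isMeetingRunning'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -634,9 +646,13 @@ class ApiController {
 ************************************/
 def end = {
 String API_CALL = "end"
-
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -759,6 +775,11 @@ class ApiController {
 String API_CALL = "getMeetingInfo"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -842,6 +863,11 @@ class ApiController {
 String API_CALL = "getMeetings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -900,6 +926,11 @@ class ApiController {
 String API_CALL = "getSessions"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -975,6 +1006,11 @@ class ApiController {
 String API_CALL = "setPollXML"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
 return
@@ -1061,6 +1097,11 @@ class ApiController {
 String API_CALL = "setConfigXML"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
 return
@@ -1140,6 +1181,11 @@ class ApiController {
 String API_CALL = "getDefaultConfigXML"
 ApiErrors errors = new ApiErrors();
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1179,6 +1225,11 @@ class ApiController {
 String API_CALL = 'configXML'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 String logoutUrl = paramsProcessorUtil.getDefaultLogoutUrl()
 boolean reject = false
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1226,6 +1277,12 @@ class ApiController {
 def guestWaitHandler = {
 String API_CALL = 'guestWait'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 ApiErrors errors = new ApiErrors()
 boolean reject = false;
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1369,6 +1426,14 @@ class ApiController {
 * ENTER API
 ***********************************************/
 def enter = {
+String API_CALL = 'enter'
+log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 boolean reject = false;
 
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1511,6 +1576,14 @@ class ApiController {
 * STUN/TURN API
 ***********************************************/
 def stuns = {
+String API_CALL = 'stuns'
+log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 boolean reject = false;
 
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1582,6 +1655,13 @@ class ApiController {
 * SIGNOUT API
 *************************************************/
 def signOut = {
+String API_CALL = 'signOut'
+log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
 
 String sessionToken = sanitizeSessionToken(params.sessionToken)
 
@@ -1628,6 +1708,11 @@ class ApiController {
 String API_CALL = "getRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1702,6 +1787,11 @@ class ApiController {
 String API_CALL = "publishRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1783,6 +1873,11 @@ class ApiController {
 String API_CALL = "deleteRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1853,6 +1948,11 @@ class ApiController {
 String API_CALL = "updateRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1924,6 +2024,11 @@ class ApiController {
 def uploadDocuments(conf) { //
 log.debug("ApiController#uploadDocuments(${conf.getInternalId()})");
 
+//sanitizeInput
+params.each {
+key, value -> params[key] = sanitizeInput(value)
+}
+
 String requestBody = request.inputStream == null ? null : request.inputStream.text;
 requestBody = StringUtils.isEmpty(requestBody) ? null : requestBody;
 
@@ -2112,6 +2217,16 @@ class ApiController {
 return us
 }
 
+private def sanitizeInput (input) {
+if(input == null)
+return
+
+if(!("java.lang.String".equals(input.getClass().getName())))
+return input
+
+StringUtils.strip(input.replaceAll("\\p{Cntrl}", ""));
+}
+
 def sanitizeSessionToken(param) {
 if (param == null) {
 log.info("sanitizeSessionToken: token is null")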
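Review bot: `sanitizeInput` in the last hunk (`@@ -2112,6 +2217,16 @@`) only strips values whose runtime class is exactly `java.lang.String`, so a parameter that is not a plain `String` — presumably a repeated query parameter, which Grails exposes as a `String[]` — is returned untouched and reaches every handler unsanitized despite the commit title; `input instanceof String` is the idiomatic check, and the array case should be mapped element by element through the same strip. The identical five-line `params.each` block is pasted into roughly twenty handlers, so a private `sanitizeParams()` helper called once per action (or a controller-level interceptor) would keep them consistent and make it hard for a future action to forget the step. In the `@@ -244,9 +254,6 @@` hunk the strip now happens before `if (!StringUtils.isEmpty(params.fullName))`, which makes the inner `if (StringUtils.isEmpty(params.fullName))` / `errors.missingParamError("fullName")` branch unreachable; that enclosing `if` continues outside the hunk, so its `else` (if any) should be checked before the dead branch is dropped. The new method also has no comment; `// Strips ASCII control characters (\p{Cntrl}) and surrounding whitespace from String values; other types pass through unchanged` would state the contract.
```groovy
private def sanitizeInput(input) {
  if (input == null) {
    return null
  }
  if (input instanceof String[]) {
    return input.collect { sanitizeInput(it) } as String[]
  }
  if (!(input instanceof String)) {
    return input
  }
  return StringUtils.strip(input.replaceAll("\\p{Cntrl}", ""))
}
```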
