Merge pull request #2467 from suvajit-sarkar/develop

fix(indy): add func to prevent injection in indy identity gen script

platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py

@@ -5,6 +5,7 @@
 import string
 import ujson as json
 import base58
+import re
 
 from crypto.bls.bls_crypto import BlsGroupParamsLoader
 from crypto.bls.bls_factory import BlsFactoryCrypto
@@ -256,7 +257,7 @@ def process_data(self, vault_paths, headers):
 
     def send_data(self, url, data, headers):
         print('url: {}'.format(url))
-        requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
+        requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
         print('=====================')
 
     def read_data(self, url, headers):
@@ -281,16 +282,36 @@ def path_iteration(dictionary, path):
 
 class IdentityCreator:
 
+    def prevent_injections(input_string):
+        # Regex pattern to prevent SQL injection
+        sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+
+        # Regex pattern to prevent HTML injection
+        html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+
+        # Check for SQL injection
+        if sql_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+
+        # Check for HTML injection
+        if html_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+
+        # HTML escape the input
+        escaped_string = html.escape(input_string)
+
+        return escaped_string
+
     @classmethod
     def process(cls):
         parser = argparse.ArgumentParser(description="Generate pool transactions")
-        parser.add_argument('--identity_name', required=True,
+        parser.add_argument('--identity_name', type=prevent_injections, required=True,
                             help='Identity name')
-        parser.add_argument('--vault_path', required=True,
+        parser.add_argument('--vault_path', type=prevent_injections, required=True,
                             help='Vault path')
-        parser.add_argument('--target', required=False, default='console',
+        parser.add_argument('--target', type=prevent_injections, required=False, default='console',
                             help='Output type for identity.')
-        parser.add_argument('--vault_address', required=False, default='http://vault:8200',
+        parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
                             help='Address for vault server.')
 
         args = parser.parse_args()

platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py

@@ -5,6 +5,7 @@
 import string
 import ujson as json
 import base58
+import re
 
 from crypto.bls.bls_crypto import BlsGroupParamsLoader
 from crypto.bls.bls_factory import BlsFactoryCrypto
@@ -258,7 +259,7 @@ def process_data(self, vault_paths, headers):
 
     def send_data(self, url, data, headers):
         print('url: {}'.format(url))
-        requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
+        requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
         print('=====================')
 
     def read_data(self, url, headers):
@@ -287,19 +288,39 @@ def path_iteration(dictionary, path):
 
 
 class IdentityCreatorV2:
+
+    def prevent_injections(input_string):
+        # Regex pattern to prevent SQL injection
+        sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+
+        # Regex pattern to prevent HTML injection
+        html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+
+        # Check for SQL injection
+        if sql_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+
+        # Check for HTML injection
+        if html_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+
+        # HTML escape the input
+        escaped_string = html.escape(input_string)
+
+        return escaped_string
 
     @classmethod
     def process(cls):
         parser = argparse.ArgumentParser(description="Generate pool transactions")
-        parser.add_argument('--identity_name', required=True,
+        parser.add_argument('--identity_name', type=prevent_injections, required=True,
                             help='Identity name')
-        parser.add_argument('--vault_path', required=True,
+        parser.add_argument('--vault_path', type=prevent_injections, required=True,
                             help='Vault path')
-        parser.add_argument('--target', required=False, default='console',
+        parser.add_argument('--target', type=prevent_injections, required=False, default='console',
                             help='Output type for identity.')
-        parser.add_argument('--vault_address', required=False, default='http://localhost:8200',
+        parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
                             help='Address for vault server.')
-        parser.add_argument('--version', required=False, default='1',
+        parser.add_argument('--version', type=prevent_injections, required=False, default='1',
                             help='Vault KV version')
 
         args = parser.parse_args()