fix(indy): add func to prevent injection in indy identity gen script #2467

Merged
merged 2 commits into from Jan 4, 2024
Merged
Expand Up @@ -5,6 +5,7 @@
import string
import ujson as json
import base58
import re

from crypto.bls.bls_crypto import BlsGroupParamsLoader
from crypto.bls.bls_factory import BlsFactoryCrypto
Expand Down Expand Up @@ -256,7 +257,7 @@ def process_data(self, vault_paths, headers):

def send_data(self, url, data, headers):
print('url: {}'.format(url))
requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
print('=====================')

def read_data(self, url, headers):
Expand All @@ -281,16 +282,36 @@ def path_iteration(dictionary, path):

class IdentityCreator:

def prevent_injections(input_string):
# Regex pattern to prevent SQL injection
sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)

# Regex pattern to prevent HTML injection
html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)

# Check for SQL injection
if sql_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential SQL injection attempt.")

# Check for HTML injection
if html_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential HTML injection attempt.")

# HTML escape the input
escaped_string = html.escape(input_string)

return escaped_string

@classmethod
def process(cls):
parser = argparse.ArgumentParser(description="Generate pool transactions")
parser.add_argument('--identity_name', required=True,
parser.add_argument('--identity_name', type=prevent_injections, required=True,
help='Identity name')
parser.add_argument('--vault_path', required=True,
parser.add_argument('--vault_path', type=prevent_injections, required=True,
help='Vault path')
parser.add_argument('--target', required=False, default='console',
parser.add_argument('--target', type=prevent_injections, required=False, default='console',
help='Output type for identity.')
parser.add_argument('--vault_address', required=False, default='http://vault:8200',
parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
help='Address for vault server.')

args = parser.parse_args()
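Review bot: `prevent_injections` is defined in the body of `IdentityCreator` (no `@staticmethod`), but `process` refers to it as the bare name `prevent_injections` in each `type=` argument; class-body names are not visible from a method body, so `parse_args()` will raise `NameError` unless a module-level `prevent_injections` exists outside the hunk. Decorating the function with `@staticmethod` and writing `type=cls.prevent_injections` in the four `add_argument` calls fixes the lookup; the same applies to `IdentityCreatorV2` in the second file. `html.escape` is also called, yet the import hunk adds only `import re`, so confirm `html` is already imported at the top of both files. Separately, the keyword blocklist is a weak control: it rejects legitimate values containing words such as `update` or `create`, while `html.escape` rewrites `&`, `'` and `"` in the accepted value, so a vault address with a query string or an identity name with an apostrophe is silently altered before it is used. A more reliable approach is to validate each argument against what it is expected to be — an allow-list pattern for identity names, `urllib.parse` for the address — and leave escaping to the layer that actually renders the value.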
Expand Up @@ -5,6 +5,7 @@
import string
import ujson as json
import base58
import re

from crypto.bls.bls_crypto import BlsGroupParamsLoader
from crypto.bls.bls_factory import BlsFactoryCrypto
Expand Down Expand Up @@ -258,7 +259,7 @@ def process_data(self, vault_paths, headers):

def send_data(self, url, data, headers):
print('url: {}'.format(url))
requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
print('=====================')

def read_data(self, url, headers):
Expand Down Expand Up @@ -287,19 +288,39 @@ def path_iteration(dictionary, path):


class IdentityCreatorV2:

def prevent_injections(input_string):
# Regex pattern to prevent SQL injection
sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)

# Regex pattern to prevent HTML injection
html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)

# Check for SQL injection
if sql_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential SQL injection attempt.")

# Check for HTML injection
if html_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential HTML injection attempt.")

# HTML escape the input
escaped_string = html.escape(input_string)

return escaped_string

@classmethod
def process(cls):
parser = argparse.ArgumentParser(description="Generate pool transactions")
parser.add_argument('--identity_name', required=True,
parser.add_argument('--identity_name', type=prevent_injections, required=True,
help='Identity name')
parser.add_argument('--vault_path', required=True,
parser.add_argument('--vault_path', type=prevent_injections, required=True,
help='Vault path')
parser.add_argument('--target', required=False, default='console',
parser.add_argument('--target', type=prevent_injections, required=False, default='console',
help='Output type for identity.')
parser.add_argument('--vault_address', required=False, default='http://localhost:8200',
parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
help='Address for vault server.')
parser.add_argument('--version', required=False, default='1',
parser.add_argument('--version', type=prevent_injections, required=False, default='1',
help='Vault KV version')

args = parser.parse_args()