fix(connector-fabric): uncontrolled data used in path expression

Starts using the `sanitize-filename` npm package to secure the Fabric ledger connector against malicious user input when it comes to file paths of the golang source codes that can be deployed through it. https://www.npmjs.com/package/sanitize-filename Fixes #1909 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
hyperledger · Mar 14, 2022 · ef0981d · ef0981d
1 parent 618bf47
commit ef0981d
Show file tree

Hide file tree

Showing 3 changed files with 338 additions and 292 deletions.
diff --git a/packages/cactus-plugin-ledger-connector-fabric/package.json b/packages/cactus-plugin-ledger-connector-fabric/package.json
@@ -74,6 +74,7 @@
     "node-vault": "0.9.22",
     "openapi-types": "9.1.0",
     "prom-client": "13.2.0",
+    "sanitize-filename": "1.6.3",
     "secp256k1": "4.0.3",
     "temp": "0.9.4",
     "typescript-optional": "2.0.1",

diff --git a/...ic/src/main/typescript/deploy-contract-go-source/deploy-contract-go-source-endpoint-v1.ts b/...ic/src/main/typescript/deploy-contract-go-source/deploy-contract-go-source-endpoint-v1.ts
@@ -1,5 +1,6 @@
 import { Express, Request, Response } from "express";
 import HttpStatus from "http-status-codes";
+import sanitizeFilename from "sanitize-filename";
 
 import {
   Logger,
@@ -84,6 +85,24 @@ export class DeployContractGoSourceEndpointV1 implements IWebServiceEndpoint {
     return this;
   }
 
+  /**
+   * Important: This function mutates the input object in an attempt to sanitize
+   * the user provided data in case it was malicious.
+   *
+   *
+   * @param reqBody The HTTP request body that will have it's filenames and
+   * filepaths mutated if they contain invalid/unsafe user input. The passed
+   * in object will have it's values updated once the function has returned.
+   */
+  protected async sanitizeFilenamesInRequest(
+    reqBody: DeployContractGoSourceV1Request,
+  ): Promise<void> {
+    reqBody.goSource.filename = sanitizeFilename(reqBody.goSource.filename);
+    if (reqBody.goSource.filepath) {
+      reqBody.goSource.filepath = sanitizeFilename(reqBody.goSource.filepath);
+    }
+  }
+
   async handleRequest(req: Request, res: Response): Promise<void> {
     const fnTag = `${this.className}#handleRequest()`;
     const verbUpper = this.getVerbLowerCase().toUpperCase();
@@ -92,6 +111,7 @@ export class DeployContractGoSourceEndpointV1 implements IWebServiceEndpoint {
     try {
       const { connector } = this.opts;
       const reqBody = req.body as DeployContractGoSourceV1Request;
+      await this.sanitizeFilenamesInRequest(reqBody);
       const resBody = await connector.deployContractGoSourceV1(reqBody);
       res.status(HttpStatus.OK);
       res.json(resBody);