adding .gitignore

removing some xdmp:evals fixing possible xqy injection hole fixing path separator in windows vs *nix
marklogic-community · Mar 14, 2012 · 88899de · 88899de
1 parent 333038b
commit 88899de
Show file tree

Hide file tree

Showing 12 changed files with 72 additions and 16 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+.DS_Store
+local.properties
+*.tmproj
+Thumbs.db
+.project
+.settings/
diff --git a/deploy/.DS_Store b/deploy/.DS_Store
diff --git a/deploy/default.properties b/deploy/default.properties
@@ -75,7 +75,7 @@ default-user=nobody
 #
 # the uris or IP addresses of your servers
 # WARNING: if you are running these scripts on windows you may need to change localhost to 127.0.0.1
-# There have been reported issues with dns resolution when localhost wasn't int the hosts file.
+# There have been reported issues with dns resolution when localhost wasn't in the hosts file.
 #
 local-server=localhost
 #dev-server=

diff --git a/deploy/lib/util.rb b/deploy/lib/util.rb
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ###############################################################################
+require 'rbconfig'
+
 def find_arg(args = [])
   args.each do |arg|
     if (ARGV.include?(arg))
@@ -25,7 +27,7 @@ def find_arg(args = [])
 end
 
 def is_windows?
-  RUBY_PLATFORM.downcase.include?("mswin")
+  return (Config::CONFIG['host_os'] =~ /mswin|mingw/).nil? == false
 end
 
 def path_separator

diff --git a/ml b/ml
@@ -33,7 +33,7 @@ then
     git clone https://github.com/marklogic/roxy ${app_name}
     cd ${app_name}
     rm -rf .git*
-    ml init
+    ./ml init
     cd ..
     printf " done\n"
     if [ -e $app_name ]

diff --git a/src/default.xqy b/src/default.xqy
@@ -22,7 +22,7 @@ import module namespace rh = "http://marklogic.com/roxy/routing-helper" at "/lib
 
 declare option xdmp:mapping "false";
 
-declare variable $controller as xs:string := req:get("controller", "", "type=xs:string");
+declare variable $controller as xs:QName := req:get("controller", "type=xs:QName");
 declare variable $controller-path as xs:string := fn:concat("/app/controllers/", $controller, ".xqy");
 declare variable $func as xs:string := req:get("func", "index", "type=xs:string");
 declare variable $format as xs:string := req:get("format", $config:DEFAULT-FORMAT, "type=xs:string");
@@ -34,15 +34,13 @@ declare variable $default-layout as xs:string? := map:get($config:DEFAULT-LAYOUT
 try
 {
   let $map := map:map()
+  (: Ensure $type is a valid QName :)
+  let $_ := xs:QName($func)
   let $eval-str :=
     fn:concat('
         import module namespace c="http://marklogic.com/roxy/controller/', $controller, '" at "', $controller-path, '";
-        import module namespace ch = "http://marklogic.com/roxy/controller-helper" at "/lib/controller-helper.xqy";
-        declare variable $map as map:map external;
-        xdmp:set($ch:map, $map),
       c:', $func, '()')
-
-  let $data := xdmp:eval($eval-str, (xs:QName("map"), $map))
+  let $data := xdmp:eval($eval-str, (xs:QName("ch:map"), $map))
 
   (: framework options :)
   let $options :=
@@ -106,6 +104,8 @@ catch($ex)
 {
   if ($ex/error:code = "XDMP-UNDVAR" and $ex/error:data/error:datum = "$c:map") then
     fn:error(xs:QName("MISSING-MAP"), fn:concat("Missing external map declaration in ", $controller-path), $controller-path)
+  else if ($ex/error:code eq "XDMP-CAST" and $ex/error:expr eq "xs:QName($func)") then
+    fn:error(xs:QName("four-o-four"))
   else
     xdmp:rethrow()
 }
diff --git a/src/lib/controller-helper.xqy b/src/lib/controller-helper.xqy
@@ -21,7 +21,7 @@ declare option xdmp:mapping "false";
 
 declare variable $ALL-FORMATS as xs:string+ := ("html", "xml", "json", "text");
 
-declare variable $ch:map as map:map? := ();
+declare variable $ch:map as map:map external;
 
 declare function ch:use-view($view as xs:string?)
 {

diff --git a/src/lib/request.xqy b/src/lib/request.xqy
@@ -96,10 +96,15 @@ declare function req:get($name as xs:string, $default as item()*, $options as xs
           if (fn:exists($v)) then $v/*
           else $default
       else if ($value and $type) then
-        try {
-          xdmp:eval(fn:concat('"', fn:replace(fn:replace($value, '"', '""'), "&amp;", "&amp;amp;"), '" cast as ', $type))
+        try
+        {
+          (: Ensure $type is a valid QName before putting it through xdmp:value() :)
+          let $_ := xs:QName($type)
+          return
+            xdmp:value(fn:concat('"', fn:replace(fn:replace($value, '"', '""'), "&amp;", "&amp;amp;"), '" cast as ', $type))
         }
-        catch($ex) {
+        catch($ex)
+        {
           req:assert-max-count($name, $value, $max-count),
           if ($validate eq fn:true()) then
             fn:error(xs:QName("INVALID-REQUEST-PARAMETER"), fn:concat($name, "=", $value), "response-code=400")
@@ -156,7 +161,7 @@ declare private function req:get-option($options as xs:string*, $name as xs:stri
   return
     if ($value) then
       try {
-        xdmp:eval(fn:concat('"', $value, '" cast as ', $type))
+        xdmp:value(fn:concat('"', $value, '" cast as ', $type))
       }
       catch($ex) {()}
     else ()

diff --git a/src/test/suites/Framework Tests/routing.xqy b/src/test/suites/Framework Tests/routing.xqy
@@ -192,4 +192,23 @@ let $response := xdmp:http-get(test:easy-url("/not-real/at-all"), $options-non-x
 return
 (
   test:assert-equal(404, fn:data($response[1]/*:code))
-)
+),
+
+(: test for xquery injection via evil urls :)
+let $url := "default.xqy?func=main(),%20xdmp:document-insert(%22foo.xml%22,%20%3Cboo/%3E),%20&amp;controller=appbuilder"
+let $url := fn:concat("http://localhost:", fn:tokenize(xdmp:get-request-header("Host"), ":")[2], if (fn:starts-with($url, "/")) then () else "/", $url)
+let $response := xdmp:http-get($url, $options-non-xml)
+return
+(
+  test:assert-equal(404, fn:data($response[1]/*:code))
+),
+
+
+let $response := xdmp:http-get(test:easy-url("/tester/update"), $options-non-xml)
+return
+  test:assert-equal(200, fn:data($response[1]/*:code));
+
+import module namespace test="http://marklogic.com/ps/test-helper" at "/test/test-helper.xqy";
+let $doc := xdmp:eval('fn:doc("/test-insert.xml")/*')
+return
+  test:assert-equal(<test/>, $doc)
diff --git a/src/test/suites/Framework Tests/suite-teardown.xqy b/src/test/suites/Framework Tests/suite-teardown.xqy
@@ -11,4 +11,10 @@ if (xdmp:modules-database() ne 0) then
     <options xmlns="xdmp:eval">
       <database>{xdmp:modules-database()}</database>
     </options>)
-else ()
+else (),
+
+try
+{
+	xdmp:document-delete("/test-insert.xml")
+}
+catch($ex){()}
diff --git a/src/test/suites/Framework Tests/test-data/tester.xqy b/src/test/suites/Framework Tests/test-data/tester.xqy
@@ -88,4 +88,11 @@ declare function c:view-that-returns-the-input()
 {
   ch:add-value("title", "view-that-returns-the-input"),
   ch:use-layout("test-layout")
+};
+declare function c:update()
+{
+  xdmp:document-insert("/test-insert.xml", <test/>),
+  ch:use-layout(()),
+  ch:use-view(()),
+  ch:add-value("test", "done")
 };
diff --git a/src/test/suites/Framework Tests/util.xqy b/src/test/suites/Framework Tests/util.xqy
@@ -0,0 +1,11 @@
+xquery version "1.0-ml";
+
+import module namespace test="http://marklogic.com/ps/test-helper" at "/test/test-helper.xqy";
+
+import module namespace c = "http://marklogic.com/ns/test-config" at "/test/test-config.xqy";
+
+import module namespace u = "http://marklogic.com/framework/util" at "/lib/util.xqy";
+
+declare namespace html = "http://www.w3.org/1999/xhtml";
+
+test:assert-equal(fn:true(), u:module-file-exists("/test/suites/Framework Tests/util.xqy"))