server: quote method in logs, fix CodeQL warnings

CWE-117: Log entries created from user input If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
nspcc-dev · Mar 22, 2022 · e79d700 · e79d700
1 parent 0a338ea
commit e79d700
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/pkg/rpc/server/server.go b/pkg/rpc/server/server.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
 
 func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
 	if req.In != nil {
+		req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
 		return s.handleIn(req.In, sub)
 	}
 	resp := make(response.AbstractBatch, len(req.Batch))
 	for i, in := range req.Batch {
+		in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
 		resp[i] = s.handleIn(&in, sub)
 	}
 	return resp
@@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
 
 	incCounter(req.Method)
 
-	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil)
+	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
 	handler, ok := rpcHandlers[req.Method]
 	if ok {
 		res, resErr = handler(s, reqParams)
@@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
 	}
 	return false
 }
+
+func escapeForLog(in string) string {
+	return strings.Map(func(c rune) rune {
+		if c < 32 || !strconv.IsGraphic(c) {
+			return -1
+		}
+		return c
+	}, in)
+}