From 9d5b8d606ae13f39fb6aaf82f1ffd4599f87b763 Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Mon, 21 Mar 2022 23:36:19 +0300
Subject: [PATCH] server: quote method in logs, fix CodeQL warnings

CWE-117: Log entries created from user input
If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
---
 pkg/rpc/server/server.go | 14 +++++++++++++-
 pkg/rpc/server/server_test.go | 5 +++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/rpc/server/server.go b/pkg/rpc/server/server.go
index d9c0081aa..a25f68e93 100644
--- a/pkg/rpc/server/server.go
+++ b/pkg/rpc/server/server.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
@@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
 func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
 	if req.In != nil {
+		req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
 		return s.handleIn(req.In, sub)
 	}
 	resp := make(response.AbstractBatch, len(req.Batch))
 	for i, in := range req.Batch {
+		in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
 		resp[i] = s.handleIn(&in, sub)
 	}
 	return resp
@@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
 	incCounter(req.Method)
-	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil)
+	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
 	handler, ok := rpcHandlers[req.Method]
 	if ok {
 		res, resErr = handler(s, reqParams)
@@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
 	}
 	return false
 }
+
+func escapeForLog(in string) string {
+	return strings.Map(func(c rune) rune {
+		if !strconv.IsGraphic(c) {
+			return -1
+		}
+		return c
+	}, in)
+}
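Review bot: Dropping non-graphic runes in `escapeForLog` (the `return -1` branch) makes method dispatch more lenient than before, because `handleRequest` rewrites `req.In.Method` (and the batch copy's `in.Method`) before `handleIn` performs the `rpcHandlers[req.Method]` lookup: a name consisting of a real method plus an embedded control character, previously rejected as unknown, now resolves to the real handler, and the logged name no longer shows that anything was removed. Substituting a visible placeholder keeps the sanitised name unambiguous and should keep such names from matching any handler key: `return '\uFFFD'` in place of `return -1`, with the new test's expected value becoming `"\uFFFD\uFFFDbad"`. The new function also has no doc comment; `// escapeForLog replaces runes that are not graphic (see strconv.IsGraphic) so a client-supplied method name cannot inject line breaks into log output.` would also explain why it runs before dispatch. The log statements behind the CodeQL finding are not in this hunk, so whether every log site reads the rewritten field could not be confirmed from here.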
diff --git a/pkg/rpc/server/server_test.go b/pkg/rpc/server/server_test.go
index f9a6b02b9..71eab16d8 100644
--- a/pkg/rpc/server/server_test.go
+++ b/pkg/rpc/server/server_test.go
@@ -2569,6 +2569,11 @@ func checkNep17TransfersAux(t *testing.T, e *executor, acc interface{}, sent, rc
 	require.Equal(t, arr, res.Received)
 }
+func TestEscapeForLog(t *testing.T) {
+	in := "\n\tbad"
+	require.Equal(t, "bad", escapeForLog(in))
+}
+
 func BenchmarkHandleIn(b *testing.B) {
 	chain, orc, cfg, logger := getUnitTestChain(b, false, false)