server: quote method in logs, fix CodeQL warnings

CWE-117:
  Log entries created from user input

  If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
This commit is contained in:
Roman Khimov 2022-03-21 23:36:19 +03:00
parent 0a338ea94b
commit 9d5b8d606a
2 changed files with 18 additions and 1 deletions


@ -14,6 +14,7 @@ import (
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
"strings"
"sync" "sync"
"time" "time"
@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult { func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
if req.In != nil { if req.In != nil {
req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
return s.handleIn(req.In, sub) return s.handleIn(req.In, sub)
} }
resp := make(response.AbstractBatch, len(req.Batch)) resp := make(response.AbstractBatch, len(req.Batch))
for i, in := range req.Batch { for i, in := range req.Batch {
in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
resp[i] = s.handleIn(&in, sub) resp[i] = s.handleIn(&in, sub)
} }
return resp return resp
@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
incCounter(req.Method) incCounter(req.Method)
resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil) resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
handler, ok := rpcHandlers[req.Method] handler, ok := rpcHandlers[req.Method]
if ok { if ok {
res, resErr = handler(s, reqParams) res, resErr = handler(s, reqParams)
@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
} }
return false return false
} }
func escapeForLog(in string) string {
return strings.Map(func(c rune) rune {
if !strconv.IsGraphic(c) {
return -1
}
return c
}, in)
}
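Review bot: The sanitisation added in `handleRequest` rewrites the request before dispatch rather than only before logging, so a method such as `"getblock\n"` or `"getblock\x00"` is silently turned into `getblock` and executed; the comment's invariant holds one way only (valid names are untouched), but an invalid name can become a valid one. Without the rewrite such a name would simply miss `rpcHandlers` and fall through to the `%q`-quoted not-found error this same change introduces in `handleIn`, which is the safer outcome and still satisfies CWE-117 at that site. I would drop the two `in.Method = escapeForLog(in.Method)` assignments and call `escapeForLog` (or format with `%q`) only at the log statement CodeQL flagged, which sits in the part of `handleIn` outside this hunk. Whichever form stays, `escapeForLog` deserves a doc comment stating what it guarantees — `// escapeForLog drops every non-graphic rune (control characters, line and paragraph separators) so the result cannot inject line breaks into a log entry; graphic non-ASCII runes are kept.` — and the accompanying test should also assert that a valid method name passes through unchanged, since the comments in `handleRequest` rely on exactly that property.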


@ -2569,6 +2569,11 @@ func checkNep17TransfersAux(t *testing.T, e *executor, acc interface{}, sent, rc
require.Equal(t, arr, res.Received) require.Equal(t, arr, res.Received)
} }
func TestEscapeForLog(t *testing.T) {
in := "\n\tbad"
require.Equal(t, "bad", escapeForLog(in))
}
func BenchmarkHandleIn(b *testing.B) { func BenchmarkHandleIn(b *testing.B) {
chain, orc, cfg, logger := getUnitTestChain(b, false, false) chain, orc, cfg, logger := getUnitTestChain(b, false, false)