forked from TrueCloudLab/neoneo-go
server: quote method in logs, fix CodeQL warnings
CWE-117: Log entries created from user input If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
This commit is contained in:
parent
0a338ea94b
commit
9d5b8d606a
2 changed files with 18 additions and 1 deletions
|
@ -14,6 +14,7 @@ import (
|
|||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
|
@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
|
|||
|
||||
func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
|
||||
if req.In != nil {
|
||||
req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
|
||||
return s.handleIn(req.In, sub)
|
||||
}
|
||||
resp := make(response.AbstractBatch, len(req.Batch))
|
||||
for i, in := range req.Batch {
|
||||
in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
|
||||
resp[i] = s.handleIn(&in, sub)
|
||||
}
|
||||
return resp
|
||||
|
@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
|
|||
|
||||
incCounter(req.Method)
|
||||
|
||||
resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil)
|
||||
resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
|
||||
handler, ok := rpcHandlers[req.Method]
|
||||
if ok {
|
||||
res, resErr = handler(s, reqParams)
|
||||
|
@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func escapeForLog(in string) string {
|
||||
return strings.Map(func(c rune) rune {
|
||||
if !strconv.IsGraphic(c) {
|
||||
return -1
|
||||
}
|
||||
return c
|
||||
}, in)
|
||||
}
|
||||
|
|
|
@ -2569,6 +2569,11 @@ func checkNep17TransfersAux(t *testing.T, e *executor, acc interface{}, sent, rc
|
|||
require.Equal(t, arr, res.Received)
|
||||
}
|
||||
|
||||
func TestEscapeForLog(t *testing.T) {
|
||||
in := "\n\tbad"
|
||||
require.Equal(t, "bad", escapeForLog(in))
|
||||
}
|
||||
|
||||
func BenchmarkHandleIn(b *testing.B) {
|
||||
chain, orc, cfg, logger := getUnitTestChain(b, false, false)
|
||||
|
||||
|
|
Loading…
Reference in a new issue