server: quote method in logs, fix CodeQL warnings
CWE-117: Log entries created from user input. If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
This commit is contained in:
parent
0a338ea94b
commit
9d5b8d606a
2 changed files with 18 additions and 1 deletions
|
@ -14,6 +14,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
|
||||||
|
|
||||||
func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
|
func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
|
||||||
if req.In != nil {
|
if req.In != nil {
|
||||||
|
req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
|
||||||
return s.handleIn(req.In, sub)
|
return s.handleIn(req.In, sub)
|
||||||
}
|
}
|
||||||
resp := make(response.AbstractBatch, len(req.Batch))
|
resp := make(response.AbstractBatch, len(req.Batch))
|
||||||
for i, in := range req.Batch {
|
for i, in := range req.Batch {
|
||||||
|
in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
|
||||||
resp[i] = s.handleIn(&in, sub)
|
resp[i] = s.handleIn(&in, sub)
|
||||||
}
|
}
|
||||||
return resp
|
return resp
|
||||||
|
@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
|
||||||
|
|
||||||
incCounter(req.Method)
|
incCounter(req.Method)
|
||||||
|
|
||||||
resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil)
|
resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
|
||||||
handler, ok := rpcHandlers[req.Method]
|
handler, ok := rpcHandlers[req.Method]
|
||||||
if ok {
|
if ok {
|
||||||
res, resErr = handler(s, reqParams)
|
res, resErr = handler(s, reqParams)
|
||||||
|
@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func escapeForLog(in string) string {
|
||||||
|
return strings.Map(func(c rune) rune {
|
||||||
|
if !strconv.IsGraphic(c) {
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
return c
|
||||||
|
}, in)
|
||||||
|
}
|
||||||
|
|
|
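Review bot: `escapeForLog` (last hunk) has no doc comment, and because it now runs on the request path and rewrites `req.In.Method` before dispatch in `handleRequest` (second hunk), its contract should be written down: `// escapeForLog drops non-graphic runes (control characters such as \n and \r that could be used to forge log lines) from in. strconv.IsGraphic keeps letters, digits, punctuation, symbols and spaces, so any valid method name passes through unchanged.` The sanitized name is also what `incCounter` and the `Method %q not supported` response in the third hunk see, so a client that sends control characters in the method gets the stripped name echoed back rather than its own input; that seems acceptable but deserves a sentence in the comment. The escaping is applied only in `handleRequest`, so if `handleIn` is reachable through another caller outside this diff, that path would bypass it — worth confirming. The switch to `%q` in the third hunk is a useful second layer since it escapes anything `IsGraphic` leaves in.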
@ -2569,6 +2569,11 @@ func checkNep17TransfersAux(t *testing.T, e *executor, acc interface{}, sent, rc
|
||||||
require.Equal(t, arr, res.Received)
|
require.Equal(t, arr, res.Received)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestEscapeForLog(t *testing.T) {
|
||||||
|
in := "\n\tbad"
|
||||||
|
require.Equal(t, "bad", escapeForLog(in))
|
||||||
|
}
|
||||||
|
|
||||||
func BenchmarkHandleIn(b *testing.B) {
|
func BenchmarkHandleIn(b *testing.B) {
|
||||||
chain, orc, cfg, logger := getUnitTestChain(b, false, false)
|
chain, orc, cfg, logger := getUnitTestChain(b, false, false)
|
||||||
|
|
||||||
|
|
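Review bot: `TestEscapeForLog` pins only one input (`"\n\tbad"`), so it does not protect the "No valid method name will be changed by it" claim that server.go relies on, nor the non-ASCII cases that `strconv.IsGraphic` is meant to cover. A table-driven version with a valid method name, a name containing a space (Zs is graphic and must survive), a CR/LF pair, DEL and the Unicode line separator U+2028 (category Zl, not graphic) would document the function's actual behaviour; the inputs below are constructed examples.
```go
func TestEscapeForLog(t *testing.T) {
	for _, tc := range []struct{ in, want string }{
		{"\n\tbad", "bad"},
		{"getblock", "getblock"},     // a valid method name is left untouched
		{"get block", "get block"},   // space is graphic and must survive
		{"bad\r\nforged", "badforged"},
		{"bad\x7f", "bad"},           // DEL is a control character
		{"bad\u2028line", "badline"}, // U+2028 is a line separator, not graphic
	} {
		require.Equal(t, tc.want, escapeForLog(tc.in))
	}
}
```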