From 223c5762f9cd5bb1e9d77ec21d927847600a6a0b Mon Sep 17 00:00:00 2001 From: Michael McVady Date: Mon, 2 Jan 2023 21:53:22 -0600 Subject: First pass at UUID validation --- src/clog.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 58 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/clog.c b/src/clog.c index 2ce9b88..e15b1ee 100644 --- a/src/clog.c +++ b/src/clog.c @@ -1,13 +1,10 @@ +#include + #include #include #include #include -#include "assets.h" - -// FIXME: Why does compilation fail if this is a .c file? -#include "queries.h" - #include "../lib/md4c/src/entity.h" #include "../lib/md4c/src/entity.c" #include "../lib/md4c/src/md4c.h" @@ -15,6 +12,10 @@ #include "../lib/md4c/src/md4c-html.h" #include "../lib/md4c/src/md4c-html.c" +#include "assets.h" +// FIXME: Why does compilation fail if this is a .c file? +#include "queries.h" + KORE_SECCOMP_FILTER("clog", KORE_SYSCALL_ALLOW(bind), KORE_SYSCALL_ALLOW(getdents64), @@ -45,6 +46,8 @@ static const char * const error_msg[] = { void post_request_init(struct post_request *post_req); void post_request_cleanup(struct post_request *post_req); +int validate_uuid(const char *input); + int redirect(struct http_request *req); int post(struct http_request *req); @@ -56,7 +59,8 @@ int render_posts_query(struct post_request *post_req); static void process_md_output(const MD_CHAR *, MD_SIZE size, void *); static int render_md(const char *, struct kore_buf *); -void post_request_init(struct post_request *post_req) { +void +post_request_init(struct post_request *post_req) { post_req->req = NULL; post_req->resource = NULL; post_req->type = JSON; @@ -65,11 +69,37 @@ void post_request_init(struct post_request *post_req) { post_req->resp_buf = kore_buf_alloc(0); } -void post_request_cleanup(struct post_request *post_req) { - if (post_req->resp_buf != NULL) { +void +post_request_cleanup(struct post_request *post_req) { + if (post_req->resp_buf != NULL) kore_buf_free(post_req->resp_buf); - post_req->resp_buf = NULL; + post_req->resp_buf = NULL; +} + +int +validate_uuid(const char *input) { + int i = 0; + const char *p = NULL; + + if (strlen(input) != 36) + return KORE_RESULT_ERROR; + + for (i = 0, p = input; i <= 36; i++) { + if ((i == 8) || (i == 13) || (i == 18) || (i == 23)) { + if (p[i] != '-') + return KORE_RESULT_ERROR; + continue; + } + if (i == 36) { + if (p[i] != '\0') + return KORE_RESULT_ERROR; + continue; + } + if (!isxdigit(p[i])) + return KORE_RESULT_ERROR; } + + return KORE_RESULT_OK; } int @@ -131,6 +161,7 @@ render_posts(struct http_request *req, const char *resource) { } else { http_response_header(post_req.req, "content-type", "text/html; charset=utf-8"); + kore_buf_append(post_req.resp_buf, asset_index_begin_html, asset_len_index_begin_html); (void) render_posts_query(&post_req); @@ -175,6 +206,17 @@ render_posts_query(struct post_request *post_req) { kore_pgsql_init(&sql); + // TODO use kore validation here. + if (post_req->resource) { + // Check for valid resource ID/UUID + err = validate_uuid(post_req->resource); + if (err == KORE_RESULT_ERROR) { + post_req->resp_status = HTTP_STATUS_NOT_FOUND; + kore_log(LOG_ERR, "Invalid post id %s.", post_req->resource); + goto out; + } + } + // Initialize our kore_pgsql data structure with the database name // we want to connect to (note that we registered this earlier with // kore_pgsql_register()). We also say we will perform a synchronous @@ -261,6 +303,7 @@ render_posts_query(struct post_request *post_req) { kore_buf_free(html_buf); } } + out: ; kore_pgsql_cleanup(&sql); @@ -285,7 +328,7 @@ render_md(const char *in, struct kore_buf *out) { ); if(err != 0) { - kore_log(LOG_ERR, "Parsing Markdown failed.\n"); + kore_log(LOG_ERR, "Parsing Markdown failed."); return KORE_RESULT_ERROR; } @@ -294,6 +337,10 @@ render_md(const char *in, struct kore_buf *out) { static void process_md_output(const MD_CHAR *html, MD_SIZE size, void *buf) { - kore_buf_append((struct kore_buf *) buf, (const void *) html, (size_t) size); + kore_buf_append( + (struct kore_buf *) buf, + (const void *) html, + (size_t) size + ); } -- cgit v1.2.3