From e59bcd0c33a6a3203c011faa8823ba2cac1e4f37 Mon Sep 17 00:00:00 2001
From: Tiago Daniel Jacobs <tiago.jacobs@gmail.com>
Date: Fri, 13 Nov 2020 06:54:32 +0000
Subject: [PATCH] Sanitize all received parameters
---
 .../web/controllers/ApiController.groovy | 123 +++++++++++++++++-
 1 file changed, 119 insertions(+), 4 deletions(-)
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
index 38610fde2c..776b7a73bd 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -93,6 +93,11 @@ class ApiController {
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 log.debug request.getParameterMap().toMapString()
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -175,6 +180,11 @@ class ApiController {
 log.debug CONTROLLER_NAME + "#${API_CALL}"
 ApiErrors errors = new ApiErrors()
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check", REDIRECT_RESPONSE)
@@ -244,9 +254,6 @@ class ApiController {
 // Do we have a name for the user joining? If none, complain.
 if (!StringUtils.isEmpty(params.fullName)) {
- params.fullName = StringUtils.strip(params.fullName);
- // remove control characters ( sanitize )
- params.fullName = params.fullName.replaceAll("\\p{Cntrl}", "");
 if (StringUtils.isEmpty(params.fullName)) {
 errors.missingParamError("fullName");
 }
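Review bot: The `params.each { key, value -> params[key] = sanitizeInput(value) }` block added here is pasted verbatim into every action hunk of this patch (the join, isMeetingRunning, end, getMeetingInfo, getMeetings, getSessions, setPollXML, setConfigXML, getDefaultConfigXML, configXML, guestWait, enter, stuns, signOut, the four recording actions and uploadDocuments), so any action added later silently misses it; a single `private def sanitizeParams() { params.each { key, value -> params[key] = sanitizeInput(value) } }` called once per action, or a controller-wide Grails interceptor, would keep that coverage in one place. Only values whose runtime class is exactly `java.lang.String` are rewritten (see the class check in the `sanitizeInput` hunk at the end of the patch), so a parameter that Grails exposes as a `String[]` because it was sent more than once presumably passes through untouched; if that is acceptable, a comment such as `// multi-valued (String[]) parameters are returned unchanged by sanitizeInput` next to the loop would stop the next reader from assuming otherwise. The loop also mutates the values before the `params.checksum` check runs; if the checksum is validated against the raw query string this is harmless, but if it is ever recomputed from `params` the stripped values would no longer match what the client signed, which is worth stating in a one-line comment. The enclosing action starts before this hunk.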
@@ -558,6 +565,11 @@ class ApiController {
 String API_CALL = 'isMeetingRunning'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -634,9 +646,13 @@ class ApiController {
 ************************************/
 def end = {
 String API_CALL = "end"
- log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -759,6 +775,11 @@ class ApiController {
 String API_CALL = "getMeetingInfo"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -842,6 +863,11 @@ class ApiController {
 String API_CALL = "getMeetings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -900,6 +926,11 @@ class ApiController {
 String API_CALL = "getSessions"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -975,6 +1006,11 @@ class ApiController {
 String API_CALL = "setPollXML"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
 return
@@ -1061,6 +1097,11 @@ class ApiController {
 String API_CALL = "setConfigXML"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
 return
@@ -1140,6 +1181,11 @@ class ApiController {
 String API_CALL = "getDefaultConfigXML"
 ApiErrors errors = new ApiErrors();
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1179,6 +1225,11 @@ class ApiController {
 String API_CALL = 'configXML'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 String logoutUrl = paramsProcessorUtil.getDefaultLogoutUrl()
 boolean reject = false
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1226,6 +1277,12 @@ class ApiController {
 def guestWaitHandler = {
 String API_CALL = 'guestWait'
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 ApiErrors errors = new ApiErrors()
 boolean reject = false;
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1369,6 +1426,14 @@ class ApiController {
 * ENTER API
 ***********************************************/
 def enter = {
+ String API_CALL = 'enter'
+ log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 boolean reject = false;
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1511,6 +1576,14 @@ class ApiController {
 * STUN/TURN API
 ***********************************************/
 def stuns = {
+ String API_CALL = 'stuns'
+ log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 boolean reject = false;
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1582,6 +1655,13 @@ class ApiController {
 * SIGNOUT API
 *************************************************/
 def signOut = {
+ String API_CALL = 'signOut'
+ log.debug CONTROLLER_NAME + "#${API_CALL}"
+
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
 String sessionToken = sanitizeSessionToken(params.sessionToken)
@@ -1628,6 +1708,11 @@ class ApiController {
 String API_CALL = "getRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1702,6 +1787,11 @@ class ApiController {
 String API_CALL = "publishRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1783,6 +1873,11 @@ class ApiController {
 String API_CALL = "deleteRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1853,6 +1948,11 @@ class ApiController {
 String API_CALL = "updateRecordings"
 log.debug CONTROLLER_NAME + "#${API_CALL}"
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 // BEGIN - backward compatibility
 if (StringUtils.isEmpty(params.checksum)) {
 invalid("checksumError", "You did not pass the checksum security check")
@@ -1924,6 +2024,11 @@ class ApiController {
 def uploadDocuments(conf) {
 // log.debug("ApiController#uploadDocuments(${conf.getInternalId()})");
+ //sanitizeInput
+ params.each {
+ key, value -> params[key] = sanitizeInput(value)
+ }
+
 String requestBody = request.inputStream == null ? null : request.inputStream.text;
 requestBody = StringUtils.isEmpty(requestBody) ? null : requestBody;
@@ -2112,6 +2217,16 @@ class ApiController {
 return us
 }
+ private def sanitizeInput (input) {
+ if(input == null)
+ return
+
+ if(!("java.lang.String".equals(input.getClass().getName())))
+ return input
+
+ StringUtils.strip(input.replaceAll("\\p{Cntrl}", ""));
+ }
+
 def sanitizeSessionToken(param) {
 if (param == null) {
 log.info("sanitizeSessionToken: token is null")
-- 
GitLab
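Review bot: `sanitizeInput` in the last hunk has no doc comment and its contract is easy to over-read from the commit title: it deletes ASCII control characters only (`\p{Cntrl}` in java.util.regex is `[\x00-\x1F\x7F]`, so C1 controls such as U+0085 and Unicode format characters such as bidi overrides survive), strips surrounding whitespace, and performs no escaping, so any action that renders a parameter into XML or HTML still needs output encoding. Suggest a comment above the method: `// Removes ASCII control characters (\p{Cntrl}) and surrounding whitespace from String values; null and non-String values (e.g. String[]) are returned unchanged. This is not an output-encoding step.`. Because tab and newline are control characters, a parameter that legitimately carries multi-line content (the XML payloads of the setConfigXML/setPollXML actions earlier in this patch, if they arrive as request parameters) is flattened by this loop, which may or may not be intended and deserves a note either way. Stylistically, `if(input == null) return` leans on Groovy's implicit null return and `"java.lang.String".equals(input.getClass().getName())` is an unusual spelling of a type test; `if (input == null) return null` and `if (!(input instanceof String)) return input` make the same two checks explicit (String is final, so the instanceof test is equivalent).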