diff options
author | AKalinich-Luxoft <AKalinich@luxoft.com> | 2017-06-15 10:24:20 +0300 |
---|---|---|
committer | AKalinich-Luxoft <AKalinich@luxoft.com> | 2017-06-20 10:53:16 +0300 |
commit | f050b8f14ed2f3e048d7a4a0b2f1c424255649ac (patch) | |
tree | 38081a0ef91e333f638aa9a805b1b0b7e2a4ee74 /src/components | |
parent | 817052ffe35991d6927e9176528821323b4e6812 (diff) | |
download | sdl_core-f050b8f14ed2f3e048d7a4a0b2f1c424255649ac.tar.gz |
Fixed RPC response in case filename contains forbidden symbols
According to requirements SDL must respond with INVALID_DATA to
RPC request, which contains some filename param, which contains
'/' symbol. The main idea here is to prevent access to files
outside SDL working folder using such RPCs.
In this commit:
- Added IsFileNameValid function to check filename symbols
- Added checking filename param for: DeleteFile, PutFile,
SetAppIcon, SystemRequest
Diffstat (limited to 'src/components')
6 files changed, 51 insertions, 0 deletions
diff --git a/src/components/application_manager/src/commands/mobile/delete_file_request.cc b/src/components/application_manager/src/commands/mobile/delete_file_request.cc index 31ca29cb51..984c7a1725 100644 --- a/src/components/application_manager/src/commands/mobile/delete_file_request.cc +++ b/src/components/application_manager/src/commands/mobile/delete_file_request.cc @@ -73,6 +73,13 @@ void DeleteFileRequest::Run() { const std::string& sync_file_name = (*message_)[strings::msg_params][strings::sync_file_name].asString(); + if (!file_system::IsFileNameValid(sync_file_name)) { + const std::string err_msg = "Sync file name contains forbidden symbols."; + LOG4CXX_ERROR(logger_, err_msg); + SendResponse(false, mobile_apis::Result::INVALID_DATA, err_msg.c_str()); + return; + } + std::string full_file_path = application_manager_.get_settings().app_storage_folder() + "/"; full_file_path += application->folder_name(); diff --git a/src/components/application_manager/src/commands/mobile/put_file_request.cc b/src/components/application_manager/src/commands/mobile/put_file_request.cc index 68e7ad60d1..602b420ba0 100644 --- a/src/components/application_manager/src/commands/mobile/put_file_request.cc +++ b/src/components/application_manager/src/commands/mobile/put_file_request.cc @@ -110,6 +110,17 @@ void PutFileRequest::Run() { } sync_file_name_ = (*message_)[strings::msg_params][strings::sync_file_name].asString(); + + if (!file_system::IsFileNameValid(sync_file_name_)) { + const std::string err_msg = "Sync file name contains forbidden symbols."; + LOG4CXX_ERROR(logger_, err_msg); + SendResponse(false, + mobile_apis::Result::INVALID_DATA, + err_msg.c_str(), + &response_params); + return; + } + file_type_ = static_cast<mobile_apis::FileType::eType>( (*message_)[strings::msg_params][strings::file_type].asInt()); const std::vector<uint8_t> binary_data = diff --git a/src/components/application_manager/src/commands/mobile/set_app_icon_request.cc b/src/components/application_manager/src/commands/mobile/set_app_icon_request.cc index 5d70a2fb5b..8a595ee564 100644 --- a/src/components/application_manager/src/commands/mobile/set_app_icon_request.cc +++ b/src/components/application_manager/src/commands/mobile/set_app_icon_request.cc @@ -71,6 +71,13 @@ void SetAppIconRequest::Run() { const std::string& sync_file_name = (*message_)[strings::msg_params][strings::sync_file_name].asString(); + if (!file_system::IsFileNameValid(sync_file_name)) { + const std::string err_msg = "Sync file name contains forbidden symbols."; + LOG4CXX_ERROR(logger_, err_msg); + SendResponse(false, mobile_apis::Result::INVALID_DATA, err_msg.c_str()); + return; + } + std::string full_file_path = application_manager_.get_settings().app_storage_folder() + "/"; full_file_path += app->folder_name(); diff --git a/src/components/application_manager/src/commands/mobile/system_request.cc b/src/components/application_manager/src/commands/mobile/system_request.cc index 74d25508e0..b9eb1a3a72 100644 --- a/src/components/application_manager/src/commands/mobile/system_request.cc +++ b/src/components/application_manager/src/commands/mobile/system_request.cc @@ -466,6 +466,20 @@ void SystemRequest::Run() { file_name = kSYNC; } + if (!CheckSyntax(file_name)) { + LOG4CXX_ERROR(logger_, + "Incoming request contains \t\n \\t \\n or whitespace"); + SendResponse(false, mobile_apis::Result::INVALID_DATA); + return; + } + + if (!file_system::IsFileNameValid(file_name)) { + const std::string err_msg = "Sync file name contains forbidden symbols."; + LOG4CXX_ERROR(logger_, err_msg); + SendResponse(false, mobile_apis::Result::INVALID_DATA, err_msg.c_str()); + return; + } + bool is_system_file = std::string::npos != file_name.find(kSYNC) || std::string::npos != file_name.find(kIVSU); diff --git a/src/components/utils/include/utils/file_system.h b/src/components/utils/include/utils/file_system.h index 5862241c9c..a46135a47b 100644 --- a/src/components/utils/include/utils/file_system.h +++ b/src/components/utils/include/utils/file_system.h @@ -153,6 +153,14 @@ std::string CurrentWorkingDirectory(); std::string GetAbsolutePath(const std::string& path); /** + * @brief Checks if file name contains invalid symbols e.g. '/' + * @param file_name file name to check + * @return true if file name does not contain any invalid symbol otherwise + * returns false + */ +bool IsFileNameValid(const std::string& file_name); + +/** * @brief Removes file * * @param name path to file diff --git a/src/components/utils/src/file_system.cc b/src/components/utils/src/file_system.cc index 91ff0c3b07..224fc36003 100644 --- a/src/components/utils/src/file_system.cc +++ b/src/components/utils/src/file_system.cc @@ -222,6 +222,10 @@ std::string file_system::GetAbsolutePath(const std::string& path) { return std::string(abs_path); } +bool file_system::IsFileNameValid(const std::string& file_name) { + return file_name.end() == std::find(file_name.begin(), file_name.end(), '/'); +} + bool file_system::DeleteFile(const std::string& name) { if (FileExists(name) && IsAccessible(name, W_OK)) { return !remove(name.c_str()); |