seasharp/anvil
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(striker-ui-api): sanitize config striker input, rename rqbody->body

Browse Source
This commit is contained in:
Tsu-ba-me 2023-04-25 23:22:01 -04:00
parent c4232916f9
commit dc4a49a94c
2 changed files with 45 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
striker-ui-api/src/lib/request_handlers/host/configStriker.ts
View File

@ -3,13 +3,14 @@ import { RequestHandler } from 'express';
import {
REP_DOMAIN,
REP_INTEGER,
REP_IPV4,
REP_IPV4_CSV,
} from '../../consts/REG_EXP_PATTERNS';
import SERVER_PATHS from '../../consts/SERVER_PATHS';
REP_PEACEFUL_STRING,
SERVER_PATHS,
} from '../../consts';
import { job } from '../../accessModule';
import { sanitize } from '../../sanitize';
import { stderr, stdoutVar } from '../../shell';
const fvar = (configStepCount: number, fieldName: string) =>
@ -39,70 +40,72 @@ ${fvar(
export const configStriker: RequestHandler<
unknown,
undefined,
InitializeStrikerForm
> = ({ body }, response) => {
Partial<InitializeStrikerForm>
> = (request, response) => {
const { body = {} } = request;
stdoutVar(body, 'Begin initialize Striker; body=');
const {
adminPassword = '',
domainName = '',
hostName = '',
hostNumber = 0,
networkDNS = '',
networkGateway = '',
adminPassword: rAdminPassword = '',
domainName: rDomainName = '',
hostName: rHostName = '',
hostNumber: rHostNumber = 0,
networkDNS: rNetworkDns = '',
networkGateway: rNetworkGateway = '',
networks = [],
organizationName = '',
organizationPrefix = '',
} = body || {};
organizationName: rOrganizationName = '',
organizationPrefix: rOrganizationPrefix = '',
} = body;
const dataAdminPassword = String(adminPassword);
const dataDomainName = String(domainName);
const dataHostName = String(hostName);
const dataHostNumber = String(hostNumber);
const dataNetworkDNS = String(networkDNS);
const dataNetworkGateway = String(networkGateway);
const dataOrganizationName = String(organizationName);
const dataOrganizationPrefix = String(organizationPrefix);
const adminPassword = sanitize(rAdminPassword, 'string');
const domainName = sanitize(rDomainName, 'string');
const hostName = sanitize(rHostName, 'string');
const hostNumber = sanitize(rHostNumber, 'number');
const networkDns = sanitize(rNetworkDns, 'string');
const networkGateway = sanitize(rNetworkGateway, 'string');
const organizationName = sanitize(rOrganizationName, 'string');
const organizationPrefix = sanitize(rOrganizationPrefix, 'string');
try {
assert(
!/['"/\\><}{]/g.test(dataAdminPassword),
`Data admin password cannot contain single-quote, double-quote, slash, backslash, angle brackets, and curly brackets; got [${dataAdminPassword}]`,
REP_PEACEFUL_STRING.test(adminPassword),
`Data admin password cannot contain single-quote, double-quote, slash, backslash, angle brackets, and curly brackets; got [${adminPassword}]`,
);
assert(
REP_DOMAIN.test(dataDomainName),
`Data domain name can only contain alphanumeric, hyphen, and dot characters; got [${dataDomainName}]`,
REP_DOMAIN.test(domainName),
`Data domain name can only contain alphanumeric, hyphen, and dot characters; got [${domainName}]`,
);
assert(
REP_DOMAIN.test(dataHostName),
`Data host name can only contain alphanumeric, hyphen, and dot characters; got [${dataHostName}]`,
REP_DOMAIN.test(hostName),
`Data host name can only contain alphanumeric, hyphen, and dot characters; got [${hostName}]`,
);
assert(
REP_INTEGER.test(dataHostNumber) && hostNumber > 0,
`Data host number can only contain digits; got [${dataHostNumber}]`,
Number.isInteger(hostNumber) && hostNumber > 0,
`Data host number can only contain digits; got [${hostNumber}]`,
);
assert(
REP_IPV4_CSV.test(dataNetworkDNS),
`Data network DNS must be a comma separated list of valid IPv4 addresses; got [${dataNetworkDNS}]`,
REP_IPV4_CSV.test(networkDns),
`Data network DNS must be a comma separated list of valid IPv4 addresses; got [${networkDns}]`,
);
assert(
REP_IPV4.test(dataNetworkGateway),
`Data network gateway must be a valid IPv4 address; got [${dataNetworkGateway}]`,
REP_IPV4.test(networkGateway),
`Data network gateway must be a valid IPv4 address; got [${networkGateway}]`,
);
assert(
dataOrganizationName.length > 0,
`Data organization name cannot be empty; got [${dataOrganizationName}]`,
REP_PEACEFUL_STRING.test(organizationName),
`Data organization name cannot be empty; got [${organizationName}]`,
);
assert(
/^[a-z0-9]{1,5}$/.test(dataOrganizationPrefix),
`Data organization prefix can only contain 1 to 5 lowercase alphanumeric characters; got [${dataOrganizationPrefix}]`,
/^[a-z0-9]{1,5}$/.test(organizationPrefix),
`Data organization prefix can only contain 1 to 5 lowercase alphanumeric characters; got [${organizationPrefix}]`,
);
} catch (assertError) {
stderr(
@ -120,7 +123,7 @@ export const configStriker: RequestHandler<
${fvar(1, 'organization')}=${organizationName}
${fvar(1, 'prefix')}=${organizationPrefix}
${fvar(1, 'sequence')}=${hostNumber}
${fvar(2, 'dns')}=${networkDNS}
${fvar(2, 'dns')}=${networkDns}
${fvar(2, 'gateway')}=${networkGateway}
${fvar(2, 'host_name')}=${hostName}
${fvar(2, 'striker_password')}=${adminPassword}

6
striker-ui-api/src/lib/request_handlers/server/createServer.ts
View File

@ -9,9 +9,9 @@ import { sanitize } from '../../sanitize';
import { stderr, stdout, stdoutVar } from '../../shell';
export const createServer: RequestHandler = async (request, response) => {
const { body: rqbody = {} } = request;
const { body = {} } = request;
stdoutVar({ rqbody }, 'Creating server.\n');
stdoutVar(body, 'Creating server; body=');
const {
serverName: rServerName,
@ -27,7 +27,7 @@ export const createServer: RequestHandler = async (request, response) => {
driverISOFileUUID: rDriverIsoUuid,
anvilUUID: rAnvilUuid,
optimizeForOS: rOptimizeForOs,
} = rqbody;
} = body;
const serverName = sanitize(rServerName, 'string');
const os = sanitize(rOptimizeForOs, 'string');