Forbid slashes and other URL sensitive characters in user, actions and resources ids #523
Comments
|
I've committed some code, not PRing just yet... i've put in regex in db constraint, and also in the validation. I had to tweak a lot of tests that were broken as a result of it working as expected (prevents some sql injection stuff which is good). I'm applying to all entity id calls (inserts and updates will also be checked by the db constraint, no harm for manual imports of data for it to match joi), but not sure about the _ only rule in teamid, I think it's to do with the paths field... need a little more investigation here, maybe we disable all non alpha-numeric except _, but the - is nice to have in the slug, if path can handle that we should allow as our autogenerated ids use hypens to. |
|
I'd say let's only forbid characters which have meaning in URLs. So |
|
Yeah, but we are already restricting to only alphanumeric and If we are restricting one entity id, we should be consistent across them all I think... See my solution here, I think it's cleanest approach: #529 |
|
Approved! |
|
One quick note here: forbidding characters is blacklisting the input validation. The best practice would be to whitelist the input. E.g. instead of forbidding a set of characters, create a regex with the sequence of allowed characters. Here is more info: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Whitelisting_vs_blacklisting |
|
That's the approach I took David, to only whitelist alphanumeric and hyphen The PR should be called allow not disallow, but it's a whitelist approach |
Currently we don't validate the format, but since those ids are used in the URLs, these might mess with routing.
We should forbid slashes (
/) and other sensitive characters (#,?and so forth) in ids so no ambiguity rises.The text was updated successfully, but these errors were encountered: