cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella" <...@stratosec.co>
Subject Re: Review Request: Non-printable characters such as %00 or %0025 are getting stored in raw/non encoded form in the database
Date Wed, 09 Jan 2013 00:27:55 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/8876/#review15166
-----------------------------------------------------------


Likitha - this could be done a little better, a few comments if I may...

* You're implementing a blacklisting pattern. That's a good start, but the problem is it's
hard to figure out every character which should be disallowed.  A whitelisting pattern is
a more comprehensive solution, although it may take a little longer to write.

* Ideally, this filtering code should be in a centralized place, like cloud-utils, so that
we don't have to re-write several times within CloudStack.

* More ideally, this might be a good first case to start using OWASP's ESAPI library, in particular
something like the getValidSafeHTML() method. You can read more about that at https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet



- John Kinsella


On Jan. 8, 2013, 5:27 a.m., Likitha Shetty wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/8876/
> -----------------------------------------------------------
> 
> (Updated Jan. 8, 2013, 5:27 a.m.)
> 
> 
> Review request for cloudstack, Alena Prokharchyk and Rohit Yadav.
> 
> 
> Description
> -------
> 
> Non-printable characters results in empty pages for all users loading the corrupted object
in the web interface. It also results in the API call results getting truncated with an error
when it encounters the non-printable characters.
> To find if a parameter value contains a control character, every decoded parameter value
was matched with the regex [\000-\037\177] as the ASCII non-printable characters are numbers
0 to 31 and 127 decimal.
> 
> 
> This addresses bug CLOUDSTACK-863.
> 
> 
> Diffs
> -----
> 
>   server/src/com/cloud/api/ApiServer.java f42025c 
> 
> Diff: https://reviews.apache.org/r/8876/diff/
> 
> 
> Testing
> -------
> 
> Manual Testing done, 
> For sample API's (updateVirtualMachine, createVolume, authorizeSecurityGroupIngress etc),
provide input values containing character(s) that are
> • ASCII printable - pass 
> • ASCII non-printable - fail with error code 431 and error 'Received value <parameter-value>
for parameter <parameter-name> is invalid, contains illegal ASCII non-printable characters'

> • non-english - pass
> 
> 
> Thanks,
> 
> Likitha Shetty
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message