
Commit d7ce864

add string sanity check for parameters in sendRequest
1 parent 2fed0d1 commit d7ce864

2 files changed

+34
-14
lines changed


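--- a/src/internal/ParseClient.cpp
+++ b/src/internal/ParseClient.cpp
@@ -20,6 +20,7 @@
 */
 
 #include "ParseClient.h"
+#include "ParseUtils.h"
 
 ParseClient::ParseClient() {
 }
@@ -95,20 +96,25 @@ ParseResponse ParseClient::sendRequest(const char* httpVerb, const char* httpPat
 ParseResponse ParseClient::sendRequest(const String& httpVerb, const String& httpPath, const String& requestBody, const String& urlParams) {
 requestClient.begin("parse_request"); // start a process that launch the "parse_request" command
 
-requestClient.addParameter("-v");
-requestClient.addParameter(httpVerb);
-requestClient.addParameter("-e");
-requestClient.addParameter(httpPath);
-if (requestBody != "") {
-requestClient.addParameter("-d");
-requestClient.addParameter(requestBody);
-}
-if (urlParams != "") {
-requestClient.addParameter("-p");
-requestClient.addParameter(urlParams);
-requestClient.runAsynchronously();
-} else {
-requestClient.run(); // Run the process and wait for its termination
+if( ParseUtils::isSanitizedString(httpVerb)
+&& ParseUtils::isSanitizedString(httpPath)
+&& ParseUtils::isSanitizedString(requestBody)
+&& ParseUtils::isSanitizedString(urlParams)) {
+requestClient.addParameter("-v");
+requestClient.addParameter(httpVerb);
+requestClient.addParameter("-e");
+requestClient.addParameter(httpPath);
+if (requestBody != "") {
+requestClient.addParameter("-d");
+requestClient.addParameter(requestBody);
+}
+if (urlParams != "") {
+requestClient.addParameter("-p");
+requestClient.addParameter(urlParams);
+requestClient.runAsynchronously();
+} else {
+requestClient.run(); // Run the process and wait for its termination
+}
 }
 
 ParseResponse response(&requestClient);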
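Review bot: When any parameter fails `isSanitizedString`, the new `if` at line 99 skips both `run()` and `runAsynchronously()`, yet control still falls through to `ParseResponse response(&requestClient);` at line 120, so the caller gets a response object wrapping a process that was begun but never started and no signal that the request was dropped. At minimum the rejecting path should be explicit, `} else { // request dropped: a parameter contained whitespace, see ParseUtils::isSanitizedString }`, and ideally the rejection should be surfaced through the returned ParseResponse in whatever way that type reports failures (its definition is not in this diff). Note also that if `requestBody` is JSON, as Parse bodies presumably are, a body like `{"score": 1}` with a space after the colon is now silently rejected; if the intent is to keep `addParameter` arguments from being split on the Linux side, it may be worth checking whether `parse_request` can take the body on stdin rather than as an argument. sendRequest's body continues past the end of the hunk.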

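--- a/src/internal/ParseUtils.h
+++ b/src/internal/ParseUtils.h
@@ -232,6 +232,20 @@ class ParseUtils {
 delete[] value;
 return false;
 }
+
+static bool isSanitizedString(const String& userData) {
+static char badChars[] = " \t\n\r";
+int k;
+int i;
+for(k = 0; k < userData.length(); k++) {
+for(i = 0; i < strlen(badChars); i++) {
+if(userData[k] == badChars[i]){
+return false;
+}
+}
+}
+return true;
+}
 };
 
 #endif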
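Review bot: `isSanitizedString` (line 236) is a validator rather than a sanitizer, and it rejects only space, tab, CR and LF; nothing in the header says what those four characters threaten, so a reader cannot judge whether shell metacharacters (`;`, `|`, `$`, backquote) or NUL also matter for `parse_request`. If the parameters ever reach a shell on the Linux side this deny-list is far from enough, and if they are passed as exec-style argv the rule is only about a transport that splits on whitespace — either way a header comment should state the threat, e.g. `// Rejects strings that cannot be passed to parse_request as one argument (whitespace, NUL). Does not escape shell metacharacters.` Separately, the inner loop re-evaluates `strlen(badChars)` for every character, `badChars` is a mutable `static char[]`, and `k`/`i` are `int` compared against an unsigned `length()`; one `strchr` per character does the same work. The enclosing `class ParseUtils` begins before this hunk.
```cpp
// Returns false if userData contains a character that cannot travel to
// parse_request as a single argument: space, tab, CR, LF, or NUL.
// This does NOT escape shell metacharacters; it only rejects separators.
static bool isSanitizedString(const String& userData) {
    static const char badChars[] = " \t\n\r";
    for (unsigned int k = 0; k < userData.length(); k++) {
        // strchr also matches the terminating NUL, so a NUL byte is rejected too.
        if (strchr(badChars, userData[k]) != NULL) {
            return false;
        }
    }
    return true;
}
```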
