Check for pressence of query and body

This commit is contained in:
Paul 2024-03-11 19:05:58 +00:00 committed by Anton Georgiev
parent 916d601d2b
commit 1e9e461f50
6 changed files with 48 additions and 40 deletions


@ -3,6 +3,8 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.NotEmpty;
import org.bigbluebutton.api.util.ParamsUtil;
import javax.servlet.http.HttpServletRequest;
public abstract class Checksum {
@NotEmpty(message = "You must provide the API call", groups = ChecksumValidationGroup.class)
@ -13,9 +15,12 @@ public abstract class Checksum {
protected String queryStringWithoutChecksum;
public Checksum(String apiCall, String checksum) {
protected HttpServletRequest request;
public Checksum(String apiCall, String checksum, HttpServletRequest request) {
this.apiCall = ParamsUtil.sanitizeString(apiCall);
this.checksum = ParamsUtil.sanitizeString(checksum);
this.request = request;
}
public String getApiCall() {
@ -30,10 +35,14 @@ public abstract class Checksum {
return checksum;
}
public HttpServletRequest getRequest() { return request; }
public void setChecksum(String checksum) {
this.checksum = checksum;
}
public void setRequest(HttpServletRequest request) { this.request = request; }
public String getQueryStringWithoutChecksum() {
return queryStringWithoutChecksum;
}
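Review bot: The new `request` field is assigned in the constructor without a null guard, and `GetChecksumValidator` in this same commit calls `checksum.getRequest().getQueryString()` on it, so a `Checksum` built with a null request fails with a NullPointerException inside validation instead of a clear error. Either reject null at construction, `this.request = Objects.requireNonNull(request, "request");` (needs `import java.util.Objects;`), or have the validator treat a missing request as a validation failure. The public `setRequest` setter also makes the stored request replaceable after construction; if no caller needs that, dropping it keeps the checksum object fixed once built. A one-line Javadoc on the field saying the servlet request is retained so validators can inspect the query string and body would help the next reader.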


@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.GetChecksumConstraint;
import org.bigbluebutton.api.util.ParamsUtil;
import javax.servlet.http.HttpServletRequest;
import javax.validation.constraints.NotEmpty;
@GetChecksumConstraint(groups = ChecksumValidationGroup.class)
@ -11,8 +12,8 @@ public class GetChecksum extends Checksum {
@NotEmpty(message = "You must provide the query string")
private String queryString;
public GetChecksum(String apiCall, String checksum, String queryString) {
super(apiCall, checksum);
public GetChecksum(String apiCall, String checksum, String queryString, HttpServletRequest request) {
super(apiCall, checksum, request);
this.queryString = ParamsUtil.sanitizeString(queryString);
removeChecksumFromQueryString();
}


@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.PostChecksumConstraint;
import org.bigbluebutton.api.service.ValidationService;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
@PostChecksumConstraint(groups = ChecksumValidationGroup.class)
@ -10,8 +11,8 @@ public class PostChecksum extends Checksum {
Map<String, String[]> params;
public PostChecksum(String apiCall, String checksum, Map<String, String[]> params) {
super(apiCall, checksum);
public PostChecksum(String apiCall, String checksum, Map<String, String[]> params, HttpServletRequest request) {
super(apiCall, checksum, request);
this.params = params;
queryStringWithoutChecksum = ValidationService.buildQueryStringFromParamsMap(params);
}


@ -1,5 +1,6 @@
package org.bigbluebutton.api.model.validator;
import javax.servlet.http.HttpServletRequest;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
@ -22,6 +23,12 @@ public class GetChecksumValidator implements ConstraintValidator<GetChecksumCons
String securitySalt = ServiceUtils.getValidationService().getSecuritySalt();
String supportedChecksumAlgorithms = ServiceUtils.getValidationService().getSupportedChecksumAlgorithms();
HttpServletRequest request = checksum.getRequest();
boolean queryStringPresent = request.getQueryString() != null && !request.getQueryString().isEmpty();
boolean requestBodyPresent = request.getContentLength() > 0;
if (queryStringPresent && requestBodyPresent) return false;
if (securitySalt.isEmpty()) {
log.warn("Security is disabled in this service. Make sure this is intentional.");
return true;
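Review bot: `request.getContentLength() > 0` does not detect a body whose length is not declared: the servlet API returns -1 when the length is unknown (chunked transfer encoding), so `requestBodyPresent` is false for such a request even though a body is present. A more reliable signal combines the declared length with the transfer encoding header, e.g. `boolean requestBodyPresent = request.getContentLengthLong() > 0 || request.getHeader("Transfer-Encoding") != null;`. The early `return false` also emits no log line, so an operator diagnosing a rejected call only sees the constraint's generic message; a `log.warn` naming the API call before returning would help. `request.getQueryString()` is evaluated twice on the `queryStringPresent` line; assigning it once to a local is cleaner. isValid starts and ends outside this hunk.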


@ -9,6 +9,7 @@ import org.bigbluebutton.api.util.ParamsUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServletRequest;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
@ -70,11 +71,13 @@ public class ValidationService {
validator = validatorFactory.getValidator();
}
public Map<String, String> validate(ApiCall apiCall, Map<String, String[]> params, String queryString) {
public Map<String, String> validate(ApiCall apiCall, HttpServletRequest servletRequest) {
String queryString = servletRequest.getQueryString();
Map<String, String[]> params = servletRequest.getParameterMap();
log.info("Validating {} request with query string {}", apiCall.getName(), queryString);
params = sanitizeParams(params);
Request request = initializeRequest(apiCall, params, queryString);
Request request = initializeRequest(apiCall, params, queryString, servletRequest);
Map<String,String> violations = new HashMap<>();
if(request == null) {
@ -101,7 +104,7 @@ public class ValidationService {
}
}
private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString) {
private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString, HttpServletRequest servletRequest) {
Request request = null;
Checksum checksum;
@ -116,7 +119,7 @@ public class ValidationService {
switch(apiCall.requestType) {
case GET:
checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString);
checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString, servletRequest);
switch(apiCall) {
case CREATE:
request = new CreateMeeting(checksum);
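Review bot: `validate` now dereferences `servletRequest` on its first two lines with no null check, whereas the old signature accepted already-extracted values; an explicit guard such as `Objects.requireNonNull(servletRequest, "servletRequest");` at the top (or a violation entry when it is missing) turns an absent request into a clear failure rather than a NullPointerException mid-validation. Only the GET branch of `initializeRequest` is visible here; since `PostChecksum`'s constructor in this commit also gained a request parameter, the POST branch outside this hunk presumably needs `servletRequest` passed as well, which is worth confirming. The Javadoc for `validate` should state that the query string and parameter map are now read from the request so callers no longer pre-extract them. Both methods continue past the hunks shown.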


@ -45,6 +45,7 @@ import org.bigbluebutton.web.services.turn.StunServer
import org.bigbluebutton.web.services.turn.RemoteIceCandidate
import org.json.JSONArray
import javax.servlet.ServletRequest
import javax.servlet.http.HttpServletRequest
class ApiController {
private static final String CONTROLLER_NAME = 'ApiController'
@ -109,14 +110,14 @@ class ApiController {
log.info("attendeePW [${attendeePW}]")
log.info("moderatorPW [${moderatorPW}]")
log.info("Content length type [${}]")
if(attendeePW.equals("")) log.info("attendeePW is empty")
if(moderatorPW.equals("")) log.info("moderatorPW is empty")
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.CREATE,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -208,7 +209,6 @@ class ApiController {
}
}
/**********************************************
* JOIN API
*********************************************/
@ -220,8 +220,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.JOIN,
request.getParameterMap(),
request.getQueryString()
request
)
HashMap<String, String> roles = new HashMap<String, String>();
@ -520,8 +519,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.MEETING_RUNNING,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -551,8 +549,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.END,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -595,8 +592,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_MEETING_INFO,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -622,8 +618,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_MEETINGS,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -660,8 +655,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_SESSIONS,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
@ -719,8 +713,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GUEST_WAIT,
request.getParameterMap(),
request.getQueryString()
request
)
if(!(validationResponse == null)) {
msgKey = validationResponse.getKey()
@ -833,8 +826,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.ENTER,
request.getParameterMap(),
request.getQueryString(),
request
)
if(!(validationResponse == null)) {
respMessage = validationResponse.getValue()
@ -991,8 +983,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.STUNS,
request.getParameterMap(),
request.getQueryString(),
request
)
if(!(validationResponse == null)) {
@ -1068,8 +1059,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.SIGN_OUT,
request.getParameterMap(),
request.getQueryString()
request
)
if(validationResponse == null) {
@ -1113,8 +1103,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.INSERT_DOCUMENT,
request.getParameterMap(),
request.getQueryString()
request
)
def externalMeetingId = params.meetingID.toString()
@ -1166,8 +1155,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_JOIN_URL,
request.getParameterMap(),
request.getQueryString(),
request
)
//Validate Session
@ -1266,8 +1254,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.LEARNING_DASHBOARD,
request.getParameterMap(),
request.getQueryString(),
request
)
//Validate Session
@ -1945,8 +1932,8 @@ class ApiController {
redirect(url: newUri)
}
private Map.Entry<String, String> validateRequest(ValidationService.ApiCall apiCall, Map<String, String[]> params, String queryString) {
Map<String, String> violations = validationService.validate(apiCall, params, queryString)
private Map.Entry<String, String> validateRequest(ValidationService.ApiCall apiCall, HttpServletRequest request) {
Map<String, String> violations = validationService.validate(apiCall, request)
Map.Entry<String, String> response = null
if(!violations.isEmpty()) {
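Review bot: `log.info("Content length type [${}]")` in the create hunk logs an empty placeholder and reads like a leftover from debugging; if it is on the new side it should either log the actual values, `log.info("Content length [${request.getContentLength()}] type [${request.getContentType()}]")`, or be removed. The `validateRequest` signature change is applied consistently at every call site shown, and the method itself only needs `request` now, so its old `params`/`queryString` parameters are gone as expected. validateRequest's body continues past the hunk.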