From 1e9e461f505ddbfd986240ccce688094c2b7fa6d Mon Sep 17 00:00:00 2001
From: Paul
Date: Mon, 11 Mar 2024 19:05:58 +0000
Subject: [PATCH] Check for pressence of query and body

---
 .../api/model/shared/Checksum.java | 11 ++++-
 .../api/model/shared/GetChecksum.java | 5 +-
 .../api/model/shared/PostChecksum.java | 5 +-
 .../model/validator/GetChecksumValidator.java | 7 +++
 .../api/service/ValidationService.java | 11 +++--
 .../web/controllers/ApiController.groovy | 49 +++++++------------
 6 files changed, 48 insertions(+), 40 deletions(-)

diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/Checksum.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/Checksum.java
index bc7674a0af..23be59165e 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/Checksum.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/Checksum.java
@@ -3,6 +3,8 @@ package org.bigbluebutton.api.model.shared;
 import org.bigbluebutton.api.model.constraint.NotEmpty;
 import org.bigbluebutton.api.util.ParamsUtil;
+import javax.servlet.http.HttpServletRequest;
+
 public abstract class Checksum {
 @NotEmpty(message = "You must provide the API call", groups = ChecksumValidationGroup.class)
@@ -13,9 +15,12 @@ public abstract class Checksum {
 protected String queryStringWithoutChecksum;
- public Checksum(String apiCall, String checksum) {
+ protected HttpServletRequest request;
+
+ public Checksum(String apiCall, String checksum, HttpServletRequest request) {
 this.apiCall = ParamsUtil.sanitizeString(apiCall);
 this.checksum = ParamsUtil.sanitizeString(checksum);
+ this.request = request;
 }
 public String getApiCall() {
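Review bot: `this.request = request;` makes every `Checksum` hold a reference to the live servlet request, and nothing on the new field says how long that reference may be used; many containers recycle request objects once the response is committed, so a `Checksum` that is cached, logged or handed to an asynchronous path after the call completes would read stale state. Document the field with `/** Originating servlet request; valid only while that request is being processed — do not retain. */`. `apiCall` and `checksum` are sanitized in this constructor while `request` is stored as-is, so an `Objects.requireNonNull(request, "request")` (importing java.util.Objects if the file lacks it) would fail a missing request here rather than inside the validator. Since the only consumer visible in this diff is `GetChecksumValidator`, passing just the values it needs (the query string and whether a body is present) instead of the whole request would also keep the model free of servlet types, but that is a design preference rather than a defect.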
@@ -30,10 +35,14 @@ public abstract class Checksum {
 return checksum;
 }
+ public HttpServletRequest getRequest() { return request; }
+
 public void setChecksum(String checksum) {
 this.checksum = checksum;
 }
+ public void setRequest(HttpServletRequest request) { this.request = request; }
+
 public String getQueryStringWithoutChecksum() {
 return queryStringWithoutChecksum;
 }
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/GetChecksum.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/GetChecksum.java
index 5c639fa1e8..c1df483052 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/GetChecksum.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/GetChecksum.java
@@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
 import org.bigbluebutton.api.model.constraint.GetChecksumConstraint;
 import org.bigbluebutton.api.util.ParamsUtil;
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.constraints.NotEmpty;
 @GetChecksumConstraint(groups = ChecksumValidationGroup.class)
@@ -11,8 +12,8 @@ public class GetChecksum extends Checksum {
 @NotEmpty(message = "You must provide the query string")
 private String queryString;
- public GetChecksum(String apiCall, String checksum, String queryString) {
- super(apiCall, checksum);
+ public GetChecksum(String apiCall, String checksum, String queryString, HttpServletRequest request) {
+ super(apiCall, checksum, request);
 this.queryString = ParamsUtil.sanitizeString(queryString);
 removeChecksumFromQueryString();
 }
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/PostChecksum.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/PostChecksum.java
index d5d72f3756..577c244e63 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/PostChecksum.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/PostChecksum.java
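Review bot: `getRequest()` and `setRequest(...)` are written as one-line accessors, while the neighbouring `setChecksum` and `getQueryStringWithoutChecksum` in this file use the multi-line brace style; expanding the two new methods keeps the class uniform. Nothing in this diff calls `setRequest`, and a public setter allows the request to be swapped after construction; unless a caller outside this diff needs it, drop the setter (the constructor already sets the field), which also lets the field be treated as fixed once the object is built.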
@@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
 import org.bigbluebutton.api.model.constraint.PostChecksumConstraint;
 import org.bigbluebutton.api.service.ValidationService;
+import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 @PostChecksumConstraint(groups = ChecksumValidationGroup.class)
@@ -10,8 +11,8 @@ public class PostChecksum extends Checksum {
 Map params;
- public PostChecksum(String apiCall, String checksum, Map params) {
- super(apiCall, checksum);
+ public PostChecksum(String apiCall, String checksum, Map params, HttpServletRequest request) {
+ super(apiCall, checksum, request);
 this.params = params;
 queryStringWithoutChecksum = ValidationService.buildQueryStringFromParamsMap(params);
 }
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/validator/GetChecksumValidator.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/validator/GetChecksumValidator.java
index 0e439c7263..18e29c1dc8 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/model/validator/GetChecksumValidator.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/model/validator/GetChecksumValidator.java
@@ -1,5 +1,6 @@
 package org.bigbluebutton.api.model.validator;
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
@@ -22,6 +23,12 @@ public class GetChecksumValidator implements ConstraintValidator 0;
+
+ if (queryStringPresent && requestBodyPresent) return false;
+
 if (securitySalt.isEmpty()) {
 log.warn("Security is disabled in this service. Make sure this is intentional.");
 return true;
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
index b26b367adb..070e7b6863 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
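Review bot: The new guard `if (queryStringPresent && requestBodyPresent) return false;` fails validation without registering anything on the `ConstraintValidatorContext` parameter, so `ValidationService.validate` and the controller will only see the constraint's default message and cannot distinguish a request that mixed a query string with a body from one with a bad checksum; call `disableDefaultConstraintViolation()` and `buildConstraintViolationWithTemplate("...").addConstraintViolation()` on the context before returning. The definitions of `queryStringPresent` and `requestBodyPresent`, like the enclosing method signature, are truncated in this rendering (everything between `ConstraintValidator` and `0;` is missing), so I can only infer that the body test compares a length with 0; if it is `request.getContentLength() > 0`, remember that the servlet API returns -1 when the length is unknown (chunked transfer encoding), which would make such a body count as absent — `getContentLengthLong()`, `getContentType()` or the presence of non-query parameters in the parameter map is a more dependable signal. A short comment stating the intent would help the next reader, e.g. `// The GET checksum covers only the query string; reject requests that also carry a body so body parameters cannot be mixed into the validated set.` — presumably the reason for the change, please confirm. `PostChecksum` now receives the request as well, but no corresponding check is added to its validator in this diff; worth confirming whether the same ambiguity applies there. The enclosing isValid method starts before and ends after the hunk.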
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
@@ -9,6 +9,7 @@ import org.bigbluebutton.api.util.ParamsUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.ConstraintViolation;
 import javax.validation.Validation;
 import javax.validation.Validator;
@@ -70,11 +71,13 @@ public class ValidationService {
 validator = validatorFactory.getValidator();
 }
- public Map validate(ApiCall apiCall, Map params, String queryString) {
+ public Map validate(ApiCall apiCall, HttpServletRequest servletRequest) {
+ String queryString = servletRequest.getQueryString();
+ Map params = servletRequest.getParameterMap();
 log.info("Validating {} request with query string {}", apiCall.getName(), queryString);
 params = sanitizeParams(params);
- Request request = initializeRequest(apiCall, params, queryString);
+ Request request = initializeRequest(apiCall, params, queryString, servletRequest);
 Map violations = new HashMap<>();
 if(request == null) {
@@ -101,7 +104,7 @@ public class ValidationService {
 }
 }
- private Request initializeRequest(ApiCall apiCall, Map params, String queryString) {
+ private Request initializeRequest(ApiCall apiCall, Map params, String queryString, HttpServletRequest servletRequest) {
 Request request = null;
 Checksum checksum;
@@ -116,7 +119,7 @@ public class ValidationService {
 switch(apiCall.requestType) {
 case GET:
- checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString);
+ checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString, servletRequest);
 switch(apiCall) {
 case CREATE:
 request = new CreateMeeting(checksum);
diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
index 8e49638816..280e0b82d8 100755
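Review bot: `validate` now derives both inputs from the request (`servletRequest.getQueryString()`, `servletRequest.getParameterMap()`) but has no guard for a null `servletRequest`, so a wiring mistake surfaces as an NPE before the `log.info` line; `Objects.requireNonNull(servletRequest, "servletRequest");` as the first statement (importing java.util.Objects if the file lacks it) gives a clear failure instead. The public contract also changed — callers can no longer choose which query string is checked — and that deserves Javadoc, e.g. `/** Validates {@code apiCall} against the query string and parameter map of {@code servletRequest}; the returned map is empty when the request passes. */` (the "empty when valid" part is inferred from the controller's `violations.isEmpty()` check, confirm). The same null assumption is carried into `initializeRequest` in the next hunk. `validate`'s body continues past the hunk.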
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -45,6 +45,7 @@ import org.bigbluebutton.web.services.turn.StunServer
 import org.bigbluebutton.web.services.turn.RemoteIceCandidate
 import org.json.JSONArray
 import javax.servlet.ServletRequest
+import javax.servlet.http.HttpServletRequest
 class ApiController {
 private static final String CONTROLLER_NAME = 'ApiController'
@@ -109,14 +110,14 @@ class ApiController {
 log.info("attendeePW [${attendeePW}]")
 log.info("moderatorPW [${moderatorPW}]")
+ log.info("Content length type [${}]")
 if(attendeePW.equals("")) log.info("attendeePW is empty")
 if(moderatorPW.equals("")) log.info("moderatorPW is empty")
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.CREATE,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
@@ -208,7 +209,6 @@ class ApiController {
 }
 }
- /**********************************************
 * JOIN API
 *********************************************/
@@ -220,8 +220,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.JOIN,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 HashMap roles = new HashMap();
@@ -520,8 +519,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.MEETING_RUNNING,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
@@ -551,8 +549,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.END,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
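Review bot: `log.info("Content length type [${}]")` contains an empty `${}` interpolation, so it records nothing meaningful inside the brackets on every create call and reads like a leftover debugging line; either remove it or log the values it was meant to show at debug level, e.g. `log.debug("Content-Length [${request.getContentLength()}] Content-Type [${request.getContentType()}]")`. The neighbouring `log.info("attendeePW [${attendeePW}]")` / `moderatorPW` lines predate this commit but write meeting passwords to the log at INFO, and deserve the same cleanup while this block is being edited. The create action's body extends outside the hunk.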
@@ -595,8 +592,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.GET_MEETING_INFO,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
@@ -622,8 +618,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.GET_MEETINGS,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
@@ -660,8 +655,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.GET_SESSIONS,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
@@ -719,8 +713,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.GUEST_WAIT,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(!(validationResponse == null)) {
 msgKey = validationResponse.getKey()
@@ -833,8 +826,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.ENTER,
- request.getParameterMap(),
- request.getQueryString(),
+ request
 )
 if(!(validationResponse == null)) {
 respMessage = validationResponse.getValue()
@@ -991,8 +983,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.STUNS,
- request.getParameterMap(),
- request.getQueryString(),
+ request
 )
 if(!(validationResponse == null)) {
@@ -1068,8 +1059,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.SIGN_OUT,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 if(validationResponse == null) {
@@ -1113,8 +1103,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.INSERT_DOCUMENT,
- request.getParameterMap(),
- request.getQueryString()
+ request
 )
 def externalMeetingId = params.meetingID.toString()
@@ -1166,8 +1155,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.GET_JOIN_URL,
- request.getParameterMap(),
- request.getQueryString(),
+ request
 )
 //Validate Session
@@ -1266,8 +1254,7 @@ class ApiController {
 Map.Entry validationResponse = validateRequest(
 ValidationService.ApiCall.LEARNING_DASHBOARD,
- request.getParameterMap(),
- request.getQueryString(),
+ request
 )
 //Validate Session
@@ -1945,8 +1932,8 @@ class ApiController {
 redirect(url: newUri)
 }
- private Map.Entry validateRequest(ValidationService.ApiCall apiCall, Map params, String queryString) {
- Map violations = validationService.validate(apiCall, params, queryString)
+ private Map.Entry validateRequest(ValidationService.ApiCall apiCall, HttpServletRequest request) {
+ Map violations = validationService.validate(apiCall, request)
 Map.Entry response = null
 if(!violations.isEmpty()) {
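Review bot: The new parameter is named `request`, which inside `validateRequest` shadows the controller's injected `request` property; every call site in this diff passes that same property so it is harmless today, but a distinct name removes the ambiguity and matches `ValidationService.validate`: `private Map.Entry validateRequest(ValidationService.ApiCall apiCall, HttpServletRequest servletRequest) {` and `Map violations = validationService.validate(apiCall, servletRequest)`. A one-line comment on the method, e.g. `// Runs checksum and parameter validation for apiCall against the current servlet request; null when it passes, otherwise the first violation.`, would also spell out the return convention that the callers' `validationResponse == null` checks rely on — the "first violation" part is inferred from the `Map.Entry` type, confirm against the rest of the body. `validateRequest`'s body continues outside the hunk.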