Check for pressence of query and body

Paul 2024-03-11 19:05:58 +00:00 committed by Anton Georgiev
parent 916d601d2b
commit 1e9e461f50
6 changed files with 48 additions and 40 deletions


@ -3,6 +3,8 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.NotEmpty; import org.bigbluebutton.api.model.constraint.NotEmpty;
import org.bigbluebutton.api.util.ParamsUtil; import org.bigbluebutton.api.util.ParamsUtil;
import javax.servlet.http.HttpServletRequest;
public abstract class Checksum { public abstract class Checksum {
@NotEmpty(message = "You must provide the API call", groups = ChecksumValidationGroup.class) @NotEmpty(message = "You must provide the API call", groups = ChecksumValidationGroup.class)
@ -13,9 +15,12 @@ public abstract class Checksum {
protected String queryStringWithoutChecksum; protected String queryStringWithoutChecksum;
public Checksum(String apiCall, String checksum) { protected HttpServletRequest request;
public Checksum(String apiCall, String checksum, HttpServletRequest request) {
this.apiCall = ParamsUtil.sanitizeString(apiCall); this.apiCall = ParamsUtil.sanitizeString(apiCall);
this.checksum = ParamsUtil.sanitizeString(checksum); this.checksum = ParamsUtil.sanitizeString(checksum);
this.request = request;
} }
public String getApiCall() { public String getApiCall() {
@ -30,10 +35,14 @@ public abstract class Checksum {
return checksum; return checksum;
} }
public HttpServletRequest getRequest() { return request; }
public void setChecksum(String checksum) { public void setChecksum(String checksum) {
this.checksum = checksum; this.checksum = checksum;
} }
public void setRequest(HttpServletRequest request) { this.request = request; }
public String getQueryStringWithoutChecksum() { public String getQueryStringWithoutChecksum() {
return queryStringWithoutChecksum; return queryStringWithoutChecksum;
} }
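Review bot: The new `request` field is dereferenced by the validators (`checksum.getRequest().getQueryString()` in GetChecksumValidator) with no null guard, yet the constructor at L20 and `setRequest` at L33 accept null without complaint, so a caller that builds a Checksum without a request turns into a NullPointerException inside bean validation rather than a violation. If no caller legitimately passes null, fail early in the constructor with `this.request = Objects.requireNonNull(request, "request");` (needs `java.util.Objects`). Either way the field deserves a Javadoc stating that it holds the live servlet request of the call being validated and is only valid for the duration of that request, since a model object that outlives the request would be holding a recycled container object. The class continues outside this hunk.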


@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.GetChecksumConstraint; import org.bigbluebutton.api.model.constraint.GetChecksumConstraint;
import org.bigbluebutton.api.util.ParamsUtil; import org.bigbluebutton.api.util.ParamsUtil;
import javax.servlet.http.HttpServletRequest;
import javax.validation.constraints.NotEmpty; import javax.validation.constraints.NotEmpty;
@GetChecksumConstraint(groups = ChecksumValidationGroup.class) @GetChecksumConstraint(groups = ChecksumValidationGroup.class)
@ -11,8 +12,8 @@ public class GetChecksum extends Checksum {
@NotEmpty(message = "You must provide the query string") @NotEmpty(message = "You must provide the query string")
private String queryString; private String queryString;
public GetChecksum(String apiCall, String checksum, String queryString) { public GetChecksum(String apiCall, String checksum, String queryString, HttpServletRequest request) {
super(apiCall, checksum); super(apiCall, checksum, request);
this.queryString = ParamsUtil.sanitizeString(queryString); this.queryString = ParamsUtil.sanitizeString(queryString);
removeChecksumFromQueryString(); removeChecksumFromQueryString();
} }


@ -3,6 +3,7 @@ package org.bigbluebutton.api.model.shared;
import org.bigbluebutton.api.model.constraint.PostChecksumConstraint; import org.bigbluebutton.api.model.constraint.PostChecksumConstraint;
import org.bigbluebutton.api.service.ValidationService; import org.bigbluebutton.api.service.ValidationService;
import javax.servlet.http.HttpServletRequest;
import java.util.Map; import java.util.Map;
@PostChecksumConstraint(groups = ChecksumValidationGroup.class) @PostChecksumConstraint(groups = ChecksumValidationGroup.class)
@ -10,8 +11,8 @@ public class PostChecksum extends Checksum {
Map<String, String[]> params; Map<String, String[]> params;
public PostChecksum(String apiCall, String checksum, Map<String, String[]> params) { public PostChecksum(String apiCall, String checksum, Map<String, String[]> params, HttpServletRequest request) {
super(apiCall, checksum); super(apiCall, checksum, request);
this.params = params; this.params = params;
queryStringWithoutChecksum = ValidationService.buildQueryStringFromParamsMap(params); queryStringWithoutChecksum = ValidationService.buildQueryStringFromParamsMap(params);
} }


@ -1,5 +1,6 @@
package org.bigbluebutton.api.model.validator; package org.bigbluebutton.api.model.validator;
import javax.servlet.http.HttpServletRequest;
import javax.validation.ConstraintValidator; import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext; import javax.validation.ConstraintValidatorContext;
@ -22,6 +23,12 @@ public class GetChecksumValidator implements ConstraintValidator<GetChecksumCons
String securitySalt = ServiceUtils.getValidationService().getSecuritySalt(); String securitySalt = ServiceUtils.getValidationService().getSecuritySalt();
String supportedChecksumAlgorithms = ServiceUtils.getValidationService().getSupportedChecksumAlgorithms(); String supportedChecksumAlgorithms = ServiceUtils.getValidationService().getSupportedChecksumAlgorithms();
HttpServletRequest request = checksum.getRequest();
boolean queryStringPresent = request.getQueryString() != null && !request.getQueryString().isEmpty();
boolean requestBodyPresent = request.getContentLength() > 0;
if (queryStringPresent && requestBodyPresent) return false;
if (securitySalt.isEmpty()) { if (securitySalt.isEmpty()) {
log.warn("Security is disabled in this service. Make sure this is intentional."); log.warn("Security is disabled in this service. Make sure this is intentional.");
return true; return true;
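Review bot: The body-presence check at L83 relies on `getContentLength() > 0`, which returns -1 whenever no Content-Length header is sent (chunked transfer encoding), so a request that carries both a query string and a chunked body passes the new check unchanged. Consider also treating a declared transfer encoding as a body, e.g. `boolean requestBodyPresent = request.getContentLength() > 0 || request.getHeader("Transfer-Encoding") != null;`, and reading the query string once into a local instead of calling `getQueryString()` twice at L82. The early `return false` at L84 produces only the annotation's default message; if the `ConstraintValidatorContext` parameter of `isValid` is in scope (its import is visible at L77), a dedicated violation template would tell the caller why the request was rejected. Only the GET validator gains this check; PostChecksum now receives the request too, but no corresponding change to its validator is among the six files in this commit, which may be intentional. The enclosing `isValid` method starts and ends outside this hunk.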


@ -9,6 +9,7 @@ import org.bigbluebutton.api.util.ParamsUtil;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServletRequest;
import javax.validation.ConstraintViolation; import javax.validation.ConstraintViolation;
import javax.validation.Validation; import javax.validation.Validation;
import javax.validation.Validator; import javax.validation.Validator;
@ -70,11 +71,13 @@ public class ValidationService {
validator = validatorFactory.getValidator(); validator = validatorFactory.getValidator();
} }
public Map<String, String> validate(ApiCall apiCall, Map<String, String[]> params, String queryString) { public Map<String, String> validate(ApiCall apiCall, HttpServletRequest servletRequest) {
String queryString = servletRequest.getQueryString();
Map<String, String[]> params = servletRequest.getParameterMap();
log.info("Validating {} request with query string {}", apiCall.getName(), queryString); log.info("Validating {} request with query string {}", apiCall.getName(), queryString);
params = sanitizeParams(params); params = sanitizeParams(params);
Request request = initializeRequest(apiCall, params, queryString); Request request = initializeRequest(apiCall, params, queryString, servletRequest);
Map<String,String> violations = new HashMap<>(); Map<String,String> violations = new HashMap<>();
if(request == null) { if(request == null) {
@ -101,7 +104,7 @@ public class ValidationService {
} }
} }
private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString) { private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString, HttpServletRequest servletRequest) {
Request request = null; Request request = null;
Checksum checksum; Checksum checksum;
@ -116,7 +119,7 @@ public class ValidationService {
switch(apiCall.requestType) { switch(apiCall.requestType) {
case GET: case GET:
checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString); checksum = new GetChecksum(apiCall.getName(), checksumValue, queryString, servletRequest);
switch(apiCall) { switch(apiCall) {
case CREATE: case CREATE:
request = new CreateMeeting(checksum); request = new CreateMeeting(checksum);
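Review bot: The public `validate` signature changed at L101 without documentation of the new contract: the query string and parameter map are now read from `servletRequest` at L102-L103, and `servletRequest.getQueryString()` may be null, which then flows into the log line at L104 and into `initializeRequest`. A short Javadoc would help callers, e.g. `/** Validates the given API call against the raw servlet request; the query string and parameter map are taken from the request, and the returned map is empty when no violations were found. */`. The `validate` and `initializeRequest` methods both continue outside their hunks.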


@ -45,6 +45,7 @@ import org.bigbluebutton.web.services.turn.StunServer
import org.bigbluebutton.web.services.turn.RemoteIceCandidate import org.bigbluebutton.web.services.turn.RemoteIceCandidate
import org.json.JSONArray import org.json.JSONArray
import javax.servlet.ServletRequest import javax.servlet.ServletRequest
import javax.servlet.http.HttpServletRequest
class ApiController { class ApiController {
private static final String CONTROLLER_NAME = 'ApiController' private static final String CONTROLLER_NAME = 'ApiController'
@ -109,14 +110,14 @@ class ApiController {
log.info("attendeePW [${attendeePW}]") log.info("attendeePW [${attendeePW}]")
log.info("moderatorPW [${moderatorPW}]") log.info("moderatorPW [${moderatorPW}]")
log.info("Content length type [${}]")
if(attendeePW.equals("")) log.info("attendeePW is empty") if(attendeePW.equals("")) log.info("attendeePW is empty")
if(moderatorPW.equals("")) log.info("moderatorPW is empty") if(moderatorPW.equals("")) log.info("moderatorPW is empty")
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.CREATE, ValidationService.ApiCall.CREATE,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -208,7 +209,6 @@ class ApiController {
} }
} }
/********************************************** /**********************************************
* JOIN API * JOIN API
*********************************************/ *********************************************/
@ -220,8 +220,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.JOIN, ValidationService.ApiCall.JOIN,
request.getParameterMap(), request
request.getQueryString()
) )
HashMap<String, String> roles = new HashMap<String, String>(); HashMap<String, String> roles = new HashMap<String, String>();
@ -520,8 +519,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.MEETING_RUNNING, ValidationService.ApiCall.MEETING_RUNNING,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -551,8 +549,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.END, ValidationService.ApiCall.END,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -595,8 +592,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_MEETING_INFO, ValidationService.ApiCall.GET_MEETING_INFO,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -622,8 +618,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_MEETINGS, ValidationService.ApiCall.GET_MEETINGS,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -660,8 +655,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_SESSIONS, ValidationService.ApiCall.GET_SESSIONS,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -719,8 +713,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GUEST_WAIT, ValidationService.ApiCall.GUEST_WAIT,
request.getParameterMap(), request
request.getQueryString()
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
msgKey = validationResponse.getKey() msgKey = validationResponse.getKey()
@ -833,8 +826,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.ENTER, ValidationService.ApiCall.ENTER,
request.getParameterMap(), request
request.getQueryString(),
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
respMessage = validationResponse.getValue() respMessage = validationResponse.getValue()
@ -991,8 +983,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.STUNS, ValidationService.ApiCall.STUNS,
request.getParameterMap(), request
request.getQueryString(),
) )
if(!(validationResponse == null)) { if(!(validationResponse == null)) {
@ -1068,8 +1059,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.SIGN_OUT, ValidationService.ApiCall.SIGN_OUT,
request.getParameterMap(), request
request.getQueryString()
) )
if(validationResponse == null) { if(validationResponse == null) {
@ -1113,8 +1103,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.INSERT_DOCUMENT, ValidationService.ApiCall.INSERT_DOCUMENT,
request.getParameterMap(), request
request.getQueryString()
) )
def externalMeetingId = params.meetingID.toString() def externalMeetingId = params.meetingID.toString()
@ -1166,8 +1155,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.GET_JOIN_URL, ValidationService.ApiCall.GET_JOIN_URL,
request.getParameterMap(), request
request.getQueryString(),
) )
//Validate Session //Validate Session
@ -1266,8 +1254,7 @@ class ApiController {
Map.Entry<String, String> validationResponse = validateRequest( Map.Entry<String, String> validationResponse = validateRequest(
ValidationService.ApiCall.LEARNING_DASHBOARD, ValidationService.ApiCall.LEARNING_DASHBOARD,
request.getParameterMap(), request
request.getQueryString(),
) )
//Validate Session //Validate Session
@ -1945,8 +1932,8 @@ class ApiController {
redirect(url: newUri) redirect(url: newUri)
} }
private Map.Entry<String, String> validateRequest(ValidationService.ApiCall apiCall, Map<String, String[]> params, String queryString) { private Map.Entry<String, String> validateRequest(ValidationService.ApiCall apiCall, HttpServletRequest request) {
Map<String, String> violations = validationService.validate(apiCall, params, queryString) Map<String, String> violations = validationService.validate(apiCall, request)
Map.Entry<String, String> response = null Map.Entry<String, String> response = null
if(!violations.isEmpty()) { if(!violations.isEmpty()) {
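Review bot: The added line at L135, `log.info("Content length type [${}]")`, has an empty GString placeholder and logs nothing meaningful; it reads as a leftover debug statement and should be removed before merge (or, if the intent was to record the request body size, made to log `request.getContentLength()`). The neighbouring pre-existing lines at L133-L134 print attendeePW and moderatorPW at info level; they are not part of this change, but since this commit is already touching that block it is a good moment to drop them so credentials stop landing in the log. The removal of `request.getQueryString()` from the fourteen `validateRequest` call sites is consistent with the new `validateRequest(ValidationService.ApiCall, HttpServletRequest)` signature at L246. The `create` action containing L135 continues outside its hunk.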