From bba51c38fa386d9e5b6aaf0cf054b301c8a77261 Mon Sep 17 00:00:00 2001
From: GuiLeme
Date: Thu, 9 Nov 2023 09:50:38 -0300
Subject: [PATCH] [GHSA-j42p-fh2w-24q6] - validate URL for external upload of presentation.
---
 .../api/service/ValidationService.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
index 7971c456c3..b26b367adb 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
@@ -14,6 +14,9 @@ import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
 import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.net.URL;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
@@ -76,6 +79,11 @@ public class ValidationService {
 if(request == null) {
 violations.put("validationError", "Request not recognized");
+ } else if(params.containsKey("presentationUploadExternalUrl")) {
+ String urlToValidate = params.get("presentationUploadExternalUrl")[0];
+ if(!this.isValidURL(urlToValidate)) {
+ violations.put("validationError", "Param 'presentationUploadExternalUrl' is not a valid URL");
+ }
 } else {
 request.populateFromParamsMap(params);
 violations = performValidation(request);
@@ -84,6 +92,15 @@ public class ValidationService {
 return violations;
 }
+ boolean isValidURL(String url) {
+ try {
+ new URL(url).toURI();
+ return true;
+ } catch (MalformedURLException | URISyntaxException e) {
+ return false;
+ }
+ }
+
 private Request initializeRequest(ApiCall apiCall, Map params, String queryString) {
 Request request = null;
 Checksum checksum;
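Review bot: A request that carries `presentationUploadExternalUrl` never reaches `request.populateFromParamsMap(params)` or `performValidation(request)`, because the new check in the second hunk is an `else if` placed ahead of the existing `else`; with a well-formed URL the method returns `violations` with nothing added to it. What `performValidation` enforces is not visible here, but whatever it checks is skipped for every call that includes this parameter, so the URL check should run in addition to the regular validation rather than instead of it. `params.get("presentationUploadExternalUrl")[0]` also assumes a non-null, non-empty array. The enclosing method starts and ends outside the hunk, and the sketch below assumes the map returned by `performValidation` is mutable.

```java
// … unchanged: if(request == null) branch, then the existing plain else branch …
            violations = performValidation(request);
            // Extra check runs after, not instead of, the regular validation.
            if (params.containsKey("presentationUploadExternalUrl")) {
                String[] urls = params.get("presentationUploadExternalUrl");
                if (urls == null || urls.length == 0 || !isValidURL(urls[0])) {
                    violations.put("validationError", "Param 'presentationUploadExternalUrl' is not a valid URL");
                }
            }
```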
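Review bot: `isValidURL` in the third hunk checks syntax only: `new URL(url).toURI()` succeeds for any scheme the JVM has a protocol handler for, so `file:`, `jar:` and `ftp:` values pass alongside `http(s)`. If the parameter is meant to point at an external web endpoint (the hunk does not show how the value is used later), restrict the scheme explicitly, e.g. `URI uri = new URL(url).toURI();` followed by `return "http".equalsIgnoreCase(uri.getScheme()) || "https".equalsIgnoreCase(uri.getScheme());`, which needs `java.net.URI` imported. The method could also be `private` and carry a one-line Javadoc stating which URLs it accepts.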