Merge pull request from GHSA-j42p-fh2w-24q6

fix(sec): validate URL for external upload of presentation
2024-01-11 16:16:38 -05:00 · 2024-01-11 16:16:38 -05:00 · fd8c927140
commit fd8c927140
parent 59cdb136ad bba51c38fa
1 changed files with 17 additions and 0 deletions
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
@ -14,6 +14,9 @@ import javax.validation.Validation;
 import javax.validation.Validator;
 import javax.validation.ValidatorFactory;
 import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.net.URL;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
@ -76,6 +79,11 @@ public class ValidationService {

        if(request == null) {
            violations.put("validationError", "Request not recognized");
+        } else if(params.containsKey("presentationUploadExternalUrl")) {
+            String urlToValidate = params.get("presentationUploadExternalUrl")[0];
+            if(!this.isValidURL(urlToValidate)) {
+                violations.put("validationError", "Param 'presentationUploadExternalUrl' is not a valid URL");
+            }
        } else {
            request.populateFromParamsMap(params);
            violations = performValidation(request);
@ -84,6 +92,15 @@ public class ValidationService {
        return violations;
    }

+    boolean isValidURL(String url) {
+        try {
+            new URL(url).toURI();
+            return true;
+        } catch (MalformedURLException | URISyntaxException e) {
+            return false;
+        }
+    }
+
    private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString) {
        Request request = null;
        Checksum checksum;