BigBlueButton/bigbluebutton-Github
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request from GHSA-j42p-fh2w-24q6

Browse Source 
fix(sec): validate URL for external upload of presentation
This commit is contained in:
Anton Georgiev 2024-01-11 16:16:38 -05:00 committed by GitHub
commit fd8c927140
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
bbb-common-web/src/main/java/org/bigbluebutton/api/service/ValidationService.java
View File

@ -14,6 +14,9 @@ import javax.validation.Validation;
import javax.validation.Validator; import javax.validation.Validator;
import javax.validation.ValidatorFactory; import javax.validation.ValidatorFactory;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder; import java.net.URLEncoder;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.*; import java.util.*;
@ -76,6 +79,11 @@ public class ValidationService {
if(request == null) { if(request == null) {
violations.put("validationError", "Request not recognized"); violations.put("validationError", "Request not recognized");
} else if(params.containsKey("presentationUploadExternalUrl")) {
String urlToValidate = params.get("presentationUploadExternalUrl")[0];
if(!this.isValidURL(urlToValidate)) {
violations.put("validationError", "Param 'presentationUploadExternalUrl' is not a valid URL");
}
} else { } else {
request.populateFromParamsMap(params); request.populateFromParamsMap(params);
violations = performValidation(request); violations = performValidation(request);
@ -84,6 +92,15 @@ public class ValidationService {
return violations; return violations;
} }
boolean isValidURL(String url) {
try {
new URL(url).toURI();
return true;
} catch (MalformedURLException | URISyntaxException e) {
return false;
}
}
private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString) { private Request initializeRequest(ApiCall apiCall, Map<String, String[]> params, String queryString) {
Request request = null; Request request = null;
Checksum checksum; Checksum checksum;