CLOUDSTACK-863: Fix Non-printable characters in api call

Non-printable characters results in empty pages for all users loading the corrupted object in the web interface. It also results in the API call results getting truncated with an error when it encounters the non-printable characters. Every decoded parameter value is checked for control character using OWASP's ESAPI library. Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
2013-02-11 16:53:12 +05:30 · 2013-02-11 16:53:12 +05:30 · 87b668b71b
parent a621048869
commit 87b668b71b
3 changed files with 16 additions and 0 deletions
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@ -326,6 +326,12 @@ public class ApiServer implements HttpRequestHandler {
                        continue;
                    }
                    String[] value = (String[]) params.get(key);
+                    // fail if parameter value contains ASCII control (non-printable) characters
+                    String newValue = StringUtils.stripControlCharacters(value[0]);
+                    if ( !newValue.equals(value[0]) ) {
+                        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value " + value[0] + " for parameter "
+                                + key + " is invalid, contains illegal ASCII non-printable characters");
+                    }
                    paramMap.put(key, value[0]);
                }

--- a/utils/pom.xml
+++ b/utils/pom.xml
@ -157,6 +157,11 @@
      <artifactId>reflections</artifactId>
      <version>${cs.reflections.version}</version>
    </dependency>
+    <dependency>
+      <groupId>org.owasp.esapi</groupId>
+      <artifactId>esapi</artifactId>
+      <version>2.0.1</version>
+    </dependency>
  </dependencies>
  <build>
    <defaultGoal>install</defaultGoal>
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@ -23,6 +23,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;

+import org.owasp.esapi.StringUtilities;
+
 // StringUtils exists in Apache Commons Lang, but rather than import the entire JAR to our system, for now
 // just implement the method needed
 public class StringUtils {
@ -150,6 +152,9 @@ public class StringUtils {
        return cleanResult;
    }

+    public static String stripControlCharacters(String s) {
+        return StringUtilities.stripControls(s);
+    }

    public static int formatForOutput(String text, int start, int columns, char separator) {
        if (start >= text.length()) {