From 87b668b71b34c93e9ba85d4708a1c04f4020f6bf Mon Sep 17 00:00:00 2001
From: Likitha Shetty
Date: Mon, 11 Feb 2013 16:53:12 +0530
Subject: [PATCH] CLOUDSTACK-863: Fix Non-printable characters in api call

Non-printable characters results in empty pages for all users loading the corrupted object in the web interface. It also results in the API call results getting truncated with an error when it encounters the non-printable characters.

Every decoded parameter value is checked for control character using OWASP's ESAPI library.

Signed-off-by: Rohit Yadav
---
 server/src/com/cloud/api/ApiServer.java    | 6 ++++++
 utils/pom.xml                              | 5 +++++
 utils/src/com/cloud/utils/StringUtils.java | 5 +++++
 3 files changed, 16 insertions(+)

diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index d99d188b5d5..be02f5e48f5 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -326,6 +326,12 @@ public class ApiServer implements HttpRequestHandler {
                 continue;
             }
             String[] value = (String[]) params.get(key);
+            // fail if parameter value contains ASCII control (non-printable) characters
+            String newValue = StringUtils.stripControlCharacters(value[0]);
+            if ( !newValue.equals(value[0]) ) {
+                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value " + value[0] + " for parameter " +
+                        key + " is invalid, contains illegal ASCII non-printable characters");
+            }
             paramMap.put(key, value[0]);
         }
diff --git a/utils/pom.xml b/utils/pom.xml
index 937fad35c0f..e4fd2b0f7e6 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -157,6 +157,11 @@
       reflections
       ${cs.reflections.version}
+
+      org.owasp.esapi
+      esapi
+      2.0.1
+
     install
diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java
index 8f0a503abef..14ff4b1ae94 100644
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
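Review bot: The new `throw` reflects `value[0]` — which at that point is known to contain the control characters — straight into the `ServerApiException` message, so the very bytes this change is meant to keep out of API output are echoed back in the error response (and presumably into whatever logs the exception), reintroducing the truncation/corruption the commit describes; name only the parameter, e.g. `"Value received for parameter " + key + " is invalid, contains illegal ASCII non-printable characters"`, or echo the sanitised `newValue` instead. Separately, if I recall ESAPI 2.0.1 correctly, `StringUtilities.stripControls` replaces every character outside 0x21–0x7E with a space rather than removing only control characters, in which case `!newValue.equals(value[0])` also rejects legitimate non-ASCII text such as accented display names or descriptions — worth confirming against the library before this runs on every API parameter. The helper is also now the first thing to dereference `value[0]`; a null element that previously flowed into `paramMap.put` unchanged would surface here as an exception, depending on how `params` is populated outside the hunk. The enclosing loop and method begin before the hunk.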
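Review bot: The version is hard-coded as `2.0.1` while the adjacent `reflections` entry reads its version from `${cs.reflections.version}`; for consistency and central management, use `<version>${cs.esapi.version}</version>` and define the property where the other `cs.*.version` properties live (presumably the parent pom, which is not in view). Also worth weighing before merge: this pulls the whole OWASP ESAPI library, with its own transitive dependency tree, into `utils` — a module the rest of the build depends on — to back a single one-line helper; check `mvn dependency:tree` for what it brings in and either exclude what is not needed or implement the control-character scan locally so the core module's supply-chain surface stays small.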
@@ -23,6 +23,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;
+import org.owasp.esapi.StringUtilities;
+
 // StringUtils exists in Apache Commons Lang, but rather than import the entire JAR to our system, for now
 // just implement the method needed
 public class StringUtils {
@@ -150,6 +152,9 @@ public class StringUtils {
         return cleanResult;
     }
+    public static String stripControlCharacters(String s) {
+        return StringUtilities.stripControls(s);
+    }
     public static int formatForOutput(String text, int start, int columns, char separator) {
         if (start >= text.length()) {
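Review bot: The header comment shown as context right after the new import — `// StringUtils exists in Apache Commons Lang, but rather than import the entire JAR to our system, for now just implement the method needed` — now contradicts the file, since this hunk imports OWASP ESAPI to back a single method. Either amend the comment to record the exception, e.g. `// Control-character stripping is delegated to OWASP ESAPI's StringUtilities; the other helpers remain dependency-free.`, or honour the class's stated rule and implement the scan locally (a loop over the chars rejecting those below 0x20 or equal to 0x7F) so the import is unnecessary.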