From fc7bb97a37a5baee3308007b8832b2b68fe2bf03 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sun, 28 Feb 2021 23:39:50 -0800
Subject: [PATCH] Added extra sysinfo validation.
---
 common.js | 21 +++++++++++++++++++++
 meshagent.js | 4 ++++
 2 files changed, 25 insertions(+)
diff --git a/common.js b/common.js
index 97eccca0..4f840957 100644
--- a/common.js
+++ b/common.js
@@ -292,4 +292,25 @@ module.exports.meshServerRightsArrayToNumber = function (val) {
 return newAccRights;
 }
 return null;
+}
+
+
+// Validate an object to make sure it can be stored in MongoDB
+module.exports.validateObjectForMongo = function (obj, maxStrLen) {
+ return validateObjectForMongoRec(obj, maxStrLen);
+}
+
+function validateObjectForMongoRec(obj, maxStrLen) {
+ if (typeof obj != 'object') return false;
+ for (var i in obj) {
+ // Check the key name is not too long
+ if (i.length > 100) return false;
+ // Check if all chars are alpha-numeric or underscore.
+ for (var j in i) { const c = i.charCodeAt(j); if ((c < 48) || ((c > 57) && (c < 65)) || ((c > 90) && (c < 97) && (c != 95)) || (c > 122)) return false; }
+ // If the value is a string, check it's not too long
+ if ((typeof obj[i] == 'string') && (obj[i].length > maxStrLen)) return false;
+ // If the value is an object, check it.
+ if ((typeof obj[i] == 'object') && (Array.isArray(obj[i]) == false) && (validateObjectForMongoRec(obj[i], maxStrLen) == false)) return false;
+ }
+ return true;
+}
\ No newline at end of file
diff --git a/meshagent.js b/meshagent.js
index a5069948..893c8a06 100644
--- a/meshagent.js
+++ b/meshagent.js
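Review bot: Array values are never inspected, because the last check in the `for (var i in obj)` loop only recurses when `Array.isArray(obj[i]) == false`, so an agent can sidestep every key and length rule by wrapping the payload in an array (a `$`- or `.`-bearing key, or a string far longer than `maxStrLen`, inside `{ "a": [ ... ] }` passes untouched); the recursion also has no depth bound, so a deeply nested object exhausts the call stack before anything is stored. I would recurse into arrays element by element, thread a depth counter through `validateObjectForMongoRec` (seeded with `0` from `validateObjectForMongo`), and express the key rule as `/^[A-Za-z0-9_]{1,100}$/`, which matches the current character-code test and additionally rejects the empty key name the current loop lets through. The sketch below keeps both function names and the `module.exports` wrapper; the depth cap is a conservative guess and can be tuned, but it should stay below the nesting limit the database enforces.
```javascript
module.exports.validateObjectForMongo = function (obj, maxStrLen) {
    return validateObjectForMongoRec(obj, maxStrLen, 0);
}

const MONGO_MAX_DEPTH = 32;                    // bound recursion; untrusted input must not be able to blow the stack
const MONGO_KEY_RE = /^[A-Za-z0-9_]{1,100}$/;  // no '$', no '.', no empty key, at most 100 chars

function validateObjectForMongoRec(obj, maxStrLen, depth) {
    if (typeof obj != 'object') return false;
    if (obj === null) return true;
    if (depth > MONGO_MAX_DEPTH) return false;
    if (Array.isArray(obj)) {
        // Arrays carry no keys, but every element still gets the same value checks.
        for (var k = 0; k < obj.length; k++) { if (validateMongoValue(obj[k], maxStrLen, depth) == false) return false; }
        return true;
    }
    for (var i in obj) {
        if (MONGO_KEY_RE.test(i) == false) return false;
        if (validateMongoValue(obj[i], maxStrLen, depth) == false) return false;
    }
    return true;
}

// Strings are bounded by maxStrLen, objects and arrays recurse one level deeper, everything else passes.
function validateMongoValue(v, maxStrLen, depth) {
    if (typeof v == 'string') return (v.length <= maxStrLen);
    if (typeof v == 'object') return validateObjectForMongoRec(v, maxStrLen, depth + 1);
    return true;
}
```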
@@ -1360,6 +1360,10 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 }
 case 'sysinfo': {
 if ((typeof command.data == 'object') && (typeof command.data.hash == 'string')) {
+ // Validate command.data.
+ if (common.validateObjectForMongo(command.data, 1024) == false) break;
+
+ // Save to database
 command.data._id = 'si' + obj.dbNodeKey;
 command.data.type = 'sysinfo';
 command.data.domain = domain.id;
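Review bot: A rejected sysinfo is dropped silently by the new `break`, so an agent that keeps sending malformed or oversized data leaves no trace an operator could act on, even though the node is already identified here (`obj.dbNodeKey` is used two lines later to build `_id`). I would record the rejection with whichever debug/log helper this file already uses before breaking, e.g. `if (common.validateObjectForMongo(command.data, 1024) == false) { /* log: rejected sysinfo from obj.dbNodeKey */ break; }`. The `1024` string limit is a bare literal at the call site; a named constant beside the rest of the sysinfo handling would make it easier to keep in step with what the database and UI actually tolerate. The enclosing `case 'sysinfo'` block and the `CreateMeshAgent` function both continue outside the hunk.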