leonetienne/Tubio
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix really bad security vulnerability.

Browse Source
This commit is contained in:
Leonetienne 2022-03-24 19:48:51 +01:00
parent fc0ae6fb40
commit 46f32badc6
7 changed files with 256 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Tubio/CMakeLists.txt
View File

@ -4,7 +4,7 @@ project(Tubio)
# Set C++ standard
set(CMAKE_CXX_STANDARD 17)
# Add StringTools src dir to include dir list
# Add external-directories dir to include dir list
include_directories(./external_dependencies/)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17")
@ -43,7 +43,9 @@ add_executable(Tubio
XGControl.h
external_dependencies/casenta/mongoose/mongoose.c
external_dependencies/casenta/mongoose/mongoose.h
external_dependencies/leonetienne/JasonPP/JasonPP.hpp
external_dependencies/leonetienne/JasonPP/JasonPP.cpp
external_dependencies/leonetienne/JasonPP/JasonPP.hpp
external_dependencies/leonetienne/stringtools/StringTools.cpp
external_dependencies/leonetienne/stringtools/StringTools.h
)

13
Tubio/HttpServer.cpp
View File

@ -1,4 +1,5 @@
#include "HttpServer.h"
#include "external_dependencies/leonetienne/stringtools/StringTools.h"
using namespace Logging;
using namespace Rest;
@ -137,6 +138,15 @@ void HttpServer::EventHandler(mg_connection* pNc, int ev, void* p)
return;
}
std::string HttpServer::SanitizeString(std::string in) {
in = StringTools::Replace(in, '`', "\\\\`");
in = StringTools::Replace(in, '|', "\\\\|");
in = StringTools::Replace(in, '$', "\\\\$");
in = StringTools::Replace(in, "&&", "\\\\&\\\\&");
return in;
}
void HttpServer::ProcessAPIRequest(mg_connection* pNc, int ev, void* p, std::string peerAddress)
{
// Get struct with http message informations
@ -145,6 +155,9 @@ void HttpServer::ProcessAPIRequest(mg_connection* pNc, int ev, void* p, std::str
// Get the transmitted message body
std::string requestBodyRaw = FixUnterminatedString(hpm->body.p, hpm->body.len);
// Sanitize it
requestBodyRaw = SanitizeString(requestBodyRaw);
// Check for the body being valid json
if (IsJsonValid(requestBodyRaw))
{

2
Tubio/HttpServer.h
View File

@ -31,6 +31,8 @@ namespace Rest
static bool IsConnectionAllowed(std::string peer_address, std::string& denialReason);
//! Will remove all `, | and && from a string to prevent remote code execution
static std::string SanitizeString(std::string in);
struct mg_mgr* pMgr;
struct mg_connection* pNc;

2
Tubio/Version.h
View File

@ -1,2 +1,2 @@
#pragma once
#define TUBIO_SERVER_VERSION (0.6)
#define TUBIO_SERVER_VERSION (0.65)

155
Tubio/external_dependencies/leonetienne/stringtools/StringTools.cpp Normal file
View File

@ -0,0 +1,155 @@
#include "StringTools.h"
#include <sstream>
std::string StringTools::Replace(const std::string& str, const char find, const std::string& subst) {
std::stringstream ss;
for (std::size_t i = 0; i < str.length(); i++)
{
if (str[i] != find)
ss << str[i];
else
ss << subst;
}
return ss.str();
}
std::string StringTools::Replace(const std::string& str, const std::string& find, const std::string& subst) {
if (find.length() == 0)
return str;
std::stringstream ss;
std::size_t posFound = 0;
std::size_t lastFound = 0;
while (posFound != std::string::npos)
{
lastFound = posFound;
posFound = str.find(find, posFound);
if (posFound != std::string::npos)
{
ss << str.substr(lastFound, posFound - lastFound) << subst;
posFound += find.length();
}
else
{
ss << str.substr(lastFound, (str.length()) - lastFound);
}
}
return ss.str();
}
std::string StringTools::Replace(const std::string& str, const char find, const char subst) {
std::stringstream ss;
ss << subst;
return Replace(str, find, ss.str());
}
std::string StringTools::Replace(const std::string& str, const std::string& find, const char subst) {
std::stringstream ss;
ss << subst;
return Replace(str, find, ss.str());
}
std::string StringTools::Lower(const std::string& str) {
std::stringstream ss;
for (std::size_t i = 0; i < str.size(); i++)
{
const char c = str[i];
// Quick-accept: regular letters
if ((c >= 'A') && (c <= 'Z'))
ss << (char)(c | 32);
// Else: keep the character as is
else ss << c;
}
return ss.str();
}
std::string StringTools::Upper(const std::string& str) {
std::stringstream ss;
for (std::size_t i = 0; i < str.size(); i++)
{
const char c = str[i];
// Quick-accept: regular letters
if ((c >= 'a') && (c <= 'z'))
ss << (char)(c & ~32);
// Else: keep the character as is
else ss << c;
}
return ss.str();
}
std::vector<std::string> StringTools::Split(const std::string& str, const std::string& seperator) {
std::vector<std::string> toRet;
// Quick-accept: str length is 0
if (str.length() == 0)
toRet.push_back("");
// Quick-accept: seperator length is 0
else if (seperator.length() == 0) {
for (const char c : str)
toRet.push_back(std::string(&c, (&c) + 1));
}
else {
std::size_t idx = 0;
while (idx != std::string::npos) {
std::size_t lastIdx = idx;
idx = str.find(seperator, idx);
// Grab our substring until the next finding of sep
if (idx != std::string::npos) {
toRet.push_back(str.substr(
lastIdx,
idx - lastIdx
));
idx += seperator.length();
}
// No more seperator found. Grab the rest until the end of the string
else {
toRet.push_back(str.substr(
lastIdx
));
}
}
}
return toRet;
}
std::string StringTools::PadLeft(const std::string& str, const char pad, const std::size_t len) {
std::stringstream ss;
for (std::size_t i = str.length(); i < len; i++)
ss << pad;
ss << str;
return ss.str();
}
std::string StringTools::PadRight(const std::string& str, const char pad, const std::size_t len) {
std::stringstream ss;
ss << str;
for (std::size_t i = str.length(); i < len; i++)
ss << pad;
return ss.str();
}

43
Tubio/external_dependencies/leonetienne/stringtools/StringTools.h Normal file
View File

@ -0,0 +1,43 @@
#ifndef STRINGTOOLS_STRINGTOOLS_H
#define STRINGTOOLS_STRINGTOOLS_H
#include <string>
#include <vector>
/* Handy utensils to manipulate strings */
class StringTools
{
public:
//! Will replace every occurence of `find` in `str` by `subst`.
static std::string Replace(const std::string& str, const char find, const std::string& subst);
//! Will replace every occurence of `find` in `str` by `subst`.
static std::string Replace(const std::string& str, const std::string& find, const std::string& subst);
//! Will replace every occurence of `find` in `str` by `subst`.
static std::string Replace(const std::string& str, const char find, const char subst);
//! Will replace every occurence of `find` in `str` by `subst`.
static std::string Replace(const std::string& str, const std::string& find, const char subst);
//! Will make a string all-lowercase.
static std::string Lower(const std::string& str);
//! Will make a string all-uppercase.
static std::string Upper(const std::string& str);
//! Will split a string by a string seperator
static std::vector<std::string> Split(const std::string& str, const std::string& seperator);
//! Will pad a string to the left to length l
static std::string PadLeft(const std::string& str, const char pad, const std::size_t len);
//! Will pad a string to the right to length l
static std::string PadRight(const std::string& str, const char pad, const std::size_t len);
private:
// No instanciation! >:(
StringTools();
};
#endif //STRINGTOOLS_STRINGTOOLS_H

38
Tubio/main.cpp
View File

@ -1,7 +1,45 @@
#include "Framework.h"
#ifndef _WIN
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
void Deamonize() {
// Fork me, kernel-san :o
pid_t fork_res = fork();
// Error handling...
if (fork_res < 0) {
std::cerr << "Aww shit! Deamonizing failed! Couldn't get forked..." << std::endl;
exit(-1);
}
// Close launcher process...
if (fork_res > 0) {
std::cout << "Successfully spawned tubio daemon... Exiting launcher gracefully..." << std::endl;
exit(0);
}
// And set the daemon process free
if (setsid() < 0) {
std::cerr << "Aww shit! Deamonizing failed! Couldn't create new session..." << std::endl;
exit(-1);
}
}
#endif
int main()
{
#ifndef _WIN
// Deamonize();
#endif
Framework framework;
framework.Run();