Validate edit locally token before sending to server

Signed-off-by: Claudio Cambra <[email protected]>
nextcloud · Oct 25, 2022 · df53ad1 · df53ad1
1 parent 5a861ed
commit df53ad1
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/src/gui/folderman.cpp b/src/gui/folderman.cpp
@@ -27,6 +27,8 @@
 #include <pushnotifications.h>
 #include <syncengine.h>
 
+#include <iostream>
+
 #ifdef Q_OS_MAC
 #include <CoreServices/CoreServices.h>
 #endif
@@ -1498,7 +1500,18 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
         showError(accountFound, tr("Could not find a folder to sync."), relPath);
         return;
     }
-
+
+    // Token is an alphanumeric string 128 chars long.
+    // Ensure that is what we received and what we are sending to the server.
+    const QRegularExpression tokenRegex("^[a-zA-Z0-9]{128}$");
+    const auto regexMatch = tokenRegex.match(token);
+
+    // Means invalid token type received, be cautious with bad token
+    if(!regexMatch.hasMatch()) {
+        showError(accountFound, tr("Invalid token received:"), token);
+        return;
+    }
+
     const auto relPathSplit = relPath.split(QLatin1Char('/'));
     if (relPathSplit.size() > 0) {
         Systray::instance()->createEditFileLocallyLoadingDialog(relPathSplit.last());
@@ -1507,7 +1520,9 @@ void FolderMan::editFileLocally(const QString &userId, const QString &relPath, c
         return;
     }
 
-    const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(token));
+    // Sanitise the token
+    const auto encodedToken = QString(QUrl::toPercentEncoding(token));
+    const auto checkTokenForEditLocally = new SimpleApiJob(accountFound->account(), QStringLiteral("/ocs/v2.php/apps/files/api/v1/openlocaleditor/%1").arg(encodedToken));
     checkTokenForEditLocally->setVerb(SimpleApiJob::Verb::Post);
     checkTokenForEditLocally->setBody(QByteArray{"path=/"}.append(relPath.toUtf8()));
     connect(checkTokenForEditLocally, &SimpleApiJob::resultReceived, checkTokenForEditLocally, [this, folderForFile, localFilePath, showError, accountFound, relPath] (int statusCode) {