Merge pull request #1795 from telefonicaid/hardening/1793_forbidden_i…

…d_chars_in_uri

Check forbidden chars for ids/attr names in URIs

CHANGES_NEXT_RELEASE

@@ -17,4 +17,4 @@
 - Add: support for geo:point type as a way of specifying location attribute in NGSIv2 (Issue #1038)
 - Add: type param for PUT entity in v2 (Issue #988, #992, #1000)
 - Fix: not detecting forbidden chars in entityID for PATCH v2 (Issue #1782)
-
+- Add: detect forbidden chars in entity ids and attr names in URI (Issue #1793)

src/lib/common/errorMessages.h

@@ -27,6 +27,6 @@
 */
 
 #define MORE_MATCHING_ENT "More than one matching entity. Please refine your query"
-
+#define INVAL_CHAR_URI    "invalid character in URI"
 
 #endif // SRC_LIB_COMMON_ERRORMESSAGES_H

src/lib/serviceRoutinesV2/deleteEntity.cpp

@@ -27,6 +27,7 @@
 
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
+#include "common/errorMessages.h"
 
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
@@ -36,6 +37,8 @@
 #include "apiTypesV2/ErrorCode.h"
 #include "serviceRoutinesV2/deleteEntity.h"
 #include "serviceRoutines/postUpdateContext.h"
+#include "parse/forbiddenChars.h"
+
 
 
 /* ****************************************************************************
@@ -68,6 +71,12 @@ std::string deleteEntity
   eP->id   = compV[2];
   eP->type = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
   if (compV.size() == 5)  // Deleting an attribute
   {
     ContextAttribute *ca = new ContextAttribute;

src/lib/serviceRoutinesV2/getEntity.cpp

@@ -28,14 +28,16 @@
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
 #include "common/string.h"
+#include "common/errorMessages.h"
 
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
 #include "apiTypesV2/Entities.h"
 #include "rest/EntityTypeInfo.h"
 #include "serviceRoutinesV2/getEntities.h"
 #include "serviceRoutines/postQueryContext.h"
-
+#include "rest/OrionError.h"
+#include "parse/forbiddenChars.h"
 
 
 /* ****************************************************************************
@@ -64,6 +66,12 @@ std::string getEntity
    std::string attrs  = ciP->uriParam["attrs"];
    std::string type   = ciP->uriParam["type"];
 
+   if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+   {
+     OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+     return oe.render(ciP, "");
+   }
+
   // Fill in QueryContextRequest
   parseDataP->qcr.res.fill(compV[2], type, "false", EntityTypeEmptyOrNotEmpty, "");
 

src/lib/serviceRoutinesV2/getEntityAttribute.cpp

@@ -27,15 +27,16 @@
 
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
+#include "common/errorMessages.h"
 
 #include "apiTypesV2/Attribute.h"
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
 #include "rest/EntityTypeInfo.h"
 #include "serviceRoutines/postQueryContext.h"
 #include "serviceRoutinesV2/getEntityAttribute.h"
-
-
+#include "parse/forbiddenChars.h"
+#include "rest/OrionError.h"
 
 /* ****************************************************************************
 *
@@ -64,6 +65,17 @@ std::string getEntityAttribute
   std::string  answer;
   Attribute    attribute;
 
+  if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
+  if (forbiddenIdChars(ciP->apiVersion, compV[4].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
 
   // 01. Fill in QueryContextRequest
   parseDataP->qcr.res.fill(compV[2], type, "false", EntityTypeEmptyOrNotEmpty, "");

src/lib/serviceRoutinesV2/getEntityAttributeValue.cpp

@@ -36,6 +36,8 @@
 #include "rest/EntityTypeInfo.h"
 #include "serviceRoutines/postQueryContext.h"
 #include "serviceRoutinesV2/getEntityAttribute.h"
+#include "parse/forbiddenChars.h"
+#include "rest/OrionError.h"
 
 
 
@@ -65,6 +67,18 @@ std::string getEntityAttributeValue
   std::string  type       = ciP->uriParam["type"];
   bool         text       = (ciP->uriParamOptions["options"] == true || ciP->outFormat == TEXT);
 
+  if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
+  if (forbiddenIdChars(ciP->apiVersion, compV[4].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
   // Fill in QueryContextRequest
   parseDataP->qcr.res.fill(compV[2], type, "false", EntityTypeEmptyOrNotEmpty, "");
 

src/lib/serviceRoutinesV2/postEntity.cpp

@@ -30,6 +30,7 @@
 
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
+#include "common/errorMessages.h"
 
 #include "apiTypesV2/Entities.h"
 #include "ngsi/ParseData.h"
@@ -38,7 +39,7 @@
 #include "rest/OrionError.h"
 #include "serviceRoutinesV2/postEntity.h"
 #include "serviceRoutines/postUpdateContext.h"
-
+#include "parse/forbiddenChars.h"
 
 
 /* ****************************************************************************
@@ -67,6 +68,12 @@ std::string postEntity
   eP->id   = compV[2];
   eP->type = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
   if (ciP->uriParamOptions["append"] == true) // pure-append
   {
     op = "APPEND_STRICT";

src/lib/serviceRoutinesV2/putEntity.cpp

@@ -36,7 +36,7 @@
 #include "serviceRoutinesV2/putEntity.h"
 #include "serviceRoutines/postUpdateContext.h"
 #include "rest/OrionError.h"
-
+#include "parse/forbiddenChars.h"
 
 
 /* ****************************************************************************
@@ -71,6 +71,12 @@ std::string putEntity
   eP->id   = compV[2];
   eP->type = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, compV[2].c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
   // 01. Fill in UpdateContextRequest
   parseDataP->upcr.res.fill(eP, "REPLACE");
 

src/lib/serviceRoutinesV2/putEntityAttribute.cpp

@@ -27,13 +27,15 @@
 
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
+#include "common/errorMessages.h"
 
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
 #include "rest/EntityTypeInfo.h"
 #include "serviceRoutines/postUpdateContext.h"
 #include "serviceRoutinesV2/putEntityAttribute.h"
 #include "rest/OrionError.h"
+#include "parse/forbiddenChars.h"
 
 
 
@@ -66,6 +68,18 @@ std::string putEntityAttribute
   std::string  attributeName  = compV[4];
   std::string  type           = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, entityId.c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
+  if (forbiddenIdChars(ciP->apiVersion, attributeName.c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
   // 01. Fill in UpdateContextRequest from URL and payload
   parseDataP->attr.attribute.name = attributeName;
 

src/lib/serviceRoutinesV2/putEntityAttributeValue.cpp

@@ -33,7 +33,8 @@
 #include "rest/EntityTypeInfo.h"
 #include "serviceRoutines/postUpdateContext.h"
 #include "serviceRoutinesV2/putEntityAttributeValue.h"
-
+#include "rest/OrionError.h"
+#include "parse/forbiddenChars.h"
 
 
 /* ****************************************************************************
@@ -64,6 +65,17 @@ std::string putEntityAttributeValue
   std::string  attributeName  = compV[4];
   std::string  type           = ciP->uriParam["type"];
 
+  if (forbiddenIdChars(ciP->apiVersion, entityId.c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
+
+  if (forbiddenIdChars(ciP->apiVersion, attributeName.c_str() , NULL))
+  {
+    OrionError oe(SccBadRequest, INVAL_CHAR_URI);
+    return oe.render(ciP, "");
+  }
 
   // 01. Fill in UpdateContextRequest with data from URI and payload
   parseDataP->av.attribute.name = attributeName;