From e2c94544308b8f8c6c4d382256798899c9f4f579 Mon Sep 17 00:00:00 2001
From: Lukas Schulte Pelkum
Date: Sat, 17 Jun 2023 20:36:15 +0200
Subject: [PATCH] restrict paste metadata dimensions
---
 internal/maps/map_utils.go | 24 ++++++++++++++++++++++++
 internal/static/static.go | 6 ++++++
 internal/web/v2_end_create_paste.go | 7 +++++++
 internal/web/v2_end_modify_paste.go | 7 +++++++
 4 files changed, 44 insertions(+)
 create mode 100644 internal/maps/map_utils.go
 create mode 100644 internal/static/static.go
diff --git a/internal/maps/map_utils.go b/internal/maps/map_utils.go
new file mode 100644
index 0000000..2a79a81
--- /dev/null
+++ b/internal/maps/map_utils.go
@@ -0,0 +1,24 @@
+package maps
+
+func ExceedsDimensions(src map[string]any, width, depth int) bool {
+ if width < 0 || depth < 1 || len(src) > width {
+ return true
+ }
+
+ for _, value := range src {
+ childMap, ok := value.(map[string]any)
+ if !ok {
+ continue
+ }
+
+ if depth == 1 {
+ return true
+ }
+
+ if ExceedsDimensions(childMap, width, depth-1) {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/internal/static/static.go b/internal/static/static.go
new file mode 100644
index 0000000..77c4762
--- /dev/null
+++ b/internal/static/static.go
@@ -0,0 +1,6 @@
+package static
+
+var (
+ MaxMetadataWidth = 10
+ MaxMetadataDepth = 5
+)
diff --git a/internal/web/v2_end_create_paste.go b/internal/web/v2_end_create_paste.go
index e114043..d28e4fe 100644
--- a/internal/web/v2_end_create_paste.go
+++ b/internal/web/v2_end_create_paste.go
@@ -2,8 +2,11 @@ package web
 
 import (
 "encoding/json"
+ "fmt"
+ "github.com/lus/pasty/internal/maps"
 "github.com/lus/pasty/internal/pastes"
 "github.com/lus/pasty/internal/randx"
+ "github.com/lus/pasty/internal/static"
 "io"
 "net/http"
 "time"
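Review bot: ExceedsDimensions only descends into values that are `map[string]any` (the `childMap, ok := value.(map[string]any)` assertion skips everything else), so when the metadata is decoded by encoding/json, objects nested inside JSON arrays (`[]any`) are never visited, and neither the length of an array nor nesting through arrays counts against width or depth — the limit is therefore only partial for array-bearing metadata. A recursive helper that treats arrays as a nesting level too closes the gap while keeping the exported signature; sketch below. The exported function also lacks a doc comment; `// ExceedsDimensions reports whether src has more than width entries at any level or is nested deeper than depth levels.` would make the contract explicit.
```go
func ExceedsDimensions(src map[string]any, width, depth int) bool {
	if width < 0 || depth < 1 || len(src) > width {
		return true
	}
	for _, value := range src {
		if exceedsValue(value, width, depth) {
			return true
		}
	}
	return false
}

// exceedsValue applies the same limits to one nested value; objects and
// arrays both count as a nesting level, scalars never exceed.
func exceedsValue(value any, width, depth int) bool {
	switch v := value.(type) {
	case map[string]any:
		return depth == 1 || ExceedsDimensions(v, width, depth-1)
	case []any:
		if depth == 1 || len(v) > width {
			return true
		}
		for _, elem := range v {
			if exceedsValue(elem, width, depth-1) {
				return true
			}
		}
	}
	return false
}
```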
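Review bot: MaxMetadataWidth and MaxMetadataDepth are declared in a `var` block although nothing in this patch assigns them, so any importing package can change the limits at run time; unless they are meant to be overridden from configuration later, `const (` keeps the limits immutable and lets the compiler fold them at the call sites. Both exported names also lack doc comments, e.g. `// MaxMetadataWidth is the maximum number of entries allowed at any one level of paste metadata.` and `// MaxMetadataDepth is the maximum number of nested object levels allowed in paste metadata.`.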
@@ -34,6 +37,10 @@ func (server *Server) v2EndpointCreatePaste(writer http.ResponseWriter, request
 writeString(writer, http.StatusBadRequest, "too large paste content")
 return
 }
+ if payload.Metadata != nil && maps.ExceedsDimensions(payload.Metadata, static.MaxMetadataWidth, static.MaxMetadataDepth) {
+ writeString(writer, http.StatusBadRequest, fmt.Sprintf("metadata exceeds maximum dimensions (max. width: %d; max. depth: %d)", static.MaxMetadataWidth, static.MaxMetadataDepth))
+ return
+ }
 
 id, err := pastes.GenerateID(request.Context(), server.Storage.Pastes(), server.PasteIDCharset, server.PasteIDLength)
 if err != nil {
diff --git a/internal/web/v2_end_modify_paste.go b/internal/web/v2_end_modify_paste.go
index 6c58882..d7e8937 100644
--- a/internal/web/v2_end_modify_paste.go
+++ b/internal/web/v2_end_modify_paste.go
@@ -2,7 +2,10 @@ package web
 
 import (
 "encoding/json"
+ "fmt"
+ "github.com/lus/pasty/internal/maps"
 "github.com/lus/pasty/internal/pastes"
+ "github.com/lus/pasty/internal/static"
 "io"
 "net/http"
 )
@@ -38,6 +41,10 @@ func (server *Server) v2EndpointModifyPaste(writer http.ResponseWriter, request
 writeString(writer, http.StatusBadRequest, "too large paste content")
 return
 }
+ if payload.Metadata != nil && maps.ExceedsDimensions(payload.Metadata, static.MaxMetadataWidth, static.MaxMetadataDepth) {
+ writeString(writer, http.StatusBadRequest, fmt.Sprintf("metadata exceeds maximum dimensions (max. width: %d; max. depth: %d)", static.MaxMetadataWidth, static.MaxMetadataDepth))
+ return
+ }
 
 // Modify the paste itself
 if payload.Content != nil {
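Review bot: The metadata check and its 400 response are duplicated verbatim in v2EndpointCreatePaste here and in the v2EndpointModifyPaste hunk below, including the long Sprintf message, so the two copies will drift the next time the limits or the wording change; a small helper in the web package that performs the check and writes the response keeps a single copy, sketch below. Both enclosing handlers start and end outside their hunks. Note that the new limit is structural only — it bounds entry count and nesting, not the byte length of keys or string values — so metadata size remains bounded only by whatever cap is applied to the request body before decoding, which is not visible in this hunk.
```go
// rejectOversizedMetadata writes a 400 response when metadata exceeds the
// configured dimensions and reports whether it did so, so handlers can return early.
func rejectOversizedMetadata(writer http.ResponseWriter, metadata map[string]any) bool {
	if metadata == nil || !maps.ExceedsDimensions(metadata, static.MaxMetadataWidth, static.MaxMetadataDepth) {
		return false
	}
	writeString(writer, http.StatusBadRequest, fmt.Sprintf("metadata exceeds maximum dimensions (max. width: %d; max. depth: %d)", static.MaxMetadataWidth, static.MaxMetadataDepth))
	return true
}

// … in v2EndpointCreatePaste and v2EndpointModifyPaste, replacing the added block:
if rejectOversizedMetadata(writer, payload.Metadata) {
	return
}
```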