From c73d875661b96789047dd5cdccff82f1f639924d Mon Sep 17 00:00:00 2001
From: Jan Odvarko
Date: Wed, 12 Feb 2020 11:52:30 +0000
Subject: [PATCH] Bug 1607742 - Escape method argument r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D60413
--HG--
extra : moz-landing-system : lando
---
devtools/client/shared/curl.js | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
index 30d8382..6d862be 100644
--- a/devtools/client/shared/curl.js
+++ b/devtools/client/shared/curl.js
@@ -59,6 +59,17 @@ const Curl = {
const utils = CurlUtils;
let command = ["curl"];
+ // Make sure to use the following helpers to sanitize arguments before execution.
+ const addParam = value => {
+ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+ command.push(safe);
+ };
+
+ const addPostData = value => {
+ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+ postData.push(safe);
+ };
+
const ignoredHeaders = new Set();
// The cURL command is expected to run on the same platform that Firefox runs
@@ -67,7 +78,7 @@ const Curl = {
utils.escapeStringWin : utils.escapeStringPosix;
// Add URL.
- command.push(escapeString(data.url));
+ addParam(data.url);
let postDataText = null;
const multipartRequest = utils.isMultipartRequest(data);
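Review bot: `addParam` and `addPostData` each re-state the pass-through test `/^[a-zA-Z-]+$/` and the escape-or-pass decision, so the definition of what may be emitted unquoted lives in two places and can drift apart. A single `const sanitize = value => (/^[a-zA-Z-]+$/.test(value) ? value : escapeString(value));` with `const addParam = value => command.push(sanitize(value));` and `const addPostData = value => postData.push(sanitize(value));` keeps one definition. The leading comment could also say why the pass-through is acceptable, e.g. `// Strings of ASCII letters and hyphens (curl flags, plain HTTP methods) contain no shell metacharacters and are emitted verbatim; everything else goes through the platform-specific escapeString.` Both helpers close over `escapeString`, which the next hunk shows is assigned below them; that only works because neither helper is called before that assignment, which is worth a one-line comment. The enclosing method of `Curl` begins before the hunk and continues after it.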
@@ -77,15 +88,15 @@ const Curl = {
if (utils.isUrlEncodedRequest(data) || ["PUT", "POST", "PATCH"].includes(data.method)) {
postDataText = data.postDataText;
- postData.push("--data");
- postData.push(escapeString(utils.writePostDataTextParams(postDataText)));
+ addPostData("--data");
+ addPostData(utils.writePostDataTextParams(postDataText));
ignoredHeaders.add("content-length");
} else if (multipartRequest) {
postDataText = data.postDataText;
- postData.push("--data-binary");
+ addPostData("--data-binary");
const boundary = utils.getMultipartBoundary(data);
const text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
- postData.push(escapeString(text));
+ addPostData(text);
ignoredHeaders.add("content-length");
}
// curl generates the host header itself based on the given URL
@@ -95,13 +106,13 @@ const Curl = {
// For servers that supports HEAD.
// This will fetch the header of a document only.
if (data.method == "HEAD") {
- command.push("-I");
+ addParam("-I");
} else if (!(data.method == "GET" || data.method == "POST")) {
// Add method.
// For HEAD, GET and POST requests this is not necessary. GET is the
// default, if --data or --binary is added POST is used, -I implies HEAD.
- command.push("-X");
- command.push(data.method);
+ addParam("-X");
+ addParam(data.method);
}
// Add request headers.
@@ -113,14 +124,14 @@ const Curl = {
for (let i = 0; i < headers.length; i++) {
const header = headers[i];
if (header.name.toLowerCase() === "accept-encoding") {
- command.push("--compressed");
+ addParam("--compressed");
continue;
}
if (ignoredHeaders.has(header.name.toLowerCase())) {
continue;
}
- command.push("-H");
- command.push(escapeString(header.name + ": " + header.value));
+ addParam("-H");
+ addParam(header.name + ": " + header.value);
}
// Add post data.
--
2.23.0
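Review bot: The escaping of the method at `addParam(data.method)` in the `-X` branch is the fix this commit exists for, yet the diffstat shows only curl.js changing, so no regression test pins it. A test that builds a command from a request whose method contains whitespace or a quote character, asserts that the emitted method is what the platform `escapeString` produces, and also checks that a plain token such as `PATCH` is still emitted bare (as the pass-through regex in `addParam` intends) would keep the bug from returning. The `addParam` helper applies the same letters-and-hyphens pass-through to every argument, so the method is only ever emitted unquoted when it contains no shell metacharacters; a one-line comment at this call site saying so would spare the next reader a trip back to the helper. The enclosing method of `Curl` begins before this hunk and continues after it.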