mirror of https://github.com/bitwarden/server.git synced 2024-11-22 12:15:36 +01:00

sanitize notification hub tag inputs (#1697)

Kyle Spearrin 2021-11-09 11:25:18 -05:00 committed by GitHub
parent fcc1a4e10c
commit 2f0638ce8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -11,6 +11,7 @@ using Bit.Core.Models;
using Bit.Core.Models.Data;
using Bit.Core.Repositories;
using Bit.Core.Settings;
using System.Text.RegularExpressions;
namespace Bit.Core.Services
{
@ -181,7 +182,7 @@ namespace Bit.Core.Services
public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
string deviceId = null)
{
var tag = BuildTag($"template:payload_userId:{userId}", identifier);
var tag = BuildTag($"template:payload_userId:{SanitizeTagInput(userId)}", identifier);
await SendPayloadAsync(tag, type, payload);
if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
{
@ -192,7 +193,7 @@ namespace Bit.Core.Services
public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
string deviceId = null)
{
var tag = BuildTag($"template:payload && organizationId:{orgId}", identifier);
var tag = BuildTag($"template:payload && organizationId:{SanitizeTagInput(orgId)}", identifier);
await SendPayloadAsync(tag, type, payload);
if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
{
@ -216,7 +217,7 @@ namespace Bit.Core.Services
{
if (!string.IsNullOrWhiteSpace(identifier))
{
tag += $" && !deviceIdentifier:{identifier}";
tag += $" && !deviceIdentifier:{SanitizeTagInput(identifier)}";
}
return $"({tag})";
@ -231,5 +232,11 @@ namespace Bit.Core.Services
{ "payload", JsonConvert.SerializeObject(payload) }
}, tag);
}
private string SanitizeTagInput(string input)
{
// Only allow a-z, A-Z, 0-9, and special characters -_:
return Regex.Replace(input, "[^a-zA-Z0-9-_:]", string.Empty);
}
}
}
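Review bot: SanitizeTagInput hands `input` directly to `Regex.Replace`, which throws ArgumentNullException on null, and only `identifier` is guarded (by the `IsNullOrWhiteSpace` check in BuildTag); `userId` and `orgId` reach it unchecked in the visible lines of SendPayloadToUserAsync and SendPayloadToOrganizationAsync, whose bodies continue outside the hunks. A guard such as `if (string.IsNullOrEmpty(input)) return string.Empty;`, or rejecting the call outright, would keep a missing id from surfacing as an exception in the push path. Stripping characters also silently turns a malformed id into a different, valid-looking tag value; if these ids are always GUIDs (an inference, not shown here), validating the value and refusing to send is safer than sending to the rewritten tag. Minor: in `[^a-zA-Z0-9-_:]` the hyphen sits mid-class right after a range; `[^a-zA-Z0-9_:-]` makes the literal hyphen unambiguous to the next reader.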