nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-06 05:28:15 -05:00
Code

sanitize notification hub tag inputs (#1697)

Browse Source
This commit is contained in:
Kyle Spearrin 2021-11-09 11:25:18 -05:00 committed by GitHub
parent fcc1a4e10c
commit 2f0638ce8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Core/Services/Implementations/NotificationHubPushNotificationService.cs
View File

@ -11,6 +11,7 @@ using Bit.Core.Models;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Settings; using Bit.Core.Settings;
using System.Text.RegularExpressions;
namespace Bit.Core.Services namespace Bit.Core.Services
{ {
@ -181,7 +182,7 @@ namespace Bit.Core.Services
public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier, public async Task SendPayloadToUserAsync(string userId, PushType type, object payload, string identifier,
string deviceId = null) string deviceId = null)
{ {
var tag = BuildTag($"template:payload_userId:{userId}", identifier); var tag = BuildTag($"template:payload_userId:{SanitizeTagInput(userId)}", identifier);
await SendPayloadAsync(tag, type, payload); await SendPayloadAsync(tag, type, payload);
if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId)) if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
{ {
@ -192,7 +193,7 @@ namespace Bit.Core.Services
public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier, public async Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string identifier,
string deviceId = null) string deviceId = null)
{ {
var tag = BuildTag($"template:payload && organizationId:{orgId}", identifier); var tag = BuildTag($"template:payload && organizationId:{SanitizeTagInput(orgId)}", identifier);
await SendPayloadAsync(tag, type, payload); await SendPayloadAsync(tag, type, payload);
if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId)) if (InstallationDeviceEntity.IsInstallationDeviceId(deviceId))
{ {
@ -216,7 +217,7 @@ namespace Bit.Core.Services
{ {
if (!string.IsNullOrWhiteSpace(identifier)) if (!string.IsNullOrWhiteSpace(identifier))
{ {
tag += $" && !deviceIdentifier:{identifier}"; tag += $" && !deviceIdentifier:{SanitizeTagInput(identifier)}";
} }
return $"({tag})"; return $"({tag})";
@ -231,5 +232,11 @@ namespace Bit.Core.Services
{ "payload", JsonConvert.SerializeObject(payload) } { "payload", JsonConvert.SerializeObject(payload) }
}, tag); }, tag);
} }
private string SanitizeTagInput(string input)
{
// Only allow a-z, A-Z, 0-9, and special characters -_:
return Regex.Replace(input, "[^a-zA-Z0-9-_:]", string.Empty);
}
} }
} }