
dispenser: add input validation #4713

Merged: 1 commit, Nov 1, 2022

Conversation

@algolucky (Contributor) commented Oct 31, 2022

Summary

  • adds some input validation to dispenser,
    • by first sanitizing the string to encode HTML tags
    • then a quick regular expression test to make sure it's at least something that resembles a wallet/address
  • moves the template to a separate file and embeds it instead
  • does some encoding on the server side to strip out any HTML tags
  • updates onload to use text() instead of html()

References
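The client-side flow the summary above describes (encode the query value, check that it looks like an address, write it to the page as text rather than markup), as an added example. This is not code from the PR or from the go-algorand dispenser; the function names `htmlEncode`, `parseAccount` and `render`, the constructed query strings and the plain object standing in for a DOM element are assumptions made for the illustration.

```javascript
// Added example, not the PR's own code: encode, validate with an anchored
// pattern, then render via textContent. Names and sample inputs are assumptions.

// HTML-encode the characters that can start markup or break out of an
// attribute, for the case where the value is interpolated into an HTML string.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Anchored: the whole value must be exactly 58 upper-case alphanumerics.
// Without ^ and $ the same pattern also accepts markup followed by a
// valid-looking 58-character run, because a substring match is enough.
const ACCOUNT_PATTERN = /^[A-Z0-9]{58}$/;

// Parse and validate the `account` query parameter. Returns a result object
// rather than throwing so the caller can render a message for every outcome.
function parseAccount(search) {
  const raw = new URLSearchParams(search).get('account'); // null when absent
  if (raw === null) {
    return { ok: false, reason: 'missing' };
  }
  if (!ACCOUNT_PATTERN.test(raw)) {
    // The encoded copy is safe to place into an HTML string if a template needs it.
    return { ok: false, reason: 'malformed', encoded: htmlEncode(raw) };
  }
  return { ok: true, account: raw };
}

// Write the outcome into a node via textContent, the equivalent of jQuery's
// .text(): the browser treats the value as data, not markup, so even a value
// that slipped past validation could not execute.
function render(node, search) {
  const result = parseAccount(search);
  node.textContent = result.ok
    ? `Dispensing to ${result.account}`
    : `Invalid account parameter (${result.reason})`;
  return node.textContent;
}

// Stand-alone demonstration with constructed inputs; a plain object stands in
// for the DOM element so this runs under Node as well as in a browser.
const demoNode = { textContent: '' };
const goodQuery = '?account=' + 'A'.repeat(58);
const badQuery = '?account=<script>alert(1)</script>' + 'A'.repeat(58);
console.log(render(demoNode, goodQuery));
console.log(render(demoNode, badQuery));
console.log(htmlEncode('<script>alert(1)</script>'));
```

The pattern is the PR's own `[A-Z0-9]{58}`, only anchored at both ends; it is a shape check and does not verify the address checksum, so a malformed-but-well-shaped value still reaches the server, which is why the server-side encoding the summary mentions matters as well.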

codecov bot commented Oct 31, 2022

Codecov Report

Merging #4713 (456f0d9) into master (ab87a8a) will decrease coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #4713      +/-   ##
==========================================
- Coverage   54.49%   54.44%   -0.06%     
==========================================
  Files         407      407              
  Lines       52425    52425              
==========================================
- Hits        28569    28542      -27     
- Misses      21472    21492      +20     
- Partials     2384     2391       +7     
Impacted Files Coverage Δ
ledger/voters.go 68.65% <0.00%> (-4.48%) ⬇️
network/wsPeer.go 66.50% <0.00%> (-2.67%) ⬇️
crypto/merkletrie/trie.go 66.42% <0.00%> (-2.19%) ⬇️
crypto/merkletrie/node.go 91.62% <0.00%> (-1.87%) ⬇️
ledger/catchpointtracker.go 61.84% <0.00%> (-1.05%) ⬇️
ledger/acctonline.go 77.60% <0.00%> (-0.53%) ⬇️
ledger/accountdb.go 72.69% <0.00%> (-0.32%) ⬇️
network/wsNetwork.go 65.52% <0.00%> (ø)
ledger/testing/randomAccounts.go 56.21% <0.00%> (ø)
ledger/acctupdates.go 69.89% <0.00%> (+0.29%) ⬆️
... and 4 more


const queryString = window.location.search;
const urlParams = new URLSearchParams(queryString);
const account = sanitize(urlParams.get('account'))
const pattern = /[A-Z0-9]{58}/
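Review bot: the pattern on the last line, `/[A-Z0-9]{58}/`, is unanchored, so it tests true for any string that merely contains a 58-character run of upper-case alphanumerics, with arbitrary text before or after it; anchor it as `/^[A-Z0-9]{58}$/` so the whole value has to match. It would also be clearer to test the raw `urlParams.get('account')` value and only then encode it for display, and since `get` returns null when the parameter is absent, confirm that `sanitize` handles null rather than coercing it to the string "null".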

@excalq (Contributor) previously approved these changes Oct 31, 2022 and left a comment:


Good on you for pulling this HTML template out of the server side code.

@algolucky (Contributor, Author) replied:

@excalq I mainly did it because it didn't like embedded backticks, but it's also cleaner.

@algolucky algolucky force-pushed the fix/dispenser branch 4 times, most recently from 25d3702 to 7fba75f Compare November 1, 2022 14:33
@algolucky algolucky marked this pull request as ready for review November 1, 2022 14:52
5 participants