New way to neutralize and sanitize

TelefonicaTC2Tech · Jan 16, 2024 · d08ea34 · d08ea34
1 parent b6fc400
commit d08ea34
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/steps/common/steps.go b/steps/common/steps.go
@@ -80,10 +80,11 @@ func (cs Steps) InitializeSteps(ctx context.Context, scenCtx *godog.ScenarioCont
 			return nil
 		}
 		domain := golium.ValueAsString(ctx, domainParam)
-		domainN := neutralize(domain)
+		domainN := neutralizeDomain(domain)
 
 		command := fmt.Sprintf("ping -c 1 %s | head -1 | grep -oe '[0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*'", domainN)
-		cmd := exec.Command("/bin/sh", "-c", command)
+		commandN := neutralize(command)
+		cmd := exec.Command("/bin/sh", "-c", commandN)
 		stdoutStderr, err := cmd.CombinedOutput()
 		if err != nil {
 			return fmt.Errorf("error executing `%s` command %v", cmd, string(stdoutStderr))
@@ -95,6 +96,12 @@ func (cs Steps) InitializeSteps(ctx context.Context, scenCtx *godog.ScenarioCont
 	return ctx
 }
 
+func neutralize(p string) string {
+	p = strings.ReplaceAll(p, "\r", "")
+	p = strings.ReplaceAll(p, "\n", "")
+	return p
+}
+
 // StoreValueInContext stores a value in golium.Context using the key name.
 func StoreValueInContext(ctx context.Context, name, value string) error {
 	golium.GetContext(ctx).Put(name, value)
@@ -183,7 +190,7 @@ func getLocalIP(ctx context.Context, key string, ipVersion IPVersion) error {
 }
 
 // Neutralization for unwanted command injections in domain string
-func neutralize(input string) string {
+func neutralizeDomain(input string) string {
 	pattern := "^(?:https?://)?(?:www.)?([^:/\n&=?¿\"!| %]+)"
 	regex := regexp.MustCompile(pattern)
 	domainN := regex.FindString(input)

diff --git a/steps/dns/session.go b/steps/dns/session.go
@@ -23,6 +23,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/AdguardTeam/dnsproxy/upstream"
@@ -153,7 +154,10 @@ func (s *Session) SendDoHQuery(
 			return err
 		}
 
-		u.RawQuery = sanitize(s.DoHQueryParams)
+		rawQuery := sanitize(s.DoHQueryParams)
+		rawQueryN := neutralize(rawQuery)
+		u.RawQuery = rawQueryN
+
 		request, err = http.NewRequest("POST", u.String(), bytes.NewReader(data))
 		if err != nil {
 			return err
@@ -298,3 +302,9 @@ func sanitize(queryParams map[string][]string) string {
 	}
 	return params.Encode()
 }
+
+func neutralize(p string) string {
+	p = strings.ReplaceAll(p, "\r", "")
+	p = strings.ReplaceAll(p, "\n", "")
+	return p
+}
diff --git a/steps/http/session.go b/steps/http/session.go
@@ -83,7 +83,8 @@ func (s *Session) URL() (*url.URL, error) {
 	//  * - Docs: https://pkg.go.dev/path#Join
 	//  */
 
-	u.RawQuery = sanitize(s.Request.QueryParams)
+	rawQueryN := sanitize(s.Request.QueryParams)
+	u.RawQuery = rawQueryN
 
 	return u, nil
 }