fiware-orion
[BUG] in POST v2/subscriptions, in entities idPattern field invalid chars are allowed
Dataset
| type |
|-------------|
| house<flat> |
| house=flat |
| house"flat" |
| house'flat' |
| house;flat |
| house(flat) |
| house_? |
| house_& |
| house_/ |
| house_# |
| my house |
subscription request

```http
POST http://localhost:1026/v2/subscriptions
Content-Type: application/json
Fiware-Service: test_entities_id_pattern_error
Fiware-ServicePath: /test

{"notification": {"callback": "http://localhost:1234", "attributes": ["temperature_0"]}, "expires": "2016-04-05T14:00:00.00Z", "subject": {"entities": [{"idPattern": "house_#"}], "condition": {"attributes": ["temperature"]}}}
```
subscription response

```
http code: 201
date: Thu, 31 Mar 2016 13:27:53 GMT
connection: Keep-Alive
content-length: 0
location: /v2/subscriptions/56fd25d960d22fce8ecedf28
```
docs in mongoDB

```
{ "_id" : ObjectId("56fd25d360d22fce8ecedf1f"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house<flat>", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d460d22fce8ecedf20"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house=flat", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d460d22fce8ecedf21"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house\"flat\"", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d560d22fce8ecedf22"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house'flat'", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d660d22fce8ecedf23"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house;flat", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d660d22fce8ecedf24"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house(flat)", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d760d22fce8ecedf25"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house_?", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d860d22fce8ecedf26"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house_&", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d860d22fce8ecedf27"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house_/", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d960d22fce8ecedf28"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "house_#", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
{ "_id" : ObjectId("56fd25d960d22fce8ecedf29"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "throttling" : NumberLong(0), "servicePath" : "/test", "entities" : [ { "id" : "my house", "isPattern" : "true" } ], "attrs" : [ "temperature_0" ], "conditions" : [ { "type" : "ONCHANGE", "value" : [ "temperature" ] } ], "expression" : { "q" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "JSON" }
```

expected response

```
http code: 400
{"error":"BadRequest","description":"Invalid characters in entities idPattern"}
```
IdPattern is a regular expression, should not have the same restrictions as id
> IdPattern is a regular expression, should not have the same restrictions as id

+1
OK, but forbidden characters should be avoided, to avoid script injection attacks (security). These cases:
| type |
|-------------|
| house<flat> |
| house=flat |
| house"flat" |
| house'flat' |
| house;flat |
| house(flat) |
Checking is done by regcomp() in the first layer at Orion code, thus avoiding any injection attack. I'd suggest to re-orient the test in order to test with invalid regex and check that Orion is able to return the proper error in these cases.
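To make the distinction in the comment above concrete, here is an added example (not Orion's own code; the function and struct names are hypothetical) of the two validation paths a `POST /v2/subscriptions` handler would apply to one entry of the `entities` array: a plain `id` is screened against the forbidden characters listed in the thread, while an `idPattern` is a regular expression whose only check is that `regcomp()` accepts it, so a broken pattern such as `house(flat` yields the 400 and a literal-looking one such as `house<flat>` is a legal pattern that simply matches that text. The `patternMatches()` helper shows the latter, and that `regexec()` matching is unanchored.

```cpp
#include <cstdio>
#include <regex.h>
#include <string>

// Added example, not Orion's own code. Models the two validation paths the
// thread describes: a plain entity id is screened for forbidden characters,
// an idPattern is a POSIX extended regex that only has to compile.

// The characters the thread lists as needing to be rejected in a plain id.
static const std::string kForbiddenIdChars = "<>\"'=;()";

// Returns "" when the plain id is acceptable, otherwise an error description.
std::string checkEntityId(const std::string& id)
{
    if (id.empty())
    {
        return "entity id is empty";
    }
    for (char c : id)
    {
        if (kForbiddenIdChars.find(c) != std::string::npos)
        {
            return std::string("forbidden character '") + c + "' in entity id";
        }
    }
    return "";
}

// Returns "" when the pattern compiles as a POSIX extended regex, otherwise
// the message regerror() produces (e.g. for an unbalanced parenthesis).
std::string checkIdPattern(const std::string& pattern)
{
    regex_t re;
    int rc = regcomp(&re, pattern.c_str(), REG_EXTENDED | REG_NOSUB);
    if (rc != 0)
    {
        char buf[256];
        regerror(rc, &re, buf, sizeof(buf));
        return std::string("invalid regex in idPattern: ") + buf;
    }
    regfree(&re);
    return "";
}

// Pattern semantics: "house<flat>" as a pattern matches the id "house<flat>",
// because '<' and '>' are ordinary characters in POSIX ERE. The search is
// unanchored, as regexec() is, unless the pattern itself uses ^ and $.
bool patternMatches(const std::string& pattern, const std::string& id)
{
    regex_t re;
    if (regcomp(&re, pattern.c_str(), REG_EXTENDED | REG_NOSUB) != 0)
    {
        return false;
    }
    int rc = regexec(&re, id.c_str(), 0, nullptr, 0);
    regfree(&re);
    return rc == 0;
}

// One entry of a subscription's "entities" array: exactly one of id /
// idPattern is expected to be set.
struct EntitySelector
{
    std::string id;
    std::string idPattern;
};

// Returns the HTTP status the request should get (201 or 400) and fills err
// with the description for a BadRequest.
int validateEntitySelector(const EntitySelector& sel, std::string& err)
{
    if (sel.id.empty() == sel.idPattern.empty())
    {
        err = "exactly one of id or idPattern must be given";
        return 400;
    }
    err = sel.id.empty() ? checkIdPattern(sel.idPattern) : checkEntityId(sel.id);
    return err.empty() ? 201 : 400;
}

int main()
{
    const EntitySelector cases[] = {
        {"house<flat>", ""},   // plain id with a forbidden char -> 400
        {"", "house<flat>"},   // same text as a pattern -> 201
        {"", "house(flat"},    // broken regex -> 400
    };
    for (const EntitySelector& c : cases)
    {
        std::string err;
        int code = validateEntitySelector(c, err);
        std::printf("%d %s\n", code, err.empty() ? "created" : err.c_str());
    }
    return 0;
}
```

The design point is that the forbidden-character list applies to values that are later used literally (ids, types, attribute names), whereas a pattern is never used literally: it is compiled, and the compile step itself is the validation. Any re-oriented test for this issue should therefore send patterns that fail to compile and assert on the 400, rather than on the character set.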
Re-tested in the CB version. The issue still fails and returns 201-Created:

```
"version" : "1.2.0-next",
"git_hash" : "d81dcf28e71d8d63dc0929ef7a6b73d7db47421b"
```
Re-tested in the CB version. The issue still fails and returns 201-Created in each case of the dataset.

```
"version" : "1.6.0-next",
"git_hash" : "e8a4ced4a17adfce9317064a28be1f1840a0ed82"
```
dataset:
| id_pattern |
|-------------|
| house<flat> |
| house=flat |
| house"flat" |
| house'flat' |
| house;flat |
| house(flat) |
mongo docs

```
{ "_id" : ObjectId("5881e6d67f9f18a86f60dc39"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house<flat>", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
{ "_id" : ObjectId("5881e6d77f9f18a86f60dc3a"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house=flat", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
{ "_id" : ObjectId("5881e6d77f9f18a86f60dc3b"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house\"flat\"", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
{ "_id" : ObjectId("5881e6d77f9f18a86f60dc3c"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house'flat'", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
{ "_id" : ObjectId("5881e6d77f9f18a86f60dc3d"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house;flat", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
{ "_id" : ObjectId("5881e6d77f9f18a86f60dc3e"), "expiration" : NumberLong(1459864800), "reference" : "http://localhost:1234", "custom" : false, "throttling" : NumberLong(0), "servicePath" : "/test", "status" : "active", "entities" : [ { "id" : "house(flat)", "isPattern" : "true" } ], "attrs" : [ "temperature" ], "metadata" : [ ], "blacklist" : false, "conditions" : [ "temperature" ], "expression" : { "q" : "", "mq" : "", "geometry" : "", "coords" : "", "georel" : "" }, "format" : "normalized" }
```
Hello @fgalan sir, I would like to contribute on this issue. Please confirm if this issue needs to be fixed?
@Aniket-NEC thank you for your willingness to work on this issue!
First should be to check if the issue is still happening. From existing comments:
> Checking is done by regcomp() in the first layer at Orion code, thus avoiding any injection attack. I'd suggest to re-orient the test in order to test with invalid regex and check that Orion is able to return the proper error in these cases.
I'd suggest to test it as described above in order to check if the issue is still there or not.