Merge pull request #2467 from suvajit-sarkar/develop
fix(indy): add func to prevent injection in indy identity gen script
sownak authored Jan 4, 2024
2 parents c9fe792 + caf85bd commit 1f74ef1
Showing 2 changed files with 53 additions and 11 deletions.
Expand Up @@ -5,6 +5,7 @@
import string
import ujson as json
import base58
import re

from crypto.bls.bls_crypto import BlsGroupParamsLoader
from crypto.bls.bls_factory import BlsFactoryCrypto
Expand Down Expand Up @@ -256,7 +257,7 @@ def process_data(self, vault_paths, headers):

def send_data(self, url, data, headers):
print('url: {}'.format(url))
requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
print('=====================')

def read_data(self, url, headers):
Expand All @@ -281,16 +282,36 @@ def path_iteration(dictionary, path):

class IdentityCreator:

def prevent_injections(input_string):
# Regex pattern to prevent SQL injection
sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)

# Regex pattern to prevent HTML injection
html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)

# Check for SQL injection
if sql_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential SQL injection attempt.")

# Check for HTML injection
if html_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential HTML injection attempt.")

# HTML escape the input
escaped_string = html.escape(input_string)

return escaped_string

@classmethod
def process(cls):
parser = argparse.ArgumentParser(description="Generate pool transactions")
parser.add_argument('--identity_name', required=True,
parser.add_argument('--identity_name', type=prevent_injections, required=True,
help='Identity name')
parser.add_argument('--vault_path', required=True,
parser.add_argument('--vault_path', type=prevent_injections, required=True,
help='Vault path')
parser.add_argument('--target', required=False, default='console',
parser.add_argument('--target', type=prevent_injections, required=False, default='console',
help='Output type for identity.')
parser.add_argument('--vault_address', required=False, default='http://vault:8200',
parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
help='Address for vault server.')

args = parser.parse_args()
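Review bot: `prevent_injections` is defined directly under `class IdentityCreator:` without `@staticmethod`, yet `process` refers to it as the bare name `type=prevent_injections`; a class-body name is not visible inside a method, so if the rendered placement reflects the real indentation, `parse_args()` will fail with a NameError on the first argument instead of validating anything — declare it with `@staticmethod` and pass `type=cls.prevent_injections`. The import hunk adds only `import re`, but the function calls `html.escape`, so `import html` is needed as well unless it is imported in a part of the file not shown. The `--` alternative in the SQL pattern sits inside `\b…\b` and hyphens are non-word characters, so it only matches when `--` is sandwiched between word characters, and `html.escape` rewrites `&` and quotes in `--vault_address`, which is a URL, so the value used can differ from what the caller passed. A short allowlist (`re.fullmatch` over the characters an identity name or vault path may legitimately contain) would be a more predictable check than this keyword blocklist, which also rejects benign names that contain words like "create" or "update". The same definition and call sites appear in `IdentityCreatorV2` in the second file, and `process` continues past the end of this hunk.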
Expand Up @@ -5,6 +5,7 @@
import string
import ujson as json
import base58
import re

from crypto.bls.bls_crypto import BlsGroupParamsLoader
from crypto.bls.bls_factory import BlsFactoryCrypto
Expand Down Expand Up @@ -258,7 +259,7 @@ def process_data(self, vault_paths, headers):

def send_data(self, url, data, headers):
print('url: {}'.format(url))
requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
print('=====================')

def read_data(self, url, headers):
Expand Down Expand Up @@ -287,19 +288,39 @@ def path_iteration(dictionary, path):


class IdentityCreatorV2:

def prevent_injections(input_string):
# Regex pattern to prevent SQL injection
sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)

# Regex pattern to prevent HTML injection
html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)

# Check for SQL injection
if sql_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential SQL injection attempt.")

# Check for HTML injection
if html_injection_pattern.search(input_string):
raise ValueError("Invalid input. Detected potential HTML injection attempt.")

# HTML escape the input
escaped_string = html.escape(input_string)

return escaped_string

@classmethod
def process(cls):
parser = argparse.ArgumentParser(description="Generate pool transactions")
parser.add_argument('--identity_name', required=True,
parser.add_argument('--identity_name', type=prevent_injections, required=True,
help='Identity name')
parser.add_argument('--vault_path', required=True,
parser.add_argument('--vault_path', type=prevent_injections, required=True,
help='Vault path')
parser.add_argument('--target', required=False, default='console',
parser.add_argument('--target', type=prevent_injections, required=False, default='console',
help='Output type for identity.')
parser.add_argument('--vault_address', required=False, default='http://localhost:8200',
parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
help='Address for vault server.')
parser.add_argument('--version', required=False, default='1',
parser.add_argument('--version', type=prevent_injections, required=False, default='1',
help='Vault KV version')

args = parser.parse_args()