From 6e448766919c42b9795adbc0778f529666454270 Mon Sep 17 00:00:00 2001
From: suvajit-sarkar
Date: Thu, 4 Jan 2024 05:33:33 +0000
Subject: [PATCH] add prevent injection func to indy identity gen script
Signed-off-by: suvajit-sarkar
---
 .../src/identity_crypto_generator.py | 31 ++++++++++++++---
 .../src/identity_crypto_generator_v2.py | 33 +++++++++++++++----
 2 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py
index a6ef13a81c5..231519cadf1 100644
--- a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py
+++ b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator.py
@@ -5,6 +5,7 @@ import string
 import ujson as json
 import base58
+import re
 from crypto.bls.bls_crypto import BlsGroupParamsLoader
 from crypto.bls.bls_factory import BlsFactoryCrypto
@@ -256,7 +257,7 @@ def process_data(self, vault_paths, headers):
     def send_data(self, url, data, headers):
         print('url: {}'.format(url))
-        requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
+        requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
         print('=====================')
     def read_data(self, url, headers):
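Review bot: `send_data` now passes `verify=True`, so posts to a Vault that presents a certificate from a private CA will raise `requests.exceptions.SSLError` unless that CA is in the trust store; requests honours the `REQUESTS_CA_BUNDLE` environment variable when `verify` is `True`, so the minimum follow-up is a comment on the `requests.post` line such as `# TLS is verified; point REQUESTS_CA_BUNDLE at the Vault CA when it is not publicly trusted` plus the matching note in the deployment docs. `read_data` on the last context line has its body outside the hunk; if it still calls requests with `verify=False` it should be switched in the same way. The identical change in `identity_crypto_generator_v2.py` carries the same caveats.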
@@ -281,16 +282,36 @@ def path_iteration(dictionary, path):
 class IdentityCreator:
+    def prevent_injections(input_string):
+        # Regex pattern to prevent SQL injection
+        sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+
+        # Regex pattern to prevent HTML injection
+        html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+
+        # Check for SQL injection
+        if sql_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+
+        # Check for HTML injection
+        if html_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+
+        # HTML escape the input
+        escaped_string = html.escape(input_string)
+
+        return escaped_string
+
     @classmethod
     def process(cls):
         parser = argparse.ArgumentParser(description="Generate pool transactions")
-        parser.add_argument('--identity_name', required=True,
+        parser.add_argument('--identity_name', type=prevent_injections, required=True,
                             help='Identity name')
-        parser.add_argument('--vault_path', required=True,
+        parser.add_argument('--vault_path', type=prevent_injections, required=True,
                             help='Vault path')
-        parser.add_argument('--target', required=False, default='console',
+        parser.add_argument('--target', type=prevent_injections, required=False, default='console',
                             help='Output type for identity.')
-        parser.add_argument('--vault_address', required=False, default='http://vault:8200',
+        parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
                             help='Address for vault server.')
         args = parser.parse_args()
diff --git a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py
index a1a8cc3249d..5337f786495 100644
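Review bot: `type=prevent_injections` in `process` will fail with `NameError` at run time, because `prevent_injections` is defined in the class body and a method body does not see class-level names — the new `add_argument` lines need `type=cls.prevent_injections`, and the function needs `@staticmethod` since it takes no `self` or `cls`. The `IdentityCreatorV2` hunk in the second file has the same defect. `html.escape` also needs `html` to be imported; the import hunk adds only `re` and no `import html` is visible in this diff, so confirm it is imported elsewhere in the file or add it. The `--vault_address` default also moves from `http://vault:8200` to `https://localhost:8200` here, a deployment-visible change that the commit message does not mention. `process` continues past `args = parser.parse_args()` outside the hunk.
```python
class IdentityCreator:
    @staticmethod
    def prevent_injections(input_string):
        # … unchanged: SQL/HTML pattern checks and html.escape …

    @classmethod
    def process(cls):
        parser = argparse.ArgumentParser(description="Generate pool transactions")
        parser.add_argument('--identity_name', type=cls.prevent_injections, required=True,
                            help='Identity name')
        parser.add_argument('--vault_path', type=cls.prevent_injections, required=True,
                            help='Vault path')
        parser.add_argument('--target', type=cls.prevent_injections, required=False, default='console',
                            help='Output type for identity.')
        parser.add_argument('--vault_address', type=cls.prevent_injections, required=False, default='https://localhost:8200',
                            help='Address for vault server.')
        # … unchanged: args = parser.parse_args() and the rest of process …
```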
--- a/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py
+++ b/platforms/hyperledger-indy/images/indy-key-mgmt/src/identity_crypto_generator_v2.py
@@ -5,6 +5,7 @@ import string
 import ujson as json
 import base58
+import re
 from crypto.bls.bls_crypto import BlsGroupParamsLoader
 from crypto.bls.bls_factory import BlsFactoryCrypto
@@ -258,7 +259,7 @@ def process_data(self, vault_paths, headers):
     def send_data(self, url, data, headers):
         print('url: {}'.format(url))
-        requests.post(url=url, headers=headers, data=json.dumps(data), verify=False)
+        requests.post(url=url, headers=headers, data=json.dumps(data), verify=True)
         print('=====================')
     def read_data(self, url, headers):
@@ -287,19 +288,39 @@ def path_iteration(dictionary, path):
 class IdentityCreatorV2:
+
+    def prevent_injections(input_string):
+        # Regex pattern to prevent SQL injection
+        sql_injection_pattern = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|CREATE|ALTER|EXEC|--)\b", re.IGNORECASE)
+
+        # Regex pattern to prevent HTML injection
+        html_injection_pattern = re.compile(r"<[a-z][\s\S]*>", re.IGNORECASE)
+
+        # Check for SQL injection
+        if sql_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential SQL injection attempt.")
+
+        # Check for HTML injection
+        if html_injection_pattern.search(input_string):
+            raise ValueError("Invalid input. Detected potential HTML injection attempt.")
+
+        # HTML escape the input
+        escaped_string = html.escape(input_string)
+
+        return escaped_string
     @classmethod
     def process(cls):
         parser = argparse.ArgumentParser(description="Generate pool transactions")
-        parser.add_argument('--identity_name', required=True,
+        parser.add_argument('--identity_name', type=prevent_injections, required=True,
                             help='Identity name')
-        parser.add_argument('--vault_path', required=True,
+        parser.add_argument('--vault_path', type=prevent_injections, required=True,
                             help='Vault path')
-        parser.add_argument('--target', required=False, default='console',
+        parser.add_argument('--target', type=prevent_injections, required=False, default='console',
                             help='Output type for identity.')
-        parser.add_argument('--vault_address', required=False, default='http://localhost:8200',
+        parser.add_argument('--vault_address', type=prevent_injections, required=False, default='https://localhost:8200',
                             help='Address for vault server.')
-        parser.add_argument('--version', required=False, default='1',
+        parser.add_argument('--version', type=prevent_injections, required=False, default='1',
                             help='Vault KV version')
         args = parser.parse_args()
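Review bot: Returning `html.escape(input_string)` from the `type=` callable rewrites the argument instead of validating it: a `--vault_address` containing `&` is stored as `&amp;` and a `--vault_path` containing `'` as `&#x27;`, so the values later used to reach Vault no longer match what the operator passed. The SQL keyword denylist is also a poor fit for these inputs, since it rejects any identity name that happens to contain a word such as `update` or `create` while accepting anything that avoids those tokens. A per-argument allowlist is more predictable — for example a `re.fullmatch` over a fixed character class for `--identity_name` and `--vault_path`, and `urllib.parse.urlparse` with an `http`/`https` scheme check for `--vault_address` — returning the value unchanged on success and raising `argparse.ArgumentTypeError` otherwise, which also gives argparse's standard usage error instead of a traceback. The `IdentityCreator` hunk in the first file has the same issue, and `process` continues past `args = parser.parse_args()` outside the hunk.
```python
def _safe_name(value):
    # Allowlist (sample character class; widen if real paths need more):
    # reject anything that is not a plain identifier/path token.
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", value):
        raise argparse.ArgumentTypeError("contains characters outside [A-Za-z0-9_./-]")
    return value

def _vault_url(value):
    # Accept only absolute http(s) URLs; the value is used verbatim, never escaped.
    parts = urllib.parse.urlparse(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise argparse.ArgumentTypeError("expected an http(s) URL")
    return value
# … unchanged: add_argument calls, using type=_safe_name / type=_vault_url …
```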