Improve input validation

pablosnt · pablosnt · commit 1bb62b0d068e · 2024-03-30T01:28:56.000+01:00
diff --git a/src/backend/authentications/models.py b/src/backend/authentications/models.py
@@ -16,13 +16,13 @@ class Authentication(BaseInput, BaseEncrypted):
 
     name = models.TextField(
         max_length=100,
-        validators=[Validator(Regex.NAME.value, code="name")],
+        validators=[Validator(Regex.NAME.value, code="name", deny_injections=True)],
         null=True,
         blank=True,
     )
     _secret = models.TextField(
         max_length=500,
-        validators=[Validator(Regex.SECRET.value, code="secret")],
+        validators=[Validator(Regex.SECRET.value, code="secret", deny_injections=True)],
         null=True,
         blank=True,
         db_column="secret",
diff --git a/src/backend/http_headers/models.py b/src/backend/http_headers/models.py
@@ -26,10 +26,10 @@ class HttpHeader(BaseInput):
         null=True,
     )
     key = models.TextField(
-        max_length=100, validators=[Validator(Regex.NAME.value, code="key")]
+        max_length=100, validators=[Validator(Regex.NAME.value, code="key", deny_injections=True)]
     )
     value = models.TextField(
-        max_length=500, validators=[Validator(Regex.TEXT.value, code="value")]
+        max_length=500, validators=[Validator(Regex.TEXT.value, code="value", deny_injections=True)]
     )
 
     filters = [BaseInput.Filter(type=str, field="key")]
diff --git a/src/backend/parameters/models.py b/src/backend/parameters/models.py
@@ -16,11 +16,11 @@ class InputTechnology(BaseInput):
         Target, related_name="input_technologies", on_delete=models.CASCADE
     )
     name = models.TextField(
-        max_length=100, validators=[Validator(Regex.NAME.value, code="name")]
+        max_length=100, validators=[Validator(Regex.NAME.value, code="name", deny_injections=True)]
     )
     version = models.TextField(
         max_length=100,
-        validators=[Validator(Regex.NAME.value, code="version")],
+        validators=[Validator(Regex.NAME.value, code="version", deny_injections=True)],
         blank=True,
         null=True,
     )
@@ -69,7 +69,7 @@ class InputVulnerability(BaseInput):
         Target, related_name="input_vulnerabilities", on_delete=models.CASCADE
     )
     cve = models.TextField(
-        max_length=20, validators=[Validator(Regex.CVE.value, code="cve")]
+        max_length=20, validators=[Validator(Regex.CVE.value, code="cve", deny_injections=True)]
     )
 
     filters = [
diff --git a/src/backend/security/validators/input_validator.py b/src/backend/security/validators/input_validator.py
@@ -21,6 +21,7 @@ class Regex(Enum):
     PATH_WITH_QUERYPARAMS = r"[\w\.\-_/\\#?&%$]{0,500}"
     CVE = r"CVE-\d{4}-\d{1,7}"
     SECRET = r"[\w\./\-=\+,:<>¿?¡!#&$()@%\[\]\{\}\*]{1,500}"
+    IS_INJECTION = r"[^;\"&</>$]*"
 
 
 class Validator(RegexValidator):
@@ -31,7 +32,9 @@ def __init__(
         code: str | None = None,
         inverse_match: bool | None = ...,  # type: ignore
         flags: RegexFlag | None = None,
+        deny_injections: bool = False
     ) -> None:
+        self.deny_injections = deny_injections
         super().__init__(regex, message, code, inverse_match, flags)
 
     def __call__(self, value: str | None) -> None:
@@ -43,7 +46,8 @@ def __call__(self, value: str | None) -> None:
         invalid_input = (
             not bool(regex_matches) if self.inverse_match else bool(regex_matches)
         )
-        if invalid_input:
+        is_injection = bool(re.fullmatch(Regex.IS_INJECTION, value)) if self.deny_injections else False
+        if invalid_input or is_injection:
             logger.warning(
                 f"[Security] Invalid value that doesn't match the regex '{self.regex}'"
             )

Original file line number	Diff line number	Diff line change
`@@ -26,10 +26,10 @@ class HttpHeader(BaseInput):`
`26`	`26`	`null=True,`
`27`	`27`	`)`
`28`	`28`	`key = models.TextField(`
`29`		`- max_length=100, validators=[Validator(Regex.NAME.value, code="key")]`
	`29`	`+ max_length=100, validators=[Validator(Regex.NAME.value, code="key", deny_injections=True)]`
`30`	`30`	`)`
`31`	`31`	`value = models.TextField(`
`32`		`- max_length=500, validators=[Validator(Regex.TEXT.value, code="value")]`
	`32`	`+ max_length=500, validators=[Validator(Regex.TEXT.value, code="value", deny_injections=True)]`
`33`	`33`	`)`
`34`	`34`
`35`	`35`	`filters = [BaseInput.Filter(type=str, field="key")]`
Original file line number	Diff line number	Diff line change
`@@ -16,11 +16,11 @@ class InputTechnology(BaseInput):`
`16`	`16`	`Target, related_name="input_technologies", on_delete=models.CASCADE`
`17`	`17`	`)`
`18`	`18`	`name = models.TextField(`
`19`		`- max_length=100, validators=[Validator(Regex.NAME.value, code="name")]`
	`19`	`+ max_length=100, validators=[Validator(Regex.NAME.value, code="name", deny_injections=True)]`
`20`	`20`	`)`
`21`	`21`	`version = models.TextField(`
`22`	`22`	`max_length=100,`
`23`		`- validators=[Validator(Regex.NAME.value, code="version")],`
	`23`	`+ validators=[Validator(Regex.NAME.value, code="version", deny_injections=True)],`
`24`	`24`	`blank=True,`
`25`	`25`	`null=True,`
`26`	`26`	`)`
`@@ -69,7 +69,7 @@ class InputVulnerability(BaseInput):`
`69`	`69`	`Target, related_name="input_vulnerabilities", on_delete=models.CASCADE`
`70`	`70`	`)`
`71`	`71`	`cve = models.TextField(`
`72`		`- max_length=20, validators=[Validator(Regex.CVE.value, code="cve")]`
	`72`	`+ max_length=20, validators=[Validator(Regex.CVE.value, code="cve", deny_injections=True)]`
`73`	`73`	`)`
`74`	`74`
`75`	`75`	`filters = [`