Return BadRequest for invalid parameter (#10064)

liliankasem · web-flow · commit 3d6f87410199 · 2024-04-24T16:42:10.000-07:00
diff --git a/src/WebJobs.Script.WebHost/Controllers/ExtensionsController.cs b/src/WebJobs.Script.WebHost/Controllers/ExtensionsController.cs
@@ -67,6 +67,12 @@ public async Task<IActionResult> Get()
         [Route("admin/host/extensions/{id}")]
         public async Task<IActionResult> Delete(string id)
         {
+            // We are using a file name check, but the API expects a NuGet package name/ID
+            if (!FileUtility.IsValidFileName(id))
+            {
+                return BadRequest();
+            }
+
             if (_extensionBundleManager.IsExtensionBundleConfigured())
             {
                 return BadRequest(Resources.ExtensionBundleBadRequestDelete);
@@ -92,6 +98,11 @@ await _extensionsManager.DeleteExtensions(id)
         [Route("admin/host/extensions/jobs/{id}")]
         public async Task<IActionResult> GetJobs(string id)
         {
+            if (!IsValidGuid(id))
+            {
+                return BadRequest();
+            }
+
             ExtensionsRestoreJob job = await GetJob(id);
 
             if (job == null)
@@ -258,5 +269,10 @@ private async Task<IEnumerable<ExtensionsRestoreJob>> GetInProgressJobs()
 
             return jobs;
         }
+
+        private bool IsValidGuid(string value)
+        {
+            return Guid.TryParse(value, out _);
+        }
     }
 }
diff --git a/src/WebJobs.Script/Extensions/FileUtility.cs b/src/WebJobs.Script/Extensions/FileUtility.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.IO.Abstractions;
+using System.Linq;
 using System.Reflection;
 using System.Text;
 using System.Threading.Tasks;
@@ -13,6 +14,7 @@ namespace Microsoft.Azure.WebJobs.Script
 {
     public static class FileUtility
     {
+        private static readonly char[] InvalidFileNameChars = Path.GetInvalidFileNameChars();
         private static IFileSystem _default = new FileSystem();
         private static IFileSystem _instance;
 
@@ -282,5 +284,30 @@ private static void DoSafeAction(Action action, bool ignoreErrors)
             {
             }
         }
+
+        /// <summary>
+        /// Checks if a file name is valid.
+        /// </summary>
+        /// <param name="input">The string to sanitize.</param>
+        /// <returns>Boolean value determining if file name is valid or not.</returns>
+        public static bool IsValidFileName(string fileName)
+        {
+            if (string.IsNullOrEmpty(fileName))
+            {
+                return false;
+            }
+
+            if (fileName.Contains("..") || Path.IsPathRooted(fileName))
+            {
+                return false;
+            }
+
+            if (fileName.Contains(Path.DirectorySeparatorChar) || fileName.Contains(Path.AltDirectorySeparatorChar))
+            {
+                return false;
+            }
+
+            return fileName.IndexOfAny(InvalidFileNameChars) >= 0 ? false : true;
+        }
     }
 }
diff --git a/test/WebJobs.Script.Tests/IO/FileUtilityTests.cs b/test/WebJobs.Script.Tests/IO/FileUtilityTests.cs
@@ -1,11 +1,7 @@
 ﻿// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
+using System.IO;
 using Xunit;
 
 namespace Microsoft.Azure.WebJobs.Script.Tests.IO
@@ -23,5 +19,22 @@ public void GetRelativePath_ReturnsExpectedPath(string path1, string path2, stri
 
             Assert.Equal(expectedPath, result);
         }
+
+        [Theory]
+        [InlineData("file/name", false)]
+        [InlineData("file\0name", false)]
+        [InlineData("file\\name", false)]
+        [InlineData("..\\..\\filename", false)]
+        [InlineData("../../filename", false)]
+        [InlineData("..filename", false)]
+        [InlineData("filename", true)]
+        [InlineData("file-name", true)]
+        [InlineData("file_name", true)]
+        [InlineData("filename123", true)]
+        public void IsValidFileName_ReturnsBool(string input, bool expectedOutput)
+        {
+            var result = FileUtility.IsValidFileName(input);
+            Assert.Equal(expectedOutput, result);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,12 @@ public async Task<IActionResult> Get()`
`67`	`67`	`[Route("admin/host/extensions/{id}")]`
`68`	`68`	`public async Task<IActionResult> Delete(string id)`
`69`	`69`	`{`
	`70`	`+ // We are using a file name check, but the API expects a NuGet package name/ID`
	`71`	`+ if (!FileUtility.IsValidFileName(id))`
	`72`	`+ {`
	`73`	`+ return BadRequest();`
	`74`	`+ }`
	`75`	`+`
`70`	`76`	`if (_extensionBundleManager.IsExtensionBundleConfigured())`
`71`	`77`	`{`
`72`	`78`	`return BadRequest(Resources.ExtensionBundleBadRequestDelete);`
`@@ -92,6 +98,11 @@ await _extensionsManager.DeleteExtensions(id)`
`92`	`98`	`[Route("admin/host/extensions/jobs/{id}")]`
`93`	`99`	`public async Task<IActionResult> GetJobs(string id)`
`94`	`100`	`{`
	`101`	`+ if (!IsValidGuid(id))`
	`102`	`+ {`
	`103`	`+ return BadRequest();`
	`104`	`+ }`
	`105`	`+`
`95`	`106`	`ExtensionsRestoreJob job = await GetJob(id);`
`96`	`107`
`97`	`108`	`if (job == null)`
`@@ -258,5 +269,10 @@ private async Task<IEnumerable<ExtensionsRestoreJob>> GetInProgressJobs()`
`258`	`269`
`259`	`270`	`return jobs;`
`260`	`271`	`}`
	`272`	`+`
	`273`	`+ private bool IsValidGuid(string value)`
	`274`	`+ {`
	`275`	`+ return Guid.TryParse(value, out _);`
	`276`	`+ }`
`261`	`277`	`}`
`262`	`278`	`}`