[TT-16337] prevent use of special characters in policyID

Author: NurayAhmadova

gateway/api.go

@@ -39,6 +39,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -80,6 +81,7 @@ const (
 
 var (
 	ErrRequestMalformed = errors.New("request malformed")
+	validPolicyIDRegex  = regexp.MustCompile(`^[a-zA-Z0-9.\-_~]+$`)
 )
 
 // apiModifyKeySuccess represents when a Key modification was successful
@@ -1110,6 +1112,11 @@ func (gw *Gateway) handleAddOrUpdatePolicy(polID string, r *http.Request) (inter
 		return apiError("Request malformed"), http.StatusBadRequest
 	}
 
+	if newPol.ID != "" && !isValidPolicyID(newPol.ID) {
+		log.WithField("id", newPol.ID).Error("Policy ID contains invalid characters")
+		return apiError("Invalid Policy ID in body. Allowed characters: a-z, A-Z, 0-9, ., _, -"), http.StatusBadRequest
+	}
+
 	if polID != "" && newPol.ID != polID && r.Method == http.MethodPut {
 		log.Error("PUT operation on different IDs")
 		return apiError("Request ID does not match that in policy! For Update operations these must match."), http.StatusBadRequest
@@ -1555,6 +1562,12 @@ func (gw *Gateway) handleDeleteAPI(apiID string) (interface{}, int) {
 func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 	polID := mux.Vars(r)["polID"]
 
+	if polID != "" && !isValidPolicyID(polID) {
+		log.WithField("id", polID).Error("Policy ID contains invalid characters")
+		doJSONWrite(w, http.StatusBadRequest, apiError("Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -"))
+		return
+	}
+
 	var obj interface{}
 	var code int
 
@@ -1589,6 +1602,13 @@ func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 	doJSONWrite(w, code, obj)
 }
 
+func isValidPolicyID(id string) bool {
+	if id == "" {
+		return true
+	}
+	return validPolicyIDRegex.MatchString(id)
+}
+
 func (gw *Gateway) apiHandler(w http.ResponseWriter, r *http.Request) {
 	apiID := mux.Vars(r)["apiID"]
 

gateway/api_test.go

@@ -173,6 +173,51 @@ func TestPolicyAPI(t *testing.T) {
 			Code:      http.StatusOK,
 		})
 	})
+
+	t.Run("fails if ID contains invalid characters", func(t *testing.T) {
+		invalidURLID := "invalid@id"
+
+		ts.Run(t, test.TestCase{
+			Path:      "/tyk/policies/" + invalidURLID,
+			Method:    http.MethodGet,
+			AdminAuth: true,
+			Code:      http.StatusBadRequest,
+			BodyMatch: `Invalid Policy ID`,
+		})
+
+		invalidBodyPol := user.Policy{
+			ID:           "invalid/id",
+			Rate:         100,
+			Per:          1,
+			OrgID:        "54de205930c55e15bd000001",
+			AccessRights: make(map[string]user.AccessDefinition),
+			MetaData:     nil,
+			Tags:         nil,
+		}
+
+		ts.Run(t, test.TestCase{
+			Path:      "/tyk/policies",
+			Method:    http.MethodPost,
+			AdminAuth: true,
+			Data:      serializePolicy(t, invalidBodyPol),
+			Code:      http.StatusBadRequest,
+			BodyMatch: `Invalid Policy ID in body`,
+		})
+
+		validID := "valid-id"
+		ts.Gw.policiesMu.Lock()
+		ts.Gw.policiesByID[validID] = invalidBodyPol
+		ts.Gw.policiesMu.Unlock()
+
+		ts.Run(t, test.TestCase{
+			Path:      "/tyk/policies/" + validID,
+			Method:    http.MethodPut,
+			AdminAuth: true,
+			Data:      serializePolicy(t, invalidBodyPol),
+			Code:      http.StatusBadRequest,
+			BodyMatch: `Invalid Policy ID in body`,
+		})
+	})
 }
 
 func serializePolicy(t *testing.T, pol user.Policy) string {