Add limits to ehs form fields

patrikjuvonen · botder · patrikjuvonen · commit 7642b05138f2 · 2023-05-21T22:27:32.000+03:00
Co-authored-by: Marek Kulik &lt;me@botder.com&gt;
diff --git a/vendor/ehs/formvalue.h b/vendor/ehs/formvalue.h
@@ -3,6 +3,7 @@
 #define FORMVALUE_H
 
 #include <string>
+#include <string_view>
 
 #include "contentdisposition.h"
 
@@ -43,6 +44,11 @@ class FormValue {
 #endif		
 	}
 
+	/// Constructor
+    explicit FormValue(std::string_view body) : sBody{body}
+    {
+    }
+
 #ifdef EHS_MEMORY
 	/// This is only for watching memory allocation
 	FormValue ( const FormValue & iroFormValue ) {
diff --git a/vendor/ehs/httprequest.cpp b/vendor/ehs/httprequest.cpp
@@ -4,33 +4,96 @@
 
 #include <assert.h>
 
-void HttpRequest::GetFormDataFromString ( const std::string & irsString ///< string to parse for form data
-	)
+void HttpRequest::ParseRequestURI(std::string_view uri)
 {
+	if (uri.empty())
+		return;
 
-	PME oNameValueRegex ( "[?]?([^?=]*)=([^&]*)&?", "g" );
-	while ( oNameValueRegex.match ( irsString ) ) {
+	// See: https://www.rfc-editor.org/rfc/rfc3986#section-3.4
+	if (size_t queryDelimiter = uri.find('?'); queryDelimiter != std::string_view::npos)
+	{
+		// Skip repeating '?' (question mark) characters after the first one.
+		if (queryDelimiter = uri.find_first_not_of('?', queryDelimiter + 1); queryDelimiter == std::string_view::npos)
+			return;
 
-		ContentDisposition oContentDisposition;
-		std::string sName = oNameValueRegex [ 1 ];
-		std::string sValue = oNameValueRegex [ 2 ];
+		std::string_view parameters = uri.substr(queryDelimiter);
 
-#ifdef EHS_DEBUG
-		fprintf ( stderr, "[EHS_DEBUG] Info: Got form data: '%s' => '%s'\n",
-				  sName.c_str ( ),
-				  sValue.c_str ( ) );
-#endif
+		// Discard any trailing fragment.
+		if (size_t fragmentDelimiter = parameters.find('#'); fragmentDelimiter != std::string_view::npos)
+		{
+			parameters = parameters.substr(0, fragmentDelimiter);
+		}
 
-		oFormValueMap [ sName ] =
-			FormValue ( sValue, oContentDisposition );
+		// Limit request uri parameters to 4096 bytes.
+		if (parameters.length() > 4096)
+		{
+			parameters = parameters.substr(0, 4096);
+		}
 
+		// According to the RFC, query can be anything, but this web server implementation only supports "key=value" pairs,
+		// which are parsable as form data.
+		ParseFormData(parameters);
 	}
-
 }
 
+void HttpRequest::ParseFormData(std::string_view formData)
+{
+	size_t counter = 0;
+
+	// Limit the maximum acceptable form data fields to 256.
+	while (!formData.empty() && counter < 256)
+	{
+		std::string_view parameter;
+
+		if (size_t delimiter = formData.find('&'); delimiter != std::string_view::npos)
+		{
+			parameter = formData.substr(0, delimiter);
+
+			// Skip repeating '&' (ampersand) characters after the first one.
+			if (delimiter = formData.find_first_not_of('&', delimiter + 1); delimiter != std::string_view::npos)
+			{
+				formData = formData.substr(delimiter);
+			}
+			else
+			{
+				formData = {};
+			}
+		}
+		else
+		{
+			parameter = formData;
+			formData = {};
+		}
+
+		if (!parameter.empty())
+		{
+			std::string_view key, value;
+
+			if (size_t delimiter = parameter.find('='); delimiter != std::string_view::npos)
+			{
+				key = parameter.substr(0, delimiter);
 
+				// Skip repeating '=' (equals) characters after the first one.
+				if (delimiter = parameter.find_first_not_of('=', delimiter + 1); delimiter != std::string_view::npos)
+				{
+					value = parameter.substr(delimiter);
+				}
+			}
+			else
+			{
+				key = parameter;
+				// NOTE: value is empty.
+			}
 
+			if (!key.empty())
+			{
+				oFormValueMap[std::string{key}] = FormValue{value};
+			}
+		}
 
+		counter += 1;
+	}
+}
 
 // this parses a single piece of a multipart form body
 // here are two examples -- first is an uploaded file, second is a
@@ -334,7 +397,7 @@ HttpRequest::HttpParseStates HttpRequest::ParseData ( std::string & irsData ///<
 					
 					
 					// check to see if the uri appeared to have form data in it
-					GetFormDataFromString ( sUri );
+					ParseRequestURI(sUri);
 
 					// on to the headers
 					nCurrentHttpParseState = HTTPPARSESTATE_HEADERS;
@@ -491,7 +554,7 @@ HttpRequest::HttpParseStates HttpRequest::ParseData ( std::string & irsData ///<
 				// else the body is just one piece
 				else {
 					// check for any form data
-					GetFormDataFromString ( sBody );
+					ParseFormData(sBody);
 					
 #ifdef EHS_DEBUG
 					fprintf ( stderr, "Done with body, done with entire request\n" );
diff --git a/vendor/ehs/httprequest.h b/vendor/ehs/httprequest.h
@@ -8,6 +8,7 @@
 #endif
 
 #include <map>
+#include <string_view>
 
 #include <pme.h>
 
@@ -87,8 +88,11 @@ class HttpRequest {
 	/// takes the cookie header and breaks it down into usable chunks -- returns number of name/value pairs found
 	int ParseCookieData ( std::string & irsData );
 
-	/// interprets the given string as if it's name=value pairs and puts them into oFormElements
-	void GetFormDataFromString ( const std::string & irsString );
+	/// parses the request uri, extracts the query segment and puts its key=value pairs into oFormElements
+	void ParseRequestURI(std::string_view uri);
+
+	/// parses the form data as if it's key=value pairs and puts them into oFormElements
+	void ParseFormData(std::string_view formData);
 
 	/// the current parse state -- where we are in looking at the data from the client
 	HttpParseStates nCurrentHttpParseState;
