Don't allow "weird" characters in jsonp callback

Howl 2016-06-13 21:17:43 +02:00
parent 25a4cfced2
commit da6fcb83f7


@ -3,6 +3,7 @@ package app
import ( import (
"encoding/json" "encoding/json"
"io/ioutil" "io/ioutil"
"regexp"
"git.zxq.co/ripple/rippleapi/common" "git.zxq.co/ripple/rippleapi/common"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@ -83,6 +84,9 @@ func initialCaretaker(c *gin.Context, f func(md common.MethodData) common.CodeMe
mkjson(c, resp) mkjson(c, resp)
} }
// Very restrictive, but this way it shouldn't completely fuck up.
var callbackJSONP = regexp.MustCompile(`^[a-zA-Z_\$][a-zA-Z0-9_\$]*$`)
// mkjson auto indents json, and wraps json into a jsonp callback if specified by the request. // mkjson auto indents json, and wraps json into a jsonp callback if specified by the request.
// then writes to the gin.Context the data. // then writes to the gin.Context the data.
func mkjson(c *gin.Context, data interface{}) { func mkjson(c *gin.Context, data interface{}) {
@ -92,7 +96,9 @@ func mkjson(c *gin.Context, data interface{}) {
exported = []byte(`{ "code": 500, "message": "something has gone really really really really really really wrong.", "data": null }`) exported = []byte(`{ "code": 500, "message": "something has gone really really really really really really wrong.", "data": null }`)
} }
cb := c.Query("callback") cb := c.Query("callback")
willcb := cb != "" && len(cb) < 100 willcb := cb != "" &&
len(cb) < 100 &&
callbackJSONP.MatchString(cb)
if willcb { if willcb {
c.Writer.Write([]byte("/**/ typeof " + cb + " === 'function' && " + cb + "(")) c.Writer.Write([]byte("/**/ typeof " + cb + " === 'function' && " + cb + "("))
} }
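Review bot: The `callbackJSONP.MatchString(cb)` term added to `willcb` closes the reflected-script injection through the callback name, but a JSONP body is still executed by whatever page embeds it regardless of CORS, so the remaining risk is what the wrapper exposes cross-origin; if any authentication on this API rides on cookies rather than explicit tokens, mkjson should refuse to wrap such requests (or endpoints serving private data should not be JSONP-enabled at all). The hunk also does not show the Content-Type of the padded branch; serving it as script, e.g. `c.Header("Content-Type", "application/javascript; charset=utf-8")` inside `if willcb`, together with `X-Content-Type-Options: nosniff`, keeps browsers from sniffing a JSON response as script or the reverse — disregard if the header is already set elsewhere in mkjson. The regex's comment should state what it guards rather than "shouldn't completely fuck up": `// Allowlist: exactly one ASCII JS identifier (no dots, brackets or quotes), so a caller-supplied name cannot break out of the wrapper; RE2's $ matches only at end of text, so a trailing newline is rejected too.` (the `\$` inside the character class is already literal and could be plain `$`). mkjson's body, including the write of `exported` and the closing `)` of the wrapper, continues past the end of this hunk.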