Sanitize inputs

lib/start-proxy.js

@@ -37,10 +37,19 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
         return [];
     }
     // Parse and validate the credentials
-    const parsed = JSON.parse(credentialsStr);
-    const out = [];
+    let parsed;
+    try {
+        parsed = JSON.parse(credentialsStr);
+    }
+    catch (error) {
+        // Don't log the error since it might contain sensitive information.
+        logger.error("Failed to parse the credentials data.");
+        throw new Error("Invalid credentials format.");
+    }
+    let out = [];
     for (const e of parsed) {
         if (e.url === undefined && e.host === undefined) {
+            // The proxy needs one of these to work. If both are defined, the url has the precedence.
             throw new Error("Invalid credentials - must specify host or url");
         }
         // Filter credentials based on language if specified. `type` is the registry type.
@@ -48,6 +57,12 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
         if (registryTypeForLanguage && e.type !== registryTypeForLanguage) {
             continue;
         }
+        const isPrintable = (str) => {
+            return str ? /^[\x20-\x7E]*$/.test(str) : true;
+        };
+        if (!isPrintable(e.type) || !isPrintable(e.host) || !isPrintable(e.url) || !isPrintable(e.username) || !isPrintable(e.password) || !isPrintable(e.token)) {
+            throw new Error("Invalid credentials - fields must contain only printable characters");
+        }
         out.push({
             type: e.type,
             host: e.host,