Sanitize inputs

2025-01-24 20:20:10 +00:00 · 2025-01-24 20:20:10 +00:00 · ecf723239a
commit ecf723239a
parent 51bb5eb99a
6 changed files with 81 additions and 6 deletions
--- a/src/start-proxy.test.ts
+++ b/src/start-proxy.test.ts
@ -80,3 +80,31 @@ test("getCredentials returns all credentials when no language specified", async
  );
  t.is(credentials.length, 3);
 });
+
+test("getCredentials throws an error when non-printable characters are used", async (t) => {
+    const invalidCredentials = [
+      { type: "nuget_feed", host: "1nuget.pkg.github.com", token: "abc\u0000" }, // Non-printable character in token
+      { type: "nuget_feed", host: "2nuget.pkg.github.com\u0001" }, // Non-printable character in host
+      { type: "nuget_feed", host: "3nuget.pkg.github.com", password: "ghi\u0002" }, // Non-printable character in password
+      { type: "nuget_feed", host: "4nuget.pkg.github.com", password: "ghi\x00" }, // Non-printable character in password
+    ];
+
+    for (const invalidCredential of invalidCredentials) {
+      const credentialsInput = Buffer.from(
+        JSON.stringify([invalidCredential]),
+      ).toString("base64");
+
+      t.throws(
+        () =>
+          startProxyExports.getCredentials(
+            getRunnerLogger(true),
+            undefined,
+            credentialsInput,
+            undefined,
+          ),
+        {
+          message: "Invalid credentials - fields must contain only printable characters",
+        },
+      );
+    }
+  });
--- a/src/start-proxy.ts
+++ b/src/start-proxy.ts
@ -51,10 +51,19 @@ export function getCredentials(
  }

  // Parse and validate the credentials
-  const parsed = JSON.parse(credentialsStr) as Credential[];
-  const out: Credential[] = [];
+  let parsed: Credential[];
+  try {
+    parsed = JSON.parse(credentialsStr) as Credential[];
+  } catch (error) {
+    // Don't log the error since it might contain sensitive information.
+    logger.error("Failed to parse the credentials data.");
+    throw new Error("Invalid credentials format.");
+  }
+
+  let out: Credential[] = [];
  for (const e of parsed) {
    if (e.url === undefined && e.host === undefined) {
+      // The proxy needs one of these to work. If both are defined, the url has the precedence.
      throw new Error("Invalid credentials - must specify host or url");
    }

@ -64,6 +73,15 @@ export function getCredentials(
      continue;
    }

+
+    const isPrintable = (str: string | undefined): boolean => {
+      return str ? /^[\x20-\x7E]*$/.test(str) : true;
+    };
+
+    if (!isPrintable(e.type) || !isPrintable(e.host) || !isPrintable(e.url) || !isPrintable(e.username) || !isPrintable(e.password) || !isPrintable(e.token)) {
+      throw new Error("Invalid credentials - fields must contain only printable characters");
+    }
+
    out.push({
      type: e.type,
      host: e.host,