This adds some basic regex validation on query parameters to harden against attacks and reduce time to error. Address validation could likely be improved beyond just regex, but this will do for now

2017-08-16 16:31:57 -04:00 · 2017-08-16 16:31:57 -04:00 · 1218726ffc
commit 1218726ffc
parent c47f58f8e8
2 changed files with 30 additions and 0 deletions
--- a/server/lib/api/transaction.js
+++ b/server/lib/api/transaction.js
@ -2,6 +2,7 @@ const logger = require('../logger');
 const request = require('request');
 const config = require('../../config');
 const db = require('../db');
+const util = require('../util');

 const API_URL = `http://${config.bcoin_http}:${config.bcoin['http-port']}`;
 const MAX_TXS = config.api.max_txs;
@ -9,6 +10,12 @@ const MAX_TXS = config.api.max_txs;
 module.exports = function transactionAPI(router) {
  // Txs by txid
  router.get('/tx/:txid', (req, res) => {
+    if (!util.isTxid(req.params.txid)) {
+      return res.status(400).send({
+        error: 'Invalid transaction id',
+      });
+    }
+
    // Get max block height for calculating confirmations
    db.blocks.getBestHeight(
      (err, blockHeight) => {
@ -75,6 +82,12 @@ module.exports = function transactionAPI(router) {
    const rangeEnd   = rangeStart + MAX_TXS;
    // get txs for blockhash, start with best height to calc confirmations
    if (req.query.block) {
+      if (!util.isBlockHash(req.query.block)) {
+        return res.status(400).send({
+          error: 'Invalid block hash',
+        });
+      }
+
      db.blocks.getBestHeight(
        (err, blockHeight) => {
          if (err) {
@ -128,6 +141,12 @@ module.exports = function transactionAPI(router) {
          });
        });
    } else if (req.query.address) {
+      if (!util.isBitcoinAddress(req.query.address)) {
+        return res.status(400).send({
+          error: 'Invalid bitcoin address',
+        });
+      }
+
      // Get txs by address, start with best height to calc confirmations
      db.blocks.getBestHeight(
        (err, blockHeight) => {
--- a/server/lib/util/index.js
+++ b/server/lib/util/index.js
@ -21,8 +21,19 @@ function calcBlockReward(height) {
  return reward;
 }

+function is64HexString(value) {
+  return /^[0-9a-f]{64}$/i.test(value);
+}
+
+function isBitcoinAddress(value) {
+  return /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/.test(value);
+}
+
 module.exports = {
  revHex,
  calcBlockReward,
+  isBlockHash: is64HexString,
+  isTxid: is64HexString,
+  isBitcoinAddress,
 };