From 1218726ffc0363ef5c1b885e8c2972991e670207 Mon Sep 17 00:00:00 2001
From: Rob Riddle
Date: Wed, 16 Aug 2017 16:31:57 -0400
Subject: [PATCH] This adds some basic regex validation on query parameters to harden against attacks and reduce time to error. Address validation could likely be improved beyond just regex, but this will do for now

---
 server/lib/api/transaction.js | 19 +++++++++++++++++++
 server/lib/util/index.js | 11 +++++++++++
 2 files changed, 30 insertions(+)

diff --git a/server/lib/api/transaction.js b/server/lib/api/transaction.js
index fb79b87..af5b7bd 100644
--- a/server/lib/api/transaction.js
+++ b/server/lib/api/transaction.js
@@ -2,6 +2,7 @@ const logger = require('../logger');
 const request = require('request');
 const config = require('../../config');
 const db = require('../db');
+const util = require('../util');
 
 const API_URL = `http://${config.bcoin_http}:${config.bcoin['http-port']}`;
 const MAX_TXS = config.api.max_txs;
@@ -9,6 +10,12 @@ const MAX_TXS = config.api.max_txs;
 module.exports = function transactionAPI(router) {
   // Txs by txid
   router.get('/tx/:txid', (req, res) => {
+    if (!util.isTxid(req.params.txid)) {
+      return res.status(400).send({
+        error: 'Invalid transaction id',
+      });
+    }
+
     // Get max block height for calculating confirmations
     db.blocks.getBestHeight(
       (err, blockHeight) => {
@@ -75,6 +82,12 @@ module.exports = function transactionAPI(router) {
     const rangeEnd = rangeStart + MAX_TXS;
     // get txs for blockhash, start with best height to calc confirmations
     if (req.query.block) {
+      if (!util.isBlockHash(req.query.block)) {
+        return res.status(400).send({
+          error: 'Invalid block hash',
+        });
+      }
+
       db.blocks.getBestHeight(
         (err, blockHeight) => {
           if (err) {
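Review bot: `util.isBlockHash(req.query.block)` in the `-75,6` hunk is handed whatever the query parser produced, and that need not be a string: if this is Express with its default query parser (the `router.get` / `res.status().send` API suggests so), a repeated or bracketed key arrives as an array, while `RegExp.prototype.test` stringifies its argument, so a one-element array holding 64 hex characters passes the check and the code after it receives an array rather than the string it presumably expects. The `req.query.address` check in the next hunk has the same gap; `req.params.txid` in the `-9,6` hunk does not, since route parameters are always strings. The simplest place to close it is the validators themselves, so every caller benefits: `return typeof value === 'string' && /^[0-9a-f]{64}$/i.test(value);` in `is64HexString`, and the same `typeof` guard in front of the regex in `isBitcoinAddress`. The route handler these checks sit in starts and ends outside the hunk.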
@@ -128,6 +141,12 @@ module.exports = function transactionAPI(router) {
         });
       });
     } else if (req.query.address) {
+      if (!util.isBitcoinAddress(req.query.address)) {
+        return res.status(400).send({
+          error: 'Invalid bitcoin address',
+        });
+      }
+
       // Get txs by address, start with best height to calc confirmations
       db.blocks.getBestHeight(
         (err, blockHeight) => {
diff --git a/server/lib/util/index.js b/server/lib/util/index.js
index 5215dcf..ba0b444 100644
--- a/server/lib/util/index.js
+++ b/server/lib/util/index.js
@@ -21,8 +21,19 @@ function calcBlockReward(height) {
   return reward;
 }
 
+function is64HexString(value) {
+  return /^[0-9a-f]{64}$/i.test(value);
+}
+
+function isBitcoinAddress(value) {
+  return /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/.test(value);
+}
+
 module.exports = {
   revHex,
   calcBlockReward,
+  isBlockHash: is64HexString,
+  isTxid: is64HexString,
+  isBitcoinAddress,
 };
 
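Review bot: The two new validators in `server/lib/util/index.js` carry no documentation, and `isBitcoinAddress` encodes scope decisions a caller cannot see from its name: the regex accepts only addresses beginning with `1` or `3` in the Base58 alphabet at 26–35 characters in total, so testnet (`m`/`n`/`2`) and bech32 (`bc1…`) addresses are rejected with a 400 should the service ever be pointed at testnet or handed a native-segwit address, and it is a syntax check only — the Base58Check checksum is not verified, so a mistyped address that still fits the pattern goes on to whatever lookup follows. I would put a JSDoc line above each: `/** True when value is a 64-character hex string (txid or block hash, case-insensitive). Syntactic check only. */` above `is64HexString`, and `/** True when value looks like a mainnet legacy (P2PKH/P2SH) address: prefix 1 or 3, Base58 alphabet, 26–35 characters. Syntax only — no checksum, testnet or bech32 support. */` above `isBitcoinAddress`. The `isBlockHash` / `isTxid` aliases in `module.exports` deserve a one-line note as well, since both names resolve to the same implementation and a reader of the call sites will not expect that.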