Change neutralize methods to private

TelefonicaTC2Tech · Jan 16, 2024 · e22918e · e22918e
1 parent 28cf35f
commit e22918e
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 39 deletions.
diff --git a/steps/common/sanitize.go b/steps/common/sanitize.go
diff --git a/steps/common/steps.go b/steps/common/steps.go
@@ -21,6 +21,7 @@ import (
 	"net"
 	"net/url"
 	"os/exec"
+	"regexp"
 	"strings"
 	"time"
 
@@ -79,14 +80,9 @@ func (cs Steps) InitializeSteps(ctx context.Context, scenCtx *godog.ScenarioCont
 			return nil
 		}
 		domain := golium.ValueAsString(ctx, domainParam)
-		domainN := NeutralizeDomain(domain)
+		domainN := neutralize(domain)
 
-		uri, err := url.Parse(domainN)
-		if err != nil {
-			return fmt.Errorf("failed parsing domain '%s': %w", domainN, err)
-		}
-
-		command := fmt.Sprintf("ping -c 1 %s | head -1 | grep -oe '[0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*'", uri)
+		command := fmt.Sprintf("ping -c 1 %s | head -1 | grep -oe '[0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*'", domainN)
 		cmd := exec.Command("/bin/sh", "-c", command)
 		stdoutStderr, err := cmd.CombinedOutput()
 		if err != nil {
@@ -185,3 +181,17 @@ func getLocalIP(ctx context.Context, key string, ipVersion IPVersion) error {
 	golium.GetContext(ctx).Put(golium.ValueAsString(ctx, key), localAddress.IP.String())
 	return nil
 }
+
+// Neutralization for unwanted command injections in domain string
+func neutralize(input string) string {
+	pattern := "^(?:https?://)?(?:www.)?([^:/\n&=?¿\"!| %]+)"
+	regex := regexp.MustCompile(pattern)
+	domainN := regex.FindString(input)
+
+	uri, err := url.Parse(domainN)
+	if err != nil {
+		return ""
+	}
+
+	return uri.String()
+}
diff --git a/steps/dns/session.go b/steps/dns/session.go
@@ -26,7 +26,6 @@ import (
 	"time"
 
 	"github.com/AdguardTeam/dnsproxy/upstream"
-	"github.com/TelefonicaTC2Tech/golium/steps/common"
 	"github.com/google/uuid"
 	"github.com/miekg/dns"
 )
@@ -153,8 +152,8 @@ func (s *Session) SendDoHQuery(
 		if errParse != nil {
 			return err
 		}
-		// Resolves HTTP parameter pollution. CWE:235
-		u.RawQuery = common.NeutralizeParamPollution(s.DoHQueryParams)
+
+		u.RawQuery = neutralize(s.DoHQueryParams)
 		request, err = http.NewRequest("POST", u.String(), bytes.NewReader(data))
 		if err != nil {
 			return err
@@ -286,3 +285,16 @@ func (s *Session) ValidateResponseWithRecords(
 	}
 	return nil
 }
+
+// Neutralization HTTP parameter pollution. CWE:235
+func neutralize(queryParams map[string][]string) string {
+	params := url.Values{}
+	for key, values := range queryParams {
+		for _, value := range values {
+			if !params.Has(key) {
+				params.Add(key, value)
+			}
+		}
+	}
+	return params.Encode()
+}
diff --git a/steps/http/session.go b/steps/http/session.go
@@ -30,7 +30,6 @@ import (
 	"time"
 
 	"github.com/TelefonicaTC2Tech/golium"
-	"github.com/TelefonicaTC2Tech/golium/steps/common"
 	"github.com/TelefonicaTC2Tech/golium/steps/http/model"
 	"github.com/TelefonicaTC2Tech/golium/steps/http/schema"
 	"github.com/cucumber/godog"
@@ -84,8 +83,7 @@ func (s *Session) URL() (*url.URL, error) {
 	//  * - Docs: https://pkg.go.dev/path#Join
 	//  */
 
-	// Resolves HTTP parameter pollution. CWE:235
-	u.RawQuery = common.NeutralizeParamPollution(s.Request.QueryParams)
+	u.RawQuery = neutralize(s.Request.QueryParams)
 
 	return u, nil
 }
@@ -689,3 +687,16 @@ func (s *Session) GetURL(ctx context.Context) (string, error) {
 	}
 	return URL, nil
 }
+
+// Neutralization HTTP parameter pollution. CWE:235
+func neutralize(queryParams map[string][]string) string {
+	params := url.Values{}
+	for key, values := range queryParams {
+		for _, value := range values {
+			if !params.Has(key) {
+				params.Add(key, value)
+			}
+		}
+	}
+	return params.Encode()
+}