From 2e7101b4198730fce351c9d422f328d5314a8f18 Mon Sep 17 00:00:00 2001 From: Bhaskara Ram Date: Wed, 14 Aug 2024 15:29:59 +0530 Subject: [PATCH] Input Validation and Sanitization --- container/shim/src/index.js | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/container/shim/src/index.js b/container/shim/src/index.js index 9c9ef9c8..da66a32e 100644 --- a/container/shim/src/index.js +++ b/container/shim/src/index.js @@ -43,7 +43,6 @@ app.get("/favicon.ico", (req, res) => { const handleCID = asyncHandler(async (req, res) => { // Prevent Service Worker registration on namespace roots - // https://github.com/ipfs/kubo/issues/4025 const isRootCid = rootCidRegex.test(req.path); if (req.headers["service-worker"] === "script" && isRootCid) { const msg = "navigator.serviceWorker: registration is not allowed for this scope"; @@ -73,9 +72,13 @@ const handleCID = asyncHandler(async (req, res) => { res.set("Content-Type", mimeTypes.lookup(req.path) || "application/octet-stream"); if (req.headers.range && cid === TESTING_CID) { - let [start, end] = req.headers.range.split("=")[1].split("-"); - start = parseInt(start, 10); - end = parseInt(end, 10); + const range = req.headers.range.split("=")[1].split("-"); + let start = parseInt(range[0], 10); + let end = parseInt(range[1], 10); + + if (isNaN(start) || isNaN(end) || start < 0 || end < start) { + return res.status(400).end("Invalid range values"); + } res.set({ "Accept-Ranges": "bytes",