mediaapi/writers/download: Allow only media IDs matching [A-Za-z0-9_=-]+

2024-11-22 11:41:38 +00:00 · 2017-05-26 14:42:51 +02:00 · 2017-05-26 14:42:51 +02:00 · 4dfbae81cd
commit 4dfbae81cd
parent 0affdae889
1 changed files with 9 additions and 3 deletions
--- a/src/github.com/matrix-org/dendrite/mediaapi/writers/download.go
+++ b/src/github.com/matrix-org/dendrite/mediaapi/writers/download.go
@ -16,7 +16,9 @@ package writers

 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"regexp"

 	log "github.com/Sirupsen/logrus"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
@ -26,6 +28,11 @@ import (
 	"github.com/matrix-org/util"
 )

+const mediaIDCharacters = "A-Za-z0-9_=-"
+
+// Note: unfortunately regex.MustCompile() cannot be assigned to a const
+var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
+
 // downloadRequest metadata included in or derivable from an download request
 // https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
 type downloadRequest struct {
@ -78,11 +85,10 @@ func (r *downloadRequest) jsonErrorResponse(w http.ResponseWriter, res util.JSON

 // Validate validates the downloadRequest fields
 func (r *downloadRequest) Validate() *util.JSONResponse {
-	// maybe give the URL pattern in the routing, these are not even possible as the handler would not be hit...?
-	if r.MediaMetadata.MediaID == "" {
+	if mediaIDRegex.MatchString(string(r.MediaMetadata.MediaID)) == false {
 		return &util.JSONResponse{
 			Code: 404,
-			JSON: jsonerror.NotFound("mediaId must be a non-empty string"),
+			JSON: jsonerror.NotFound(fmt.Sprintf("mediaId must be a non-empty string using only characters in %v", mediaIDCharacters)),
 		}
 	}
 	if r.MediaMetadata.Origin == "" {