Prevent null character input for project browsing

This isn't valid input, and is someone fuzzing the API.

Author: tobias

src/clojars/web.clj

@@ -22,7 +22,7 @@
    [clojars.routes.user :as user]
    [clojars.routes.verify :as verify]
    [clojars.web.browse :refer [browse]]
-   [clojars.web.common :refer [html-doc]]
+   [clojars.web.common :as common :refer [html-doc]]
    [clojars.web.dashboard :refer [dashboard index-page]]
    [clojars.web.safe-hiccup :refer [raw]]
    [clojars.web.search :as search]
@@ -36,18 +36,19 @@
    [ring.middleware.not-modified :refer [wrap-not-modified]]
    [ring.util.response :refer [bad-request content-type]]))
 
-(defn try-parse-page
+(defn- try-parse-page
   "Will throw a targeted error if maybe-page doesn't parse as an integer."
   [maybe-page]
-  (try
-    (Integer/parseInt maybe-page)
-    (catch Exception _
-      (throw (ex-info
-              "page must be an integer"
-              {:report? false
-               :title "Bad Request"
-               :error-message "The page query parameter must be an integer."
-               :status 400})))))
+  (when maybe-page
+    (try
+      (Integer/parseInt maybe-page)
+      (catch Exception _
+        (throw (ex-info
+                "page must be an integer"
+                {:report? false
+                 :title "Bad Request"
+                 :error-message "The page query parameter must be an integer."
+                 :status 400}))))))
 
 (defn- main-routes
   [{:as _system :keys [db event-emitter hcaptcha mailer search stats]}]
@@ -60,15 +61,15 @@
               (index-page db stats %))))
      (GET "/search" {:keys [params]}
           (try-account
-           #(let [validated-params (if (:page params)
-                                     (assoc params :page (try-parse-page (:page params)))
-                                     params)]
+           #(let [validated-params (-> params
+                                       (update :page try-parse-page))]
               (search/search search % validated-params))))
      (GET "/projects" {:keys [params]}
           (try-account
-           #(let [validated-params (if (:page params)
-                                     (assoc params :page (try-parse-page (:page params)))
-                                     params)]
+           #(let [validated-params
+                  (-> params
+                      (update :from (partial common/check-no-null-bytes "from"))
+                      (update :page try-parse-page))]
               (browse db % validated-params))))
      (GET "/security" []
           (try-account

src/clojars/web/common.clj

@@ -459,3 +459,18 @@
      (for [[label input] label-input-pairs]
        [:tr [:td label] [:td input]])]
     extra-inputs]))
+
+(defn check-no-null-bytes
+  "Will throw a targeted error if s contains 0x00, as postgres will not allow
+  the null byte in strings."
+  [param-name ^String s]
+  (if (and s
+           (>= (.indexOf s 0x00) 0))
+    (throw (ex-info
+            "value must be a UTF-8 string"
+            {:report? false
+             :title "Bad Request"
+             :error-message (format "The %s parameter must not contain null bytes."
+                                    param-name)
+             :status 400}))
+    s))

test/clojars/integration/web_test.clj

@@ -106,3 +106,20 @@
                [:div enlive/first-of-type]
                [:a enlive/first-of-type]]
         (has (text? "tester/tester123a")))))
+
+(deftest browse-page-rejects-invalid-utf-jump
+  (help/add-verified-group "test-user" "tester")
+  (doseq [i (range 100 125)]
+    (db/add-jar
+     help/*db*
+     "test-user"
+     {:name (str "tester" i "a") :group "tester" :version "0.1" :description "Huh" :authors ["Zz"]}))
+  (let [{:keys [response]}
+        (-> (session (help/app))
+            (visit "/projects")
+            (fill-in "Enter a few letters..." (String. (byte-array [0x00])))
+            (press "Jump"))]
+    (is (match?
+         {:status 400
+          :body #"The from parameter must not contain null bytes"}
+         response))))