diff --git a/api/authenticate.go b/api/authenticate.go index a31903f72..4f14465b0 100644 --- a/api/authenticate.go +++ b/api/authenticate.go @@ -9,15 +9,13 @@ import ( "fmt" "net/http" + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/token" "github.com/go-vela/server/scm" "github.com/go-vela/server/util" - "github.com/go-vela/types" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/google/uuid" "github.com/sirupsen/logrus" ) @@ -247,8 +245,8 @@ func AuthenticateType(c *gin.Context) { logrus.Info("redirecting for final auth flow destination") // capture the path elements - t := c.Param("type") - p := c.Param("port") + t := util.PathParameter(c, "type") + p := util.PathParameter(c, "port") // capture the current query parameters - // they should contain the "code" and "state" values diff --git a/api/badge.go b/api/badge.go index 79ef4e008..799de69ab 100644 --- a/api/badge.go +++ b/api/badge.go @@ -7,13 +7,12 @@ package api import ( "net/http" + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" - + "github.com/go-vela/server/util" "github.com/go-vela/types/constants" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -47,7 +46,7 @@ func GetBadge(c *gin.Context) { // capture middleware values o := org.Retrieve(c) r := repo.Retrieve(c) - branch := c.DefaultQuery("branch", r.GetBranch()) + branch := util.QueryParameter(c, "branch", r.GetBranch()) // update engine logger with API metadata // diff --git a/api/deployment.go b/api/deployment.go index fda280d15..293dbbc6e 100644 --- a/api/deployment.go +++ b/api/deployment.go 
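Review bot: `util.PathParameter` HTML-entity-encodes `t` and `p` at capture time, so these values no longer equal what the client sent by the time they reach the redirect logic that follows the hunk ("redirecting for final auth flow destination"); the same capture-time encoding is introduced in every other handler hunk of this commit (badge.go, deployment.go, hook.go, login.go, pipeline/output.go, repo.go, secret.go, user.go and the build/org/perm/pipeline/repo/service/step/worker middlewares). Encoding is sink-specific: a value used as a database key, an SCM argument or an `fmt.Errorf` message needs no HTML escaping, and `html.EscapeString` rewrites `&`, `<`, `>`, `"` and `'` into entities, so any legitimate identifier containing one of them will silently miss on lookup. I would keep the CR/LF stripping at capture (that is the log-forging control) and apply `html.EscapeString` only where a value is actually rendered into HTML, if anywhere. For `port` here and in login.go, a parse such as `port, err := strconv.Atoi(p)` followed by a range check rejects bad input outright instead of encoding it; how `t` and `p` build the redirect target is outside the hunk.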
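Review bot: `util.QueryParameter(c, "branch", r.GetBranch())` also passes the repo's stored default branch through `html.EscapeString`, so the fallback is encoded even when the client sent no `branch` at all. Git ref names may contain `&`, `<`, `>`, `"` and `'`, so a repo whose default branch uses one of them would presumably query the build with a name the database never stored and the badge would report no build. Escaping only the client-supplied value keeps the fallback intact, e.g. `branch := r.GetBranch(); if v, ok := c.GetQuery("branch"); ok { branch = util.EscapeValue(v) }`; GetBadge continues outside the hunk.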
@@ -9,17 +9,14 @@ import ( "net/http" "strconv" - "github.com/go-vela/server/router/middleware/org" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" "github.com/go-vela/server/util" - "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -305,7 +302,7 @@ func GetDeployment(c *gin.Context) { o := org.Retrieve(c) r := repo.Retrieve(c) u := user.Retrieve(c) - deployment := c.Param("deployment") + deployment := util.PathParameter(c, "deployment") entry := fmt.Sprintf("%s/%s", r.GetFullName(), deployment) diff --git a/api/hook.go b/api/hook.go index 76af6f11f..29a1ffae9 100644 --- a/api/hook.go +++ b/api/hook.go @@ -10,17 +10,14 @@ import ( "strconv" "time" + "github.com/gin-gonic/gin" + "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/org" + "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" - - "github.com/go-vela/server/database" - "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/util" - "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -305,7 +302,7 @@ func GetHook(c *gin.Context) { o := org.Retrieve(c) r := repo.Retrieve(c) u := user.Retrieve(c) - hook := c.Param("hook") + hook := util.PathParameter(c, "hook") entry := fmt.Sprintf("%s/%s", r.GetFullName(), hook) @@ -397,7 +394,7 @@ func UpdateHook(c *gin.Context) { o := org.Retrieve(c) r := repo.Retrieve(c) u := user.Retrieve(c) - hook := c.Param("hook") + hook := util.PathParameter(c, "hook") entry := fmt.Sprintf("%s/%s", r.GetFullName(), hook) 
@@ -544,7 +541,7 @@ func DeleteHook(c *gin.Context) { o := org.Retrieve(c) r := repo.Retrieve(c) u := user.Retrieve(c) - hook := c.Param("hook") + hook := util.PathParameter(c, "hook") entry := fmt.Sprintf("%s/%s", r.GetFullName(), hook) @@ -641,7 +638,7 @@ func RedeliverHook(c *gin.Context) { o := org.Retrieve(c) r := repo.Retrieve(c) u := user.Retrieve(c) - hook := c.Param("hook") + hook := util.PathParameter(c, "hook") entry := fmt.Sprintf("%s/%s", r.GetFullName(), hook) diff --git a/api/login.go b/api/login.go index 1aa816730..74ac91226 100644 --- a/api/login.go +++ b/api/login.go @@ -9,9 +9,9 @@ import ( "net/http" "net/url" - "github.com/go-vela/types" - "github.com/gin-gonic/gin" + "github.com/go-vela/server/util" + "github.com/go-vela/types" "github.com/sirupsen/logrus" ) @@ -43,8 +43,8 @@ func Login(c *gin.Context) { m := c.MustGet("metadata").(*types.Metadata) // capture query params - t := c.Request.FormValue("type") - p := c.Request.FormValue("port") + t := util.FormParameter(c, "type") + p := util.FormParameter(c, "port") // temp variable to hold redirect destination r := "" diff --git a/api/pipeline/output.go b/api/pipeline/output.go index c9adfbd97..46fcace56 100644 --- a/api/pipeline/output.go +++ b/api/pipeline/output.go @@ -9,6 +9,7 @@ import ( "strings" "github.com/gin-gonic/gin" + "github.com/go-vela/server/util" ) const ( @@ -20,7 +21,7 @@ const ( // request based off the output query parameter provided. If no output // query parameter is provided, then YAML is used by default. func writeOutput(c *gin.Context, value interface{}) { - output := c.DefaultQuery("output", outputYAML) + output := util.QueryParameter(c, "output", outputYAML) // format response body based off output query parameter switch strings.ToLower(output) { diff --git a/api/repo.go b/api/repo.go index 1a3c7a89a..b0347a489 100644 --- a/api/repo.go +++ b/api/repo.go 
@@ -11,18 +11,15 @@ import ( "strconv" "strings" - "github.com/go-vela/server/router/middleware/org" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" "github.com/go-vela/server/util" - "github.com/go-vela/types/constants" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/google/uuid" "github.com/sirupsen/logrus" ) @@ -462,16 +459,16 @@ func GetRepos(c *gin.Context) { // of repos for an org from the configured backend. func GetOrgRepos(c *gin.Context) { // capture middleware values + o := org.Retrieve(c) u := user.Retrieve(c) - org := c.Param("org") // update engine logger with API metadata // // https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Entry.WithFields logrus.WithFields(logrus.Fields{ - "org": org, + "org": o, "user": u.GetName(), - }).Infof("reading repos for org %s", org) + }).Infof("reading repos for org %s", o) // capture page query parameter if present page, err := strconv.Atoi(c.DefaultQuery("page", "1")) @@ -497,12 +494,12 @@ func GetOrgRepos(c *gin.Context) { perPage = util.MaxInt(1, util.MinInt(100, perPage)) // capture the sort_by query parameter if present - sortBy := c.DefaultQuery("sort_by", "name") + sortBy := util.QueryParameter(c, "sort_by", "name") // See if the user is an org admin to bypass individual permission checks - perm, err := scm.FromContext(c).OrgAccess(u, org) + perm, err := scm.FromContext(c).OrgAccess(u, o) if err != nil { - logrus.Errorf("unable to get user %s access level for org %s", u.GetName(), org) + logrus.Errorf("unable to get user %s access level for org %s", u.GetName(), o) } filters := map[string]string{} 
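Review bot: `o := org.Retrieve(c)` in the first GetOrgRepos hunk makes the handler depend on `org.Establish()` having run on this route, whereas the old `c.Param("org")` read the path directly; if the org-repos route is not wired with that middleware, `o` is presumably empty and both `OrgAccess(u, o)` (second hunk) and the repo queries run against an empty org, so the router registration should be checked together with this change. The same function still reads `page` via `c.DefaultQuery("page", "1")` (context line here) while `sort_by` and `active` go through `util.QueryParameter`; that is harmless because `strconv.Atoi` validates the integer, but a comment such as `// page/per_page are parsed with strconv.Atoi, so no escaping is needed` would stop the mix looking like an oversight. `sortBy` is handed to `GetOrgRepoList` in the following hunk; HTML escaping does not constrain it to a column name, so whether that function restricts it to a known set is outside this diff and worth confirming.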
@@ -511,12 +508,12 @@ func GetOrgRepos(c *gin.Context) { filters["visibility"] = "public" } - filters["active"] = c.DefaultQuery("active", "true") + filters["active"] = util.QueryParameter(c, "active", "true") // send API call to capture the total number of repos for the org - t, err := database.FromContext(c).GetOrgRepoCount(org, filters) + t, err := database.FromContext(c).GetOrgRepoCount(o, filters) if err != nil { - retErr := fmt.Errorf("unable to get repo count for org %s: %w", org, err) + retErr := fmt.Errorf("unable to get repo count for org %s: %w", o, err) util.HandleError(c, http.StatusInternalServerError, retErr) @@ -524,9 +521,9 @@ func GetOrgRepos(c *gin.Context) { } // send API call to capture the list of repos for the org - r, err := database.FromContext(c).GetOrgRepoList(org, filters, page, perPage, sortBy) + r, err := database.FromContext(c).GetOrgRepoList(o, filters, page, perPage, sortBy) if err != nil { - retErr := fmt.Errorf("unable to get repos for org %s: %w", org, err) + retErr := fmt.Errorf("unable to get repos for org %s: %w", o, err) util.HandleError(c, http.StatusInternalServerError, retErr) diff --git a/api/secret.go b/api/secret.go index ab293b58c..bb35c80f6 100644 --- a/api/secret.go +++ b/api/secret.go @@ -11,15 +11,13 @@ import ( "strings" "time" + "github.com/gin-gonic/gin" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" "github.com/go-vela/server/secret" "github.com/go-vela/server/util" - "github.com/go-vela/types/constants" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) 
@@ -83,10 +81,10 @@ import ( func CreateSecret(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") entry := fmt.Sprintf("%s/%s/%s", t, o, n) @@ -260,10 +258,10 @@ func CreateSecret(c *gin.Context) { func GetSecrets(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") var teams []string // get list of user's teams if type is shared secret and team is '*' @@ -428,11 +426,11 @@ func GetSecrets(c *gin.Context) { func GetSecret(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") - s := strings.TrimPrefix(c.Param("secret"), "/") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") + s := strings.TrimPrefix(util.PathParameter(c, "secret"), "/") entry := fmt.Sprintf("%s/%s/%s/%s", t, o, n, s) @@ -548,11 +546,11 @@ func GetSecret(c *gin.Context) { func UpdateSecret(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") - s := strings.TrimPrefix(c.Param("secret"), "/") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") + s := strings.TrimPrefix(util.PathParameter(c, "secret"), "/") entry := fmt.Sprintf("%s/%s/%s/%s", t, o, n, s) 
@@ -695,11 +693,11 @@ func UpdateSecret(c *gin.Context) { func DeleteSecret(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") - s := strings.TrimPrefix(c.Param("secret"), "/") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") + s := strings.TrimPrefix(util.PathParameter(c, "secret"), "/") entry := fmt.Sprintf("%s/%s/%s/%s", t, o, n, s) diff --git a/api/user.go b/api/user.go index 315514c34..87e0922f1 100644 --- a/api/user.go +++ b/api/user.go @@ -10,15 +10,13 @@ import ( "net/http" "strconv" + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/token" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" "github.com/go-vela/server/util" - "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/google/uuid" "github.com/sirupsen/logrus" ) @@ -355,7 +353,7 @@ func UpdateCurrentUser(c *gin.Context) { func GetUser(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - user := c.Param("user") + user := util.PathParameter(c, "user") // update engine logger with API metadata // @@ -528,7 +526,7 @@ func GetUserSourceRepos(c *gin.Context) { func UpdateUser(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - user := c.Param("user") + user := util.PathParameter(c, "user") // update engine logger with API metadata // @@ -625,7 +623,7 @@ func UpdateUser(c *gin.Context) { func DeleteUser(c *gin.Context) { // capture middleware values u := user.Retrieve(c) - user := c.Param("user") + user := util.PathParameter(c, "user") // update engine logger with API metadata // diff --git a/router/middleware/build/build.go b/router/middleware/build/build.go index 5b521bf36..87b25185b 100644 --- a/router/middleware/build/build.go 
+++ b/router/middleware/build/build.go @@ -9,15 +9,13 @@ import ( "net/http" "strconv" - "github.com/go-vela/server/router/middleware/org" - "github.com/go-vela/server/router/middleware/user" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" + "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/util" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -34,13 +32,13 @@ func Establish() gin.HandlerFunc { u := user.Retrieve(c) if r == nil { - retErr := fmt.Errorf("repo %s/%s not found", c.Param("org"), c.Param("repo")) + retErr := fmt.Errorf("repo %s/%s not found", util.PathParameter(c, "org"), util.PathParameter(c, "repo")) util.HandleError(c, http.StatusNotFound, retErr) return } - bParam := c.Param("build") + bParam := util.PathParameter(c, "build") if len(bParam) == 0 { retErr := fmt.Errorf("no build parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) diff --git a/router/middleware/executors/executors.go b/router/middleware/executors/executors.go index 87eeb248f..ac775ac27 100644 --- a/router/middleware/executors/executors.go +++ b/router/middleware/executors/executors.go @@ -7,19 +7,16 @@ package executors import ( "context" "encoding/json" + "fmt" "io/ioutil" + "net/http" "time" - "github.com/go-vela/types/library" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/build" "github.com/go-vela/server/util" - - "fmt" - "net/http" - - "github.com/gin-gonic/gin" + "github.com/go-vela/types/library" ) // Retrieve gets the executors in the given context. diff --git a/router/middleware/logger.go b/router/middleware/logger.go index 6e8506059..2d49023c6 100644 --- a/router/middleware/logger.go +++ b/router/middleware/logger.go 
@@ -7,15 +7,15 @@ package middleware import ( "time" - "github.com/go-vela/server/router/middleware/org" - "github.com/gin-gonic/gin" "github.com/go-vela/server/router/middleware/build" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/router/middleware/service" "github.com/go-vela/server/router/middleware/step" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/router/middleware/worker" + "github.com/go-vela/server/util" "github.com/sirupsen/logrus" ) @@ -31,7 +31,7 @@ func Logger(logger *logrus.Logger, timeFormat string, utc bool) gin.HandlerFunc return func(c *gin.Context) { start := time.Now() // some evil middlewares modify this values - path := c.Request.URL.Path + path := util.EscapeValue(c.Request.URL.Path) c.Next() @@ -45,13 +45,13 @@ func Logger(logger *logrus.Logger, timeFormat string, utc bool) gin.HandlerFunc // prevent us from logging the health endpoint if c.Request.URL.Path != "/health" { fields := logrus.Fields{ - "ip": c.ClientIP(), + "ip": util.EscapeValue(c.ClientIP()), "latency": latency, "method": c.Request.Method, "path": path, "status": c.Writer.Status(), - "user-agent": c.Request.UserAgent(), - "version": c.GetHeader("X-Vela-Version"), + "user-agent": util.EscapeValue(c.Request.UserAgent()), + "version": util.EscapeValue(c.GetHeader("X-Vela-Version")), } body := c.Value("payload") diff --git a/router/middleware/org/org.go b/router/middleware/org/org.go index 17b384234..153807e4b 100644 --- a/router/middleware/org/org.go +++ b/router/middleware/org/org.go @@ -5,12 +5,11 @@ package org import ( - "github.com/go-vela/server/util" - "fmt" "net/http" "github.com/gin-gonic/gin" + "github.com/go-vela/server/util" ) // Retrieve gets the org in the given context. 
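Review bot: HTML-entity encoding is the wrong neutralisation for the `ip`, `user-agent` and `version` log fields in the second Logger hunk: a User-Agent containing `"` or `'` is now recorded with `&quot;`/`&#39;`, which breaks exact-match and regex detection rules keyed on the raw header, while control characters other than CR/LF (ESC, backspace, the rest of C0) still pass through `util.EscapeValue` unchanged. A control-character strip (`strings.Map` dropping `unicode.IsControl` runes) or `strconv.Quote` on the field is the usual control here, and if the configured formatter is logrus's TextFormatter it already quotes values containing unsafe characters, so it is worth checking which formatter is in use before adding a second layer. `c.ClientIP()` is derived from forwarding headers according to gin's trusted-proxy configuration in current gin versions, so escaping it does not make it any more trustworthy; a comment such as `// ip may come from X-Forwarded-For when the peer is a trusted proxy; escaping only keeps it single-line` would make that explicit. The Logger closure starts and ends outside this hunk.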
@@ -21,7 +20,7 @@ func Retrieve(c *gin.Context) string { // Establish used to check if org param is used only. func Establish() gin.HandlerFunc { return func(c *gin.Context) { - oParam := c.Param("org") + oParam := util.PathParameter(c, "org") if len(oParam) == 0 { retErr := fmt.Errorf("no org parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) @@ -30,6 +29,7 @@ func Establish() gin.HandlerFunc { } ToContext(c, oParam) + c.Next() } } diff --git a/router/middleware/perm/perm.go b/router/middleware/perm/perm.go index 60056df9e..92a7e8687 100644 --- a/router/middleware/perm/perm.go +++ b/router/middleware/perm/perm.go @@ -9,17 +9,15 @@ import ( "net/http" "strings" + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/scm" "github.com/go-vela/server/util" - "github.com/go-vela/types/constants" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -52,10 +50,10 @@ func MustPlatformAdmin() gin.HandlerFunc { func MustSecretAdmin() gin.HandlerFunc { return func(c *gin.Context) { u := user.Retrieve(c) - e := c.Param("engine") - t := c.Param("type") - o := c.Param("org") - n := c.Param("name") + e := util.PathParameter(c, "engine") + t := util.PathParameter(c, "type") + o := util.PathParameter(c, "org") + n := util.PathParameter(c, "name") m := c.Request.Method // create log fields from API metadata diff --git a/router/middleware/pipeline/pipeline.go b/router/middleware/pipeline/pipeline.go index b4cdca1c4..c0b5e2790 100644 --- a/router/middleware/pipeline/pipeline.go +++ b/router/middleware/pipeline/pipeline.go 
@@ -31,14 +31,14 @@ func Establish() gin.HandlerFunc { u := user.Retrieve(c) if r == nil { - retErr := fmt.Errorf("repo %s/%s not found", c.Param("org"), c.Param("repo")) + retErr := fmt.Errorf("repo %s/%s not found", util.PathParameter(c, "org"), util.PathParameter(c, "repo")) util.HandleError(c, http.StatusNotFound, retErr) return } - p := c.Param("pipeline") + p := util.PathParameter(c, "pipeline") if len(p) == 0 { retErr := fmt.Errorf("no pipeline parameter provided") diff --git a/router/middleware/repo/repo.go b/router/middleware/repo/repo.go index 68b0cc24c..94d85a4c3 100644 --- a/router/middleware/repo/repo.go +++ b/router/middleware/repo/repo.go @@ -5,18 +5,16 @@ package repo import ( - "github.com/go-vela/server/router/middleware/org" - "github.com/go-vela/server/router/middleware/user" - "github.com/go-vela/types/library" - "github.com/sirupsen/logrus" - - "github.com/go-vela/server/database" - "github.com/go-vela/server/util" - "fmt" "net/http" "github.com/gin-gonic/gin" + "github.com/go-vela/server/database" + "github.com/go-vela/server/router/middleware/org" + "github.com/go-vela/server/router/middleware/user" + "github.com/go-vela/server/util" + "github.com/go-vela/types/library" + "github.com/sirupsen/logrus" ) // Retrieve gets the repo in the given context. @@ -30,7 +28,7 @@ func Establish() gin.HandlerFunc { o := org.Retrieve(c) u := user.Retrieve(c) - rParam := c.Param("repo") + rParam := util.PathParameter(c, "repo") if len(rParam) == 0 { retErr := fmt.Errorf("no repo parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) diff --git a/router/middleware/service/service.go b/router/middleware/service/service.go index 66adaa082..be36fb7b6 100644 --- a/router/middleware/service/service.go +++ b/router/middleware/service/service.go 
@@ -9,16 +9,14 @@ import ( "net/http" "strconv" - "github.com/go-vela/server/router/middleware/org" - "github.com/go-vela/server/router/middleware/user" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/build" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" + "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/util" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -37,20 +35,20 @@ func Establish() gin.HandlerFunc { u := user.Retrieve(c) if r == nil { - retErr := fmt.Errorf("repo %s/%s not found", o, c.Param("repo")) + retErr := fmt.Errorf("repo %s/%s not found", o, util.PathParameter(c, "repo")) util.HandleError(c, http.StatusNotFound, retErr) return } if b == nil { - retErr := fmt.Errorf("build %s not found for repo %s", c.Param("build"), r.GetFullName()) + retErr := fmt.Errorf("build %s not found for repo %s", util.PathParameter(c, "build"), r.GetFullName()) util.HandleError(c, http.StatusNotFound, retErr) return } - sParam := c.Param("service") + sParam := util.PathParameter(c, "service") if len(sParam) == 0 { retErr := fmt.Errorf("no service parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) diff --git a/router/middleware/step/step.go b/router/middleware/step/step.go index 1413cbf35..7dbd2d6c5 100644 --- a/router/middleware/step/step.go +++ b/router/middleware/step/step.go 
@@ -9,16 +9,14 @@ import ( "net/http" "strconv" - "github.com/go-vela/server/router/middleware/org" - "github.com/go-vela/server/router/middleware/user" - + "github.com/gin-gonic/gin" "github.com/go-vela/server/database" "github.com/go-vela/server/router/middleware/build" + "github.com/go-vela/server/router/middleware/org" "github.com/go-vela/server/router/middleware/repo" + "github.com/go-vela/server/router/middleware/user" "github.com/go-vela/server/util" "github.com/go-vela/types/library" - - "github.com/gin-gonic/gin" "github.com/sirupsen/logrus" ) @@ -37,20 +35,20 @@ func Establish() gin.HandlerFunc { u := user.Retrieve(c) if r == nil { - retErr := fmt.Errorf("repo %s/%s not found", o, c.Param("repo")) + retErr := fmt.Errorf("repo %s/%s not found", o, util.PathParameter(c, "repo")) util.HandleError(c, http.StatusNotFound, retErr) return } if b == nil { - retErr := fmt.Errorf("build %s not found for repo %s", c.Param("build"), r.GetFullName()) + retErr := fmt.Errorf("build %s not found for repo %s", util.PathParameter(c, "build"), r.GetFullName()) util.HandleError(c, http.StatusNotFound, retErr) return } - sParam := c.Param("step") + sParam := util.PathParameter(c, "step") if len(sParam) == 0 { retErr := fmt.Errorf("no step parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) diff --git a/router/middleware/worker/worker.go b/router/middleware/worker/worker.go index f4fc5e524..2f68b811f 100644 --- a/router/middleware/worker/worker.go +++ b/router/middleware/worker/worker.go @@ -5,15 +5,13 @@ package worker import ( - "github.com/go-vela/server/database" - "github.com/go-vela/types/library" - - "github.com/go-vela/server/util" - "fmt" "net/http" "github.com/gin-gonic/gin" + "github.com/go-vela/server/database" + "github.com/go-vela/server/util" + "github.com/go-vela/types/library" "github.com/sirupsen/logrus" ) 
@@ -25,7 +23,7 @@ func Retrieve(c *gin.Context) *library.Worker { // Establish sets the worker in the given context. func Establish() gin.HandlerFunc { return func(c *gin.Context) { - wParam := c.Param("worker") + wParam := util.PathParameter(c, "worker") if len(wParam) == 0 { retErr := fmt.Errorf("no worker parameter provided") util.HandleError(c, http.StatusBadRequest, retErr) diff --git a/util/util.go b/util/util.go index 6e7813807..24ac89b67 100644 --- a/util/util.go +++ b/util/util.go @@ -5,8 +5,10 @@ package util import ( - "github.com/gin-gonic/gin" + "html" + "strings" + "github.com/gin-gonic/gin" "github.com/go-vela/types" ) @@ -41,3 +43,30 @@ func MinInt(a, b int) int { return b } + +// FormParameter safely captures a form parameter from the context +// by removing any new lines and HTML escaping the value. +func FormParameter(c *gin.Context, parameter string) string { + return EscapeValue(c.Request.FormValue(parameter)) +} + +// QueryParameter safely captures a query parameter from the context +// by removing any new lines and HTML escaping the value. +func QueryParameter(c *gin.Context, parameter, value string) string { + return EscapeValue(c.DefaultQuery(parameter, value)) +} + +// PathParameter safely captures a path parameter from the context +// by removing any new lines and HTML escaping the value. +func PathParameter(c *gin.Context, parameter string) string { + return EscapeValue(c.Param(parameter)) +} + +// EscapeValue safely escapes any string by removing any new lines and HTML escaping it. +func EscapeValue(value string) string { + // replace all new lines in the value + escaped := strings.Replace(strings.Replace(value, "\n", "", -1), "\r", "", -1) + + // HTML escape the new line escaped value + return html.EscapeString(escaped) +}
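Review bot: `EscapeValue` strips only `\n` and `\r`, so other control characters that can forge or hide log content (ESC, backspace, the remaining C0 range) survive into every value the three new helpers return, and the nested `strings.Replace(..., -1)` calls read as `strings.NewReplacer("\n", "", "\r", "").Replace(value)` or two `strings.ReplaceAll` calls. The doc comments on `FormParameter`, `QueryParameter` and `PathParameter` should also state that the returned value is HTML-entity encoded and therefore not identical to the request value, because callers in this commit use the result as lookup keys; describing that contract once on `EscapeValue` and pointing the three helpers at it would be enough. A small rewrite below drops all control characters via `unicode.IsControl` (this needs `"unicode"` added to the import block; special-case `'\t'` if tabs must be preserved) and keeps the HTML escaping so existing callers are unaffected, leaving the separation of log sanitisation from HTML output encoding as a follow-up.
```go
// EscapeValue safely escapes any string by removing any new lines and HTML escaping it.
//
// The result is HTML-entity encoded (& < > " ' become entities), so it is
// suitable for logging or rendering but is not identical to the input.
func EscapeValue(value string) string {
	// drop CR/LF and every other control character so the value can neither
	// split a log record nor carry terminal escape sequences
	stripped := strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, value)

	// HTML escape the control-character-stripped value
	return html.EscapeString(stripped)
}
```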