adulau/hashlookup-server
1
0
Fork 0
mirror of https://github.com/adulau/hashlookup-server.git synced 2024-11-21 17:47:06 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: [api:bulk] add proper check of MD5 and SHA1 value before further processing

Browse source
This commit is contained in:
Alexandre Dulaunoy 2021-08-29 12:25:43 +02:00
parent a14e5aedf1
commit 4419052c4f
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD
1 changed files with 26 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
bin/server.py
View file

@ -25,6 +25,22 @@ def is_hex(s):
except ValueError: except ValueError:
return False return False
def check_md5(value=None):
if value is None or len(value) != 32:
return False
if not is_hex(value):
return False
k = value.upper()
return k
def check_sha1(value=None):
if value is None or len(value) != 40:
return False
if not is_hex(value):
return False
k = value.upper()
return k
def client_info(): def client_info():
if request.environ.get('HTTP_X_FORWARDED_FOR') is None: if request.environ.get('HTTP_X_FORWARDED_FOR') is None:
ip = request.environ['REMOTE_ADDR'] ip = request.environ['REMOTE_ADDR']
@ -59,11 +75,9 @@ def get_session():
@api.doc(description="Lookup MD5.") @api.doc(description="Lookup MD5.")
class lookup(Resource): class lookup(Resource):
def get(self, md5): def get(self, md5):
if md5 is None or len(md5) != 32: if check_md5(value=md5) is False:
return {'message': 'Expecting a MD5 hex value'}, 400 return {'message': 'MD5 value incorrect, expecting a MD5 value in hex format'}, 400
if not is_hex(md5): k = check_md5(value=md5)
return {'message': 'MD5 is not in hex format'}, 400
k = md5.upper()
ttl = False ttl = False
if session: if session:
ttl = get_session() ttl = get_session()
@ -110,11 +124,9 @@ class lookup(Resource):
@api.doc(description="Lookup SHA-1.") @api.doc(description="Lookup SHA-1.")
class lookup(Resource): class lookup(Resource):
def get(self, sha1): def get(self, sha1):
if sha1 is None or len(sha1) != 40: if check_sha1(value=sha1) is False:
return {'message': 'Expecting a SHA-1 hex value'}, 400 return {'message': 'SHA1 value incorrect, expecting a SHA1 value in hex format'}, 400
if not is_hex(sha1): k = check_sha1(value=sha1)
return {'message': 'SHA-1 is not in hex format'}, 400
k = sha1.upper()
ttl = False ttl = False
if session: if session:
ttl = get_session() ttl = get_session()
@ -182,6 +194,8 @@ class bulkmd5(Resource):
ret = [] ret = []
for val in json_data['hashes']: for val in json_data['hashes']:
k = val.upper() k = val.upper()
if check_md5(value=k) is False:
continue
if not rdb.exists("l:{}".format(k)): if not rdb.exists("l:{}".format(k)):
if stats_pubsub: if stats_pubsub:
pub_lookup(channel='nx', k=k) pub_lookup(channel='nx', k=k)
@ -204,6 +218,8 @@ class bulksha1(Resource):
ret = [] ret = []
for val in json_data['hashes']: for val in json_data['hashes']:
k = val.upper() k = val.upper()
if check_sha1(value=k) is False:
continue
if not rdb.exists("h:{}".format(k)): if not rdb.exists("h:{}".format(k)):
if stats_pubsub: if stats_pubsub:
pub_lookup(channel='nx', k=k) pub_lookup(channel='nx', k=k)