Add checks for illegal single quotes
diff --git a/api-gateway-config/scripts/lua/lib/redis.lua b/api-gateway-config/scripts/lua/lib/redis.lua
index c2df16e..4a88f24 100644
--- a/api-gateway-config/scripts/lua/lib/redis.lua
+++ b/api-gateway-config/scripts/lua/lib/redis.lua
@@ -409,17 +409,22 @@
-- res[3] format is "__keyspace@0__:resources:<tenantId>:<gatewayPath>"
local keyspacePrefix, resourcePrefix, tenant, gatewayPath = res[3]:match("([^,]+):([^,]+):([^,]+):([^,]+)")
local redisKey = utils.concatStrings({resourcePrefix, ":", tenant, ":", gatewayPath})
- local resourceObj = _M.getResource(redisGetClient, redisKey, REDIS_FIELD)
- if resourceObj == nil then
- logger.debug(utils.concatStrings({"Redis key deleted: ", redisKey}))
- local fileLocation = filemgmt.deleteResourceConf(BASE_CONF_DIR, tenant, ngx.escape_uri(gatewayPath))
- logger.debug(utils.concatStrings({"Deleted file: ", fileLocation}))
+ -- Don't allow single quotes in the gateway path
+ if string.match(gatewayPath, "'") then
+ logger.debug(utils.concatStrings({"Redis key \"", redisKey, "\" contains illegal character \"'\"."}))
else
- logger.debug(utils.concatStrings({"Redis key updated: ", redisKey}))
- local fileLocation = filemgmt.createResourceConf(BASE_CONF_DIR, tenant, ngx.escape_uri(gatewayPath), resourceObj)
- logger.debug(utils.concatStrings({"Updated file: ", fileLocation}))
+ local resourceObj = _M.getResource(redisGetClient, redisKey, REDIS_FIELD)
+ if resourceObj == nil then
+ logger.debug(utils.concatStrings({"Redis key deleted: ", redisKey}))
+ local fileLocation = filemgmt.deleteResourceConf(BASE_CONF_DIR, tenant, ngx.escape_uri(gatewayPath))
+ logger.debug(utils.concatStrings({"Deleted file: ", fileLocation}))
+ else
+ logger.debug(utils.concatStrings({"Redis key updated: ", redisKey}))
+ local fileLocation = filemgmt.createResourceConf(BASE_CONF_DIR, tenant, ngx.escape_uri(gatewayPath), resourceObj)
+ logger.debug(utils.concatStrings({"Updated file: ", fileLocation}))
+ end
+ redisUpdated = true
end
- redisUpdated = true
end
-- reload Nginx only if redis has been updated and it has been at least 1 second since last reload
local timeDiff = ngx.now() - startTime
diff --git a/api-gateway-config/scripts/lua/management.lua b/api-gateway-config/scripts/lua/management.lua
index 6859436..30972c2 100644
--- a/api-gateway-config/scripts/lua/management.lua
+++ b/api-gateway-config/scripts/lua/management.lua
@@ -119,7 +119,14 @@
if not object then
return false, { statusCode = 400, message = utils.concatStrings({"Missing field '", field, "' in request body."}) }
end
- -- Additional check f or tenantId
+ -- Additional check for basePath
+ if field == "basePath" then
+ local basePath = object
+ if string.match(basePath, "'") then
+ return false, { statusCode = 400, message = "basePath contains illegal character \"'\"." }
+ end
+ end
+ -- Additional check for tenantId
if field == "tenantId" then
local tenant = redis.getTenant(red, object)
if tenant == nil then
@@ -133,6 +140,10 @@
return false, { statusCode = 400, message = "Empty resources object." }
end
for path, resource in pairs(resources) do
+ -- Check resource path for illegal characters
+ if string.match(path, "'") then
+ return false, { statusCode = 400, message = "resource path contains illegal character \"'\"." }
+ end
-- Check that resource path begins with slash
if path:sub(1,1) ~= '/' then
return false, { statusCode = 400, message = "Resource path must begin with '/'." }
