From 308173ba5281de704aa1deab3625e59bfcf4b73a Mon Sep 17 00:00:00 2001
From: Guillaume Mazoyer
Date: Thu, 18 Feb 2016 10:57:58 +0100
Subject: Reject AS path regex containing ; and ".

An AS path regex will be considered as invalid if any of the ; and " characters are used. These characters could be used to inject arbitrary command due to the router command line interpretation.

This is a temporary fix for issue #13 while waiting for something better.
---
 includes/config.defaults.php | 2 +-
 includes/utils.php | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
(limited to 'includes')

diff --git a/includes/config.defaults.php b/includes/config.defaults.php
index 9b7defe..6473aa4 100644
--- a/includes/config.defaults.php
+++ b/includes/config.defaults.php
@@ -122,7 +122,7 @@ $config = array(
 'as-path-regex' => array(
 'command' => 'show route as-path-regex AS_PATH_REGEX',
 'description' => 'Show the routes matching the given AS path regular expression.',
- 'parameter' => 'The parameter must be a valid AS path regular expression.
Please note that these expression can change depending on the router and its software.

Here are some examples:
You may find some help with the following link:
'
+ 'parameter' => 'The parameter must be a valid AS path regular expression and must not contain any " characters (the input will be automatically quoted if needed).
Please note that these expressions can change depending on the router and its software.

Here are some examples:
You may find some help with the following link:
'
 ),
 // Documentation for the 'as' query
 'as' => array(
diff --git a/includes/utils.php b/includes/utils.php
index 96982ea..4dfe132 100644
--- a/includes/utils.php
+++ b/includes/utils.php
@@ -209,10 +209,22 @@ function match_as($as) {
 }

 function match_aspath_regex($aspath_regex) {
+ // Empty AS path regex
 if (empty($aspath_regex)) {
 return false;
 }

+ // AS path containing a ; (not a valid character)
+ if (strpos($aspath_regex, ';') !== false) {
+ return false;
+ }
+
+ // AS path containing a " (not a valid character, the string is automatically
+ // quoted if needed)
+ if (strpos($aspath_regex, '"') !== false) {
+ return false;
+ }
+
 // TODO: validate a regex with a regex?
 return true;
 }
--
cgit v1.2.3
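Review bot: The new help text on the `+ 'parameter'` line tells the user only that `"` is forbidden, while the companion change to match_aspath_regex in includes/utils.php rejects `;` as well, so a query containing `;` fails validation with no hint as to why. Suggest naming both characters: `'parameter' => 'The parameter must be a valid AS path regular expression and must not contain any ; or " characters (the input will be automatically quoted if needed).`. The enclosing `$config` array begins and ends outside the hunk.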
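Review bot: The two added `strpos` checks in match_aspath_regex form a deny-list of exactly two characters, yet the value is still substituted into `show route as-path-regex AS_PATH_REGEX` and handed to a router CLI, so any other character that CLI or its transport happens to treat specially still passes validation; the commit message itself describes this as temporary. An AS path regex only needs AS numbers, spaces and a small set of regex metacharacters, so an allow-list closes that gap and also resolves the `// TODO: validate a regex with a regex?` line: replace both checks with `if (preg_match('/^[0-9 _^$.*+?()\[\]{}|,-]+$/', $aspath_regex) !== 1) { return false; }` and widen the class only if a supported router is shown to need more. Separately, `empty()` on the first line treats the string `"0"` as empty, so a regex consisting of just `0` is rejected as blank rather than validated; `$aspath_regex === ''` is the precise test. The function body is entirely within the hunk.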