Add some default security

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@14407 d0543943-73ff-0310-b7d9-9358b9ac24b2
2009-07-29 04:39:14 +00:00 · 2009-07-29 04:39:14 +00:00 · a384b4865a
parent d2270fcedf
commit a384b4865a
6 changed files with 30 additions and 13 deletions
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/App.config
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/App.config
@ -1,10 +1,17 @@
 <?xml version="1.0"?>
 <configuration>
  <appSettings>
-    <add key="connectionString" value="DSN=easyroute;User=root;Password=;" />
+    <add key="connectionString" value="DSN=easyroute;User=root;Pwd=;" />
    <add key="defaultProfile" value="sofia/default"/>
    <add key="defaultGateway" value="192.168.1.1"/>
-    <!-- customQuery can be defined. Fields must be in the same order, and the number parameter must be %number% -->
-    <!-- <add key="customQuery" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;" /> -->
+    <!-- query can be changed, but fields must be in the same order, and the number parameter must be %number% -->
+    <add key="query" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;" />
+    
+    <!-- MySQL and other DBs improperly consider \ to be an escape character. easyroute will remove all backslashes from queries to be safe. 
+         if you can handle backlashes properly, set keepBackslashes to true. -->
+    <!-- <add key="keepBackslashes" value="false" -->
+    
+    <!-- To avoid other injections, the incoming number will remove characters matching this regex. Default [^0-9#\*] allows only digits, # and *.-->
+    <add key="numberRegexFilter" value="[^0-9#\*]" />
  </appSettings>
 </configuration>
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/EasyRoute.suo
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/EasyRoute.suo
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.dll
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.dll
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.dll.config
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.dll.config
@ -1,10 +1,17 @@
 <?xml version="1.0"?>
 <configuration>
  <appSettings>
-    <add key="connectionString" value="DSN=easyroute;User=root;Password=;" />
+    <add key="connectionString" value="DSN=easyroute;User=root;Pwd=;" />
    <add key="defaultProfile" value="sofia/default"/>
    <add key="defaultGateway" value="192.168.1.1"/>
-    <!-- customQuery can be defined. Fields must be in the same order, and the number parameter must be %number% -->
-    <!-- <add key="customQuery" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;" /> -->
+    <!-- query can be changed, but fields must be in the same order, and the number parameter must be %number% -->
+    <add key="query" value="SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;" />
+    
+    <!-- MySQL and other DBs improperly consider \ to be an escape character. easyroute will remove all backslashes from queries to be safe. 
+         if you can handle backlashes properly, set keepBackslashes to true. -->
+    <!-- <add key="keepBackslashes" value="false" -->
+    
+    <!-- To avoid other injections, the incoming number will remove characters matching this regex. Default [^0-9#\*] allows only digits, # and *.-->
+    <add key="numberRegexFilter" value="[^0-9#\*]" />
  </appSettings>
 </configuration>
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.fs
@ -6,14 +6,15 @@ open FreeSWITCH
 type QueryResult = { dialstring: string; group: string; acctcode: string; limit: int; translated: string }

 module easyroute =
+    let defaultStr def = function null | "" -> def | s -> s
    let getAppSetting (name:string) = match Configuration.ConfigurationManager.AppSettings.Get name with null -> "" | x -> x
    let connString      = getAppSetting "connectionString"
    let defaultProfile  = getAppSetting "defaultProfile"
    let defaultGateway  = getAppSetting "defaultGateway"
-    let query = match getAppSetting "customQuery" with
-                | "" -> "SELECT gateways.gateway_ip, gateways.group, gateways.limit, gateways.techprofile, numbers.acctcode, numbers.translated from gateways, numbers where numbers.number = %number% and numbers.gateway_id = gateways.gateway_id;"
-                | x  -> x            
+    let query = getAppSetting "query"
    let configOk = [ connString; defaultProfile; defaultGateway; query; ] |> List.forall (String.IsNullOrEmpty >> not)
+    let keepBackslashes = defaultStr "false" (getAppSetting "keepBackslashes") = "true"
+    let numberRegexFilter = defaultStr "[^0-9#]" (getAppSetting "numberRegexFilter")
                
    let formatDialstring number gateway profile separator = 
        match separator with 
@ -25,19 +26,21 @@ module easyroute =
        limit = 9999; group = ""; acctcode = ""; translated = number; }
        
    let readResult (r: IDataReader) number sep =
-        let defString def = function null | "" -> def | s -> s
-        let gw          = defString defaultGateway <| r.GetString(0)
+        let gw          = defaultStr defaultGateway <| r.GetString(0)
        let group       = r.GetString(1)
        let limit       = match r.GetInt32(2) with 0 -> 9999 | x -> x
-        let profile     = defString defaultProfile <| r.GetString(3)
+        let profile     = defaultStr defaultProfile <| r.GetString(3)
        let acctcode    = r.GetString(4)
        let translated  = r.GetString(5)
        let dialstring = formatDialstring number gw profile sep
        { dialstring = dialstring; limit = limit; group = group; acctcode = acctcode; translated = translated; }

+    let regexOpts = Text.RegularExpressions.RegexOptions.Compiled ||| Text.RegularExpressions.RegexOptions.CultureInvariant
    let lookup (number: string) sep =
        try
-            let query = query.Replace("%number%", sprintf "'%s'" (number.Replace(@"\'", "'").Replace("'", "''"))) // Don't use params cause some odbc drivers are awesome
+            let number = if numberRegexFilter = "" then number else Text.RegularExpressions.Regex.Replace(number, numberRegexFilter, "", regexOpts)
+            let number = if keepBackslashes        then number else number.Replace("\\", "") 
+            let query = query.Replace("%number%", sprintf "'%s'" (number.Replace("'", "''"))) // Don't use params cause some odbc drivers are awesome
            Log.WriteLine(LogLevel.Debug, "EasyRoute query prepared: {0}", query)
            use conn = new Odbc.OdbcConnection(connString)
            use comm = new Odbc.OdbcCommand(query, conn)
--- a/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.pdb
+++ b/src/mod/languages/mod_managed/managed/examples/easyroute/easyroute.pdb