ensure request ids contain alphanumerics,dashes,underscores

topherbullock · topherbullock · commit 3661b11c9d26 · 2025-10-27T11:51:47.000-04:00
prevent potential for XSS by rejecting ids with special characters
diff --git a/lib/json_rpc_handler.rb b/lib/json_rpc_handler.rb
@@ -17,6 +17,8 @@ class ErrorCode
     ParseError = -32700
   end
 
+  ALLOWED_ID_CHARACTERS = /\A[a-zA-Z0-9_-]+\z/.freeze
+
   module_function
 
   def handle(request, &method_finder)
@@ -67,7 +69,7 @@ def process_request(request, &method_finder)
 
     error = case
       when !valid_version?(request[:jsonrpc]) then 'JSON-RPC version must be 2.0'
-      when !valid_id?(request[:id]) then 'Request ID must be a string or an integer or null'
+      when !valid_id?(request[:id]) then 'Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null'
       when !valid_method_name?(request[:method]) then 'Method name must be a string and not start with "rpc."'
     end
 
@@ -115,8 +117,12 @@ def valid_version?(version)
     version == Version::V2_0
   end
 
+
   def valid_id?(id)
-    id.is_a?(String) || id.is_a?(Integer) || id.nil?
+    return true if id.nil? || id.is_a?(Integer)
+    return false unless id.is_a?(String)
+
+    id.match?(ALLOWED_ID_CHARACTERS)
   end
 
   def valid_method_name?(method)
diff --git a/test/json_rpc_handler_test.rb b/test/json_rpc_handler_test.rb
@@ -90,9 +90,9 @@
     #   The Server MUST reply with the same value in the Response object if included. This member is used to correlate the
     #   context between the two objects.
 
-    it "returns a response with the same request id when the id is a string" do
+    it "returns a response with the same request id when the id is a valid string" do
       register("add") { |params| params[:a] + params[:b] }
-      id = "rpc-call-42"
+      id = "request-123_abc"
 
       handle jsonrpc: "2.0", id:, method: "add", params: { a: 1, b: 2 }
 
@@ -116,7 +116,67 @@
       assert_rpc_error expected_error: {
         code: -32600,
         message: "Invalid Request",
-        data: "Request ID must be a string or an integer or null",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
+      }
+    end
+
+    it "accepts string id with alphanumerics, dashes, and underscores" do
+      register("add") { |params| params[:a] + params[:b] }
+      id = "request-123_ABC"
+
+      handle jsonrpc: "2.0", id:, method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_success expected_result: 3
+      assert_equal id, @response[:id]
+    end
+
+    it "accepts UUID format strings" do
+      register("add") { |params| params[:a] + params[:b] }
+      id = "550e8400-e29b-41d4-a716-446655440000"
+
+      handle jsonrpc: "2.0", id:, method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_success expected_result: 3
+      assert_equal id, @response[:id]
+    end
+
+    it "returns an error when request id contains HTML content (XSS prevention)" do
+      handle jsonrpc: "2.0", id: "<script>alert('xss')</script>", method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_error expected_error: {
+        code: -32600,
+        message: "Invalid Request",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
+      }
+    end
+
+    it "returns an error when request id contains spaces" do
+      handle jsonrpc: "2.0", id: "request 123", method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_error expected_error: {
+        code: -32600,
+        message: "Invalid Request",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
+      }
+    end
+
+    it "returns an error when request id contains special characters" do
+      handle jsonrpc: "2.0", id: "request@123", method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_error expected_error: {
+        code: -32600,
+        message: "Invalid Request",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
+      }
+    end
+
+    it "returns an error when request id is an empty string" do
+      handle jsonrpc: "2.0", id: "", method: "add", params: { a: 1, b: 2 }
+
+      assert_rpc_error expected_error: {
+        code: -32600,
+        message: "Invalid Request",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
       }
     end
 
@@ -126,7 +186,7 @@
       assert_rpc_error expected_error: {
         code: -32600,
         message: "Invalid Request",
-        data: "Request ID must be a string or an integer or null",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
       }
     end
 
@@ -250,7 +310,7 @@
       assert_rpc_error expected_error: {
         code: -32600,
         message: "Invalid Request",
-        data: "Request ID must be a string or an integer or null",
+        data: "Request ID must contain only alphanumerics, dashes, or underscores, or be an integer or null",
       }
       assert_nil @response[:id]
     end
