✨ Sanitize plugins uuid parsing

2025-05-31 13:46:16 +02:00 · 2025-04-11 12:21:36 +02:00 · 2025-04-11 12:21:36 +02:00 · 38e5c161e7
commit 38e5c161e7
parent a7c1f7ba69
5 changed files with 17 additions and 8 deletions
--- a/common/src/app/common/uuid.cljc
+++ b/common/src/app/common/uuid.cljc
@ -17,9 +17,14 @@
           java.util.UUID
           java.nio.ByteBuffer)))

+(def ^:private uuid-regex
+  #"^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]-[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]-[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]-[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]-[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]$")
+
 (defn uuid
  "Creates an UUID instance from string, expectes valid uuid strings,
-  the existense of validation is implementation detail"
+  the existense of validation is implementation detail.
+
+  UNSAFE: this can accept invalid uuids or incomplete uuids"
  [s]
  #?(:clj (UUID/fromString s)
     :cljs (c/uuid s)))
@ -27,8 +32,13 @@
 (defn parse
  "Parse string uuid representation into proper UUID instance, validates input"
  [s]
-  #?(:clj (UUID/fromString s)
-     :cljs (c/parse-uuid s)))
+  (if (and (string? s) ^boolean (re-matches uuid-regex s))
+    #?(:clj (UUID/fromString s)
+       :cljs (uuid s))
+
+    (let [message (str "invalid string '" s "' for uuid")]
+      (throw #?(:clj  (IllegalArgumentException. message)
+                :cljs (js/Error. message))))))

 (defn next
  []
--- a/frontend/src/app/main/ui/dashboard/sidebar.cljs
+++ b/frontend/src/app/main/ui/dashboard/sidebar.cljs
@ -283,8 +283,7 @@
         (fn [event]
           (let [team-id (-> (dom/get-current-target event)
                             (dom/get-data "value")
-                             (uuid/parse))]
-
+                             (uuid/uuid))]
             (st/emit! (dcm/go-to-dashboard-recent :team-id team-id)))))

        handle-select-default
--- a/frontend/src/app/plugins/library.cljs
+++ b/frontend/src/app/plugins/library.cljs
@ -969,7 +969,7 @@

             :else
             (let [file-id (:current-file-id @st/state)
-                   library-id (uuid/uuid library-id)]
+                   library-id (uuid/parse library-id)]
               (->> st/stream
                    (rx/filter (ptk/type? ::dwl/attach-library-finished))
                    (rx/take 1)
--- a/frontend/src/app/plugins/page.cljs
+++ b/frontend/src/app/plugins/page.cljs
@ -160,7 +160,7 @@
        (u/display-not-valid :getShapeById shape-id)

        :else
-        (let [shape-id (uuid/uuid shape-id)
+        (let [shape-id (uuid/parse shape-id)
              shape (u/locate-shape file-id id shape-id)]
          (when (some? shape)
            (shape/shape-proxy plugin-id file-id id shape-id)))))
--- a/frontend/src/app/plugins/parser.cljs
+++ b/frontend/src/app/plugins/parser.cljs
@ -13,7 +13,7 @@

 (defn parse-id
  [id]
-  (when id (uuid/uuid id)))
+  (when id (uuid/parse id)))

 (defn parse-keyword
  [kw]