Skip to content

[6.28] [http] sanitize URL options before use them#22363

Merged
linev merged 6 commits into
root-project:v6-28-00-patchesfrom
linev:http_sanity_628
May 21, 2026
Merged

[6.28] [http] sanitize URL options before use them#22363
linev merged 6 commits into
root-project:v6-28-00-patchesfrom
linev:http_sanity_628

Conversation

@linev
Copy link
Copy Markdown
Member

@linev linev commented May 21, 2026

Backport of #22186

linev added 5 commits May 21, 2026 07:54
@linev
[http] cleanup URL option before usage
54c1fcd 
Remove any special symbols
Add escape characters for quote and escape itself
Discard all URL options longer than 1K

Try to avoid manipulation of arguments for method execution
@linev
[http] cleanup draw option in image production
ae07669 
Avoid special characters as draw arguments
@linev
[http] strictly check arguments in ProduceExe
ace4d24 
Always use DecodeUrlOptionValue method when processing URL arguments
or URL string. Internally method provides escape symbols for quotes and backslash.
If expecting numeric value - remove all symbols
keeping alphanumeric, '.', '+', '-' and ':'
@linev
[http] introduce fAllowPostObject flag
78e0ebc 
It allows to deserialize post data as ROOT object when processing exe.json request.
While this can leads to arbitrary code loading and injection, disable this feature by default.
Can be enabled back with:
 ```
serv->SetAllowPostObject(kTRUE);
```
@linev
[http] analyze arguments of cmd.json
e473667 
While here arbitrary string injected into ProcessLine,
ensure that only numeric argument is not quoted.
All other arguments kinds will be quoted and prevent execution of potentially dangerous code
@linev linev requested a review from bellenot as a code owner May 21, 2026 05:55
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026
edited
Loading

Test Results

    4 files      4 suites   13h 30m 46s ⏱️
2 431 tests 2 431 ✅ 0 💤 0 ❌
9 597 runs  9 597 ✅ 0 💤 0 ❌

Results for commit 518009f.

♻️ This comment has been updated with latest results.

@linev linev force-pushed the http_sanity_628 branch 2 times, most recently from 32d1371 to 6c2dc21 Compare May 21, 2026 06:20
@linev
[test] add ROOT sniffer testing
518009f 
Verify execution of several supported requests
which can be handled by http server. Testing:
   - root.json
   - root.xml
   - file.root
   - exe.json
   - exe.json with POST data
   - item.json
   - cmd.json
   - multi.json

Also verify basic functionality of
TRootSniffer::DecodeUrlOptionValue method
@linev linev force-pushed the http_sanity_628 branch from 6c2dc21 to 518009f Compare May 21, 2026 07:06
@linev linev merged commit 9424dcb into root-project:v6-28-00-patches May 21, 2026
6 of 8 checks passed
@linev linev deleted the http_sanity_628 branch May 21, 2026 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bellenot bellenot Awaiting requested review from bellenot bellenot is a code owner

Assignees

@linev linev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@linev