[Geoserver-devel] Input Validation

Hi Folks,
So I’ve finally joined this one too.

I joined specifically because I have a security concern with regards to input validation. First and foremost: I’m not a security expert or even close but I have one or two of the basics down.

As a result of http://jira.codehaus.org/browse/GEOS-5556 - I’ve done some checking of other inputs and it seems quite a lot don’t have any input validation.
The list of ones I’ve tested that gave bad results (a Java Error) so far:

http://wppgeog3:8082/geoserver/wfs?service=wfs&version=pies

java.util.IllegalFormatConversionException: d != java.lang.String d != java.lang.String


The following three are based on: http://wppgeog3:8082/geoserver/wfs?service=wfs&request=GetFeature&version=2

“typeName=” (blank typename):
java.lang.ArrayStoreException
at org.eclipse.emf.common.util.BasicEList.assign(BasicEList.java:124)


&propertyName=39292
java.lang.RuntimeException: java.io.IOException java.io.IOException null ORA-00936: missing expression


BBOX=pies,40.212597,-72.361859,41.512517,

java.lang.IllegalArgumentException: Bounding box coordinate 0 is not parsable:pies Bounding box coordinate 0 is not parsable:pies


This URL is basically just a copied one from demo requests for the mathgetfeature. I just changed the layer.

http://wppgeog3:8082/geoserver/wfs?request=GetFeature&version=2&typeName=Test_DB:OS_CODEPOINT_WSHIRE&formatName=GML2&FILTER=%3Cogc:Filter%20xmlns:ogc=%22http://www.opengis.net/ogc%22%3E%3Cogc:PropertyIsGreaterThan%3E%3Cogc:Div%3E%3Cogc:PropertyName%3EMANUAL%3C/ogc:PropertyName%3E%3Cogc:PropertyName%3EWORKERS%3C/ogc:PropertyName%3E%3C/ogc:Div%3E%3Cogc:Literal%3E0.25%3C/ogc:Literal%3E%3C/ogc:PropertyIsGreaterThan%3E%3C/ogc:Filter%3E

java.lang.IllegalArgumentException: Property 'MANUAL' could not be found in OS_CODEPOINT_WSHIRE Property 'MANUAL' could not be found in OS_CODEPOINT_WSHIRE


change the above “manual” to -9999 and get:

java.lang.ClassCastException: java.lang.Double cannot be cast to org.opengis.feature.type.AttributeDescriptor java.lang.Double cannot be cast to org.opengis.feature.type.AttributeDescriptor


Change “formatName” to anything (i.e. “CSV”, “-999”, “pies”, “GML7”) and it gets ignored, no error.


“&filter=bad”
org.xml.sax.SAXParseException: Content is not allowed in prolog. Content is not allowed in prolog


&filter=%3Cogc:filter%20/%3E (I entered this as: “&filter=<ogc:filter />” )
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 Index: 0, Size: 0

That’s with just 10-15 minutes of fiddling, but I think it conveys the point. I’ve looked at the code for one or two of them (i.e. the count=0 one) and it does look like the point that’s producing the error isn’t a validation point.

So what’s the GeoServer policy on input validation?

Cheers,
Jonathan

This transmission is intended for the named addressee(s) only and may contain sensitive or protectively marked material up to RESTRICTED and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately. All email traffic sent to or from us, including without limitation all GCSX traffic, may be subject to recording and/or monitoring in accordance with relevant legislation.