limit input size

Author: henrythasler

src/tileserver.ts

@@ -21,8 +21,8 @@ export class Log {
         this.loglevel = level;
     }
 
-    show(msg: any, level: number) {
-        if (level <= this.loglevel) console.log(msg);
+    show(msg: string, level: number) {
+        if (level <= this.loglevel) console.log(msg.replace(/\n|\r/g, ""));
     }
 }
 
@@ -103,6 +103,10 @@ export class Tileserver {
      * @return a tile for subsequent use or null if no valid Tile could be extracted. 
      */
     extractTile(path: string): Tile | null {
+        if (path.length > 1000) {
+            this.log.show(`extractTile(): input path length exceeds limit`, LogLevels.ERROR);
+            return null;
+        }
         const tile: Tile = { x: 0, y: 0, z: 0 };
         const tilepath: RegExpMatchArray | null = path.match(/\d+\/\d+\/\d+(?=\.mvt\b)/g);
         if (tilepath) {
@@ -121,6 +125,10 @@ export class Tileserver {
      * @return the name of the source if found
      */
     extractSource(path: string): string | null {
+        if (path.length > 1000) {
+            this.log.show(`extractSource(): input path length exceeds limit`, LogLevels.ERROR);
+            return null;
+        }
         // match the last word between slashes before the actual tile (3-numbers + extension)
         const sourceCandidates: RegExpMatchArray | null = path.match(/(?!\/)\w+(?=\/\d+\/\d+\/\d+\.mvt\b)/g)
         if (sourceCandidates != null && sourceCandidates.length > 0) {
@@ -352,7 +360,7 @@ export class Tileserver {
                 const error: Error = _e as Error;
                 mvt.res = -4;
                 mvt.status = `[ERROR] - Database error: ${error.message}`;
-                this.log.show(error, LogLevels.ERROR);
+                this.log.show(error.message, LogLevels.ERROR);
                 return mvt;
             }
         }
@@ -365,7 +373,7 @@ export class Tileserver {
             data = Buffer.from("");
         }
 
-        this.log.show(data, LogLevels.TRACE);
+        this.log.show(data.toString("base64"), LogLevels.TRACE);
 
         const uncompressedBytes = data.byteLength;
         if (this.gzip) mvt.data = await asyncgzip(data) as Buffer;

test/parser.test.ts

@@ -35,11 +35,16 @@ describe("Parsing functions", function () {
         let tile: Tile | null = tileserver.extractTile("foo");
         expect(tile).to.be.null;
     });
-    it("extractTile negative #3 - invalid extension", function () {
+    it("extractTile negative #4 - invalid extension", function () {
         let tile: Tile | null = tileserver.extractTile("/local/14/8691/5677.mvtinvalid");
         expect(tile).to.be.null;
     });
-        
+    it("extractTile negative #5 - oversized input", function () {
+        const longString = '9'.repeat(1024);
+        let tile: Tile | null = tileserver.extractTile(longString);
+        expect(tile).to.be.null;
+    });
+
 
     it("extractSource regular #1 - simple path", function () {
         let source: string | null = tileserver.extractSource("/local/0/0/0.mvt");
@@ -58,6 +63,11 @@ describe("Parsing functions", function () {
         let source: string | null = tileserver.extractSource("foo");
         expect(source).to.be.null;
     });
+    it("extractSource negative #3 - input length limit exceeded", function () {
+        const longString = '9'.repeat(1024);
+        let source: string | null = tileserver.extractSource(longString);
+        expect(source).to.be.null;
+    });    
     it("extractSource SQL-Injection #1 - `select now()`", function () {
         let source: string | null = tileserver.extractSource("/select+now%28%29/0/0/0.mvt");
         expect(source).to.be.equal('29');