From e333ddfd539cc39ff69ae9fcf6447bbfa0336c0a Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Wed, 25 Oct 2023 14:33:45 +0200
Subject: [PATCH] Make sure room ids for dial-out are numeric.

---
 backend_server.go | 11 +++++++++++
 backend_server_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/backend_server.go b/backend_server.go
index 32efa16..1705f8e 100644
--- a/backend_server.go
+++ b/backend_server.go
@@ -36,6 +36,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"regexp"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -669,11 +670,21 @@ func returnDialoutError(status int, err *Error) (any, error) {
 	return response, nil
 }
 
+var checkNumeric = regexp.MustCompile(`^[0-9]+$`)
+
+func isNumeric(s string) bool {
+	return checkNumeric.MatchString(s)
+}
+
 func (b *BackendServer) startDialout(roomid string, backend *Backend, request *BackendServerRoomRequest) (any, error) {
 	if err := request.Dialout.ValidateNumber(); err != nil {
 		return returnDialoutError(http.StatusBadRequest, err)
 	}
 
+	if !isNumeric(roomid) {
+		return returnDialoutError(http.StatusBadRequest, NewError("invalid_roomid", "The room id must be numeric."))
+	}
+
 	var session *ClientSession
 	for s := range b.hub.dialoutSessions {
 		if s.GetClient() != nil {
diff --git a/backend_server_test.go b/backend_server_test.go
index e9d25bd..983924e 100644
--- a/backend_server_test.go
+++ b/backend_server_test.go
@@ -1760,3 +1760,32 @@ func TestBackendServer_StatsAllowedIps(t *testing.T) {
 		})
 	}
 }
+
+func Test_IsNumeric(t *testing.T) {
+	numeric := []string{
+		"0",
+		"1",
+		"12345",
+	}
+	nonNumeric := []string{
+		"",
+		" ",
+		" 0",
+		"0 ",
+		" 0 ",
+		"-1",
+		"1.2",
+		"1a",
+		"a1",
+	}
+	for _, s := range numeric {
+		if !isNumeric(s) {
+			t.Errorf("%s should be numeric", s)
+		}
+	}
+	for _, s := range nonNumeric {
+		if isNumeric(s) {
+			t.Errorf("%s should not be numeric", s)
+		}
+	}
+}
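Review bot: The new package-level `checkNumeric` and `isNumeric` in backend_server.go have no doc comment, and the contract the regex `^[0-9]+$` actually enforces is narrower than the name suggests: ASCII digits only, no sign or whitespace, but with no bound on length or leading zeros. Suggest `// isNumeric reports whether s consists solely of one or more ASCII digits (0-9); it does not bound the length or reject leading zeros.` above the function. Because an arbitrarily long digit string passes this check, any later conversion of the room id to an integer (not visible in this hunk) still has to handle its own parse/range error rather than assume the value fits. The `roomid` validation in `startDialout` is placed after `ValidateNumber`, so a request with both fields invalid reports the number first; that ordering is fine but is worth a one-line comment since both paths return `http.StatusBadRequest`. `startDialout`'s body continues past the end of the hunk.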
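Review bot: `Test_IsNumeric`'s `nonNumeric` table does not pin two properties the validator depends on: `^` and `$` without the `(?m)` flag anchor at text start and end, so `"1\n"` and `"1\n2"` must be rejected, and `[0-9]` in Go's RE2 syntax is ASCII-only, so a string of non-ASCII digits must be rejected too. Adding `"1\n"`, `"1\n2"` and one non-ASCII digit case (a constructed sample such as `"\u0661"`) to `nonNumeric` would lock in both against a future switch to `\p{Nd}` or `unicode.IsDigit`. Separately, `t.Errorf("%s should not be numeric", s)` prints the whitespace-only inputs `" "`, `" 0"` and `"0 "` indistinguishably on failure; `%q` in both `Errorf` calls would make the failing case readable.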