Make sure room ids for dial-out are numeric.

2024-04-27 11:41:52 +02:00 · 2023-10-25 14:33:45 +02:00 · 2023-10-25 14:33:45 +02:00 · e333ddfd53
parent fdb4d74dd6
commit e333ddfd53
2 changed files with 40 additions and 0 deletions
--- a/backend_server.go
+++ b/backend_server.go
@ -36,6 +36,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"regexp"
 	"strings"
 	"sync"
 	"sync/atomic"
@ -669,11 +670,21 @@ func returnDialoutError(status int, err *Error) (any, error) {
 	return response, nil
 }

+var checkNumeric = regexp.MustCompile(`^[0-9]+$`)
+
+func isNumeric(s string) bool {
+	return checkNumeric.MatchString(s)
+}
+
 func (b *BackendServer) startDialout(roomid string, backend *Backend, request *BackendServerRoomRequest) (any, error) {
 	if err := request.Dialout.ValidateNumber(); err != nil {
 		return returnDialoutError(http.StatusBadRequest, err)
 	}

+	if !isNumeric(roomid) {
+		return returnDialoutError(http.StatusBadRequest, NewError("invalid_roomid", "The room id must be numeric."))
+	}
+
 	var session *ClientSession
 	for s := range b.hub.dialoutSessions {
 		if s.GetClient() != nil {
--- a/backend_server_test.go
+++ b/backend_server_test.go
@ -1760,3 +1760,32 @@ func TestBackendServer_StatsAllowedIps(t *testing.T) {
 		})
 	}
 }
+
+func Test_IsNumeric(t *testing.T) {
+	numeric := []string{
+		"0",
+		"1",
+		"12345",
+	}
+	nonNumeric := []string{
+		"",
+		" ",
+		" 0",
+		"0 ",
+		" 0 ",
+		"-1",
+		"1.2",
+		"1a",
+		"a1",
+	}
+	for _, s := range numeric {
+		if !isNumeric(s) {
+			t.Errorf("%s should be numeric", s)
+		}
+	}
+	for _, s := range nonNumeric {
+		if isNumeric(s) {
+			t.Errorf("%s should not be numeric", s)
+		}
+	}
+}