Merge pull request #3115 from target/hardening-1

dev: hardening some of the dev tools and a few places in app code
target · Jun 22, 2023 · dc0e70f · dc0e70f
2 parents 3d31b1c + b67febb
commit dc0e70f
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 204 deletions.
diff --git a/devtools/configparams/run.go b/devtools/configparams/run.go
@@ -79,7 +79,7 @@ func ApplyConfigValues(cfg config.Config, vals []ConfigValueInput) (config.Confi
 		if v == "" {
 			return 0, nil
 		}
-		val, err := strconv.ParseInt(v, 10, 64)
+		val, err := strconv.ParseInt(v, 10, 32)
 		if err != nil {
 			return 0, validation.NewFieldError("\""+id+"\".Value", "integer value invalid: " + err.Error())
 		}

diff --git a/devtools/mockslack/oauthauthorize.go b/devtools/mockslack/oauthauthorize.go
diff --git a/devtools/mockslack/oauthauthorize.html b/devtools/mockslack/oauthauthorize.html
diff --git a/devtools/mockslack/server.go b/devtools/mockslack/server.go
@@ -43,7 +43,6 @@ func NewServer() *Server {
 	srv.mux.HandleFunc("/api/groups.create", srv.ServeGroupsCreate)
 	srv.mux.HandleFunc("/api/team.info", srv.ServeTeamInfo)
 	// TODO: history, leave, join
-	srv.mux.HandleFunc("/oauth/authorize", srv.ServeOAuthAuthorize)
 
 	srv.mux.HandleFunc("/stats", func(w http.ResponseWriter, req *http.Request) {
 		srv.state.mx.Lock()

diff --git a/devtools/mockslack/user.go b/devtools/mockslack/user.go
@@ -30,30 +30,3 @@ func (st *state) newUser(u User) User {
 
 	return u
 }
-
-func (st *state) addUserAppScope(userID, clientID string, scopes ...string) string {
-	st.mx.Lock()
-	defer st.mx.Unlock()
-
-	if st.users[userID].appTokens[clientID] == nil {
-		tok := &AuthToken{ID: st.gen.UserAccessToken(), User: userID, Scopes: scopes}
-		st.tokens[tok.ID] = tok
-		st.users[userID].appTokens[clientID] = tok
-
-		code := st.gen.TokenCode()
-		st.tokenCodes[code] = &tokenCode{AuthToken: tok, ClientID: clientID}
-		return code
-	}
-
-	tok := st.users[userID].appTokens[clientID]
-
-	for _, scope := range scopes {
-		if !contains(tok.Scopes, scope) {
-			tok.Scopes = append(tok.Scopes, scope)
-		}
-	}
-
-	code := st.gen.TokenCode()
-	st.tokenCodes[code] = &tokenCode{AuthToken: tok, ClientID: clientID}
-	return code
-}
diff --git a/devtools/procwrap/main.go b/devtools/procwrap/main.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"strings"
 	"sync"
 	"time"
 )
@@ -68,7 +69,27 @@ func handleStop(w http.ResponseWriter, req *http.Request) {
 
 func handleStart(w http.ResponseWriter, req *http.Request) {
 	_ = req.ParseForm()
-	start(req.Form["extra-arg"])
+	extraArgs := req.Form["extra-arg"]
+	if len(extraArgs) == 0 {
+		start(nil)
+		return
+	}
+
+	if len(extraArgs) != 2 {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+	if extraArgs[0] != "--experimental" {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+	flags := strings.Split(extraArgs[1], ",")
+	if extraArgs[1] == "" || len(flags) == 0 || len(flags) > 10 {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+
+	start([]string{"--experimental", strings.Join(flags, ",")})
 }
 
 func handleSignal(w http.ResponseWriter, req *http.Request) {

diff --git a/graphql2/mapconfig.go b/graphql2/mapconfig.go
diff --git a/schedule/oncallnotificationrule.go b/schedule/oncallnotificationrule.go
@@ -91,7 +91,7 @@ func (r *RuleID) UnmarshalText(data []byte) error {
 	if err != nil {
 		return err
 	}
-	i, err := strconv.ParseInt(string(data[37:]), 10, 64)
+	i, err := strconv.ParseInt(string(data[37:]), 10, 32)
 	if err != nil {
 		return err
 	}

diff --git a/web/src/app/util/query_param.js b/web/src/app/util/query_param.js
@@ -1,58 +1,23 @@
-const quoteRx = (s) => (s || '').replace(/[.?*+^$[\]\\(){}|-]/g, '\\$&')
-
 export function getParameterByName(name, url = global.location.href) {
-  name = name.replace(/[[\]]/g, '\\$&')
-  const rx = new RegExp('[?&]' + quoteRx(name) + '(=([^&#]*)|&|#|$)')
-  const m = rx.exec(url)
-  if (!m) return null
-  if (!m[2]) return ''
-
-  return decodeURIComponent(m[2].replace(/\+/g, ' '))
+  return new URL(url).searchParams.get(name)
 }
 
 // returns hash of all parameters with keys and values
 export function getAllParameters(url = global.location.href) {
-  // match and select any parameters in the url
-  const rx = /[?&](\w+)=(?:([^&#]*)|&|#|$)/
-
-  const queries = {}
-  // find the first match
-  let m = rx.exec(url)
-  while (m) {
-    // while we have a match
-    url = url.replace(m[0], '')
-    queries[m[1]] = decodeURIComponent(m[2].replace(/\+/g, ' '))
-    m = rx.exec(url) // find the next match
+  const q = {}
+  for (const [key, value] of new URL(url).searchParams) {
+    q[key] = value
   }
 
-  return queries
+  return q
 }
 
 // takes in a var name, var value, and optionally a url to read previous params from.
 // returns a string of the params and the maintained hash (DOES NOT RETURN THE PATH)
 export function setParameterByName(name, value, url = global.location.href) {
-  // fetch all current url queries
-  const queries = getAllParameters(url)
-
-  // set new value
-  queries[name] = encodeURIComponent(value)
-
-  // rebuild the url -- omit the parameter `name` if value is null
-  const queryList = Object.keys(queries)
-    .sort((a, b) => (a < b ? -1 : 1))
-    .filter((i) => !(value === null && i === name))
-    .map((query) => {
-      return query + '=' + queries[query]
-    })
-
-  // match against anything that is after the # in the address
-  const rx = /(#.*)/
-  const m = rx.exec(url)
-  let hash = ''
-  if (m) hash = m[1]
-  const newURL = '?' + queryList.join('&') + hash
-
-  return newURL
+  const u = new URL(url)
+  u.searchParams.set(name, value)
+  return u.toString()
 }
 
 // clears the parameter given from the current url