Skip to content

dispenser: add input validation#4713

Merged
algojohnlee merged 1 commit intoalgorand:masterfrom
algolucky:fix/dispenser
Nov 1, 2022
Merged

dispenser: add input validation#4713
algojohnlee merged 1 commit intoalgorand:masterfrom
algolucky:fix/dispenser

Conversation

@algolucky
Copy link
Copy Markdown
Contributor

@algolucky algolucky commented Oct 31, 2022
edited
Loading

Summary

  • adds some input validation to dispenser,
    • by first sanitizing the string to encode HTML tags
    • then a quick regular expression test to make sure it's at least something that resembles a wallet/address
  • moves the template to a separate file and embeds it instead
  • does some encoding on the server side to strip out any HTML tags
  • updates onload to use text() instead of html()

References

@algolucky algolucky requested a review from a team October 31, 2022 19:16
@algolucky algolucky self-assigned this Oct 31, 2022
@codecov
Copy link
Copy Markdown

codecov Bot commented Oct 31, 2022
edited
Loading

Codecov Report

Merging #4713 (456f0d9) into master (ab87a8a) will decrease coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #4713      +/-   ##
==========================================
- Coverage   54.49%   54.44%   -0.06%     
==========================================
  Files         407      407              
  Lines       52425    52425              
==========================================
- Hits        28569    28542      -27     
- Misses      21472    21492      +20     
- Partials     2384     2391       +7
Impacted Files Coverage Δ
ledger/voters.go 68.65% <0.00%> (-4.48%) ⬇️
network/wsPeer.go 66.50% <0.00%> (-2.67%) ⬇️
crypto/merkletrie/trie.go 66.42% <0.00%> (-2.19%) ⬇️
crypto/merkletrie/node.go 91.62% <0.00%> (-1.87%) ⬇️
ledger/catchpointtracker.go 61.84% <0.00%> (-1.05%) ⬇️
ledger/acctonline.go 77.60% <0.00%> (-0.53%) ⬇️
ledger/accountdb.go 72.69% <0.00%> (-0.32%) ⬇️
network/wsNetwork.go 65.52% <0.00%> (ø)
ledger/testing/randomAccounts.go 56.21% <0.00%> (ø)
ledger/acctupdates.go 69.89% <0.00%> (+0.29%) ⬆️
... and 4 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

excalq
excalq reviewed Oct 31, 2022
View reviewed changes
Comment thread cmd/dispenser/index.html.tpl Outdated
Copy link
Copy Markdown
Contributor

@excalq excalq Oct 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the curious: https://github.com/algorand/js-algorand-sdk/blob/master/src/encoding/address.ts#L10

excalq
excalq previously approved these changes Oct 31, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@excalq excalq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good on you for pulling this HTML template out of the server side code.

@algolucky
Copy link
Copy Markdown
Contributor Author

algolucky commented Oct 31, 2022

@excalq I mainly did it because it didn't like embeded backticks, but it's also cleaner.

@algolucky algolucky force-pushed the fix/dispenser branch 4 times, most recently from 25d3702 to 7fba75f Compare November 1, 2022 14:33
@algolucky algolucky marked this pull request as ready for review November 1, 2022 14:52
@algojohnlee algojohnlee merged commit f37bb6e into algorand:master Nov 1, 2022
@Algo-devops-service Algo-devops-service mentioned this pull request Nov 1, 2022
Merged
@Algo-devops-service Algo-devops-service mentioned this pull request Nov 10, 2022
Closed
@Algo-devops-service Algo-devops-service mentioned this pull request Nov 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@onetechnical onetechnical onetechnical approved these changes

@egieseke egieseke Awaiting requested review from egieseke egieseke was automatically assigned from algorand/devops

@algobarb algobarb Awaiting requested review from algobarb algobarb was automatically assigned from algorand/devops

+2 more reviewers

@algojack algojack algojack approved these changes

@excalq excalq excalq left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@algolucky algolucky

Labels

Bug-Fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@algolucky @onetechnical @excalq @algojack @algojohnlee