Add checks for valid UUID

keepassxreboot · Sep 8, 2021 · 8997118 · 8997118
1 parent 2be370f
commit 8997118
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 13 deletions.
diff --git a/src/browser/BrowserAction.cpp b/src/browser/BrowserAction.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2020 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -22,6 +22,7 @@
 #include "BrowserShared.h"
 #include "config-keepassx.h"
 #include "core/Global.h"
+#include "core/Tools.h"
 
 #include <QJsonArray>
 #include <QJsonDocument>
@@ -52,7 +53,7 @@ namespace
         ERROR_KEEPASS_NO_LOGINS_FOUND = 15,
         ERROR_KEEPASS_NO_GROUPS_FOUND = 16,
         ERROR_KEEPASS_CANNOT_CREATE_NEW_GROUP = 17,
-        ERROR_KEEPASS_NO_UUID_PROVIDED = 18
+        ERROR_KEEPASS_NO_VALID_UUID_PROVIDED = 18
     };
 }
 
@@ -363,6 +364,10 @@ QJsonObject BrowserAction::handleSetLogin(const QJsonObject& json, const QString
     if (uuid.isEmpty()) {
         browserService()->addEntry(id, login, password, url, submitUrl, realm, group, groupUuid);
     } else {
+        if (!Tools::isValidUuid(uuid)) {
+            return getErrorReply(action, ERROR_KEEPASS_NO_VALID_UUID_PROVIDED);
+        }
+
         result = browserService()->updateEntry(id, uuid, login, password, url, submitUrl);
     }
 
@@ -493,6 +498,9 @@ QJsonObject BrowserAction::handleGetTotp(const QJsonObject& json, const QString&
     }
 
     const QString uuid = decrypted.value("uuid").toString();
+    if (!Tools::isValidUuid(uuid)) {
+        return getErrorReply(action, ERROR_KEEPASS_NO_VALID_UUID_PROVIDED);
+    }
 
     // Get the current TOTP
     const auto totp = browserService()->getCurrentTotp(uuid);
@@ -524,8 +532,8 @@ QJsonObject BrowserAction::handleDeleteEntry(const QJsonObject& json, const QStr
     }
 
     const auto uuid = decrypted.value("uuid").toString();
-    if (uuid.isEmpty()) {
-        return getErrorReply(action, ERROR_KEEPASS_NO_UUID_PROVIDED);
+    if (!Tools::isValidUuid(uuid)) {
+        return getErrorReply(action, ERROR_KEEPASS_NO_VALID_UUID_PROVIDED);
     }
 
     const auto result = browserService()->deleteEntry(uuid);
@@ -600,8 +608,8 @@ QString BrowserAction::getErrorMessage(const int errorCode) const
         return QObject::tr("No groups found");
     case ERROR_KEEPASS_CANNOT_CREATE_NEW_GROUP:
         return QObject::tr("Cannot create new group");
-    case ERROR_KEEPASS_NO_UUID_PROVIDED:
-        return QObject::tr("No UUID provided");
+    case ERROR_KEEPASS_NO_VALID_UUID_PROVIDED:
+        return QObject::tr("No valid UUID provided");
     default:
         return QObject::tr("Unknown error");
     }

diff --git a/src/browser/BrowserAction.h b/src/browser/BrowserAction.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2020 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by

diff --git a/src/browser/BrowserService.cpp b/src/browser/BrowserService.cpp
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 2013 Francois Ferrand
  *  Copyright (C) 2017 Sami Vänttinen <sami.vanttinen@protonmail.com>
- *  Copyright (C) 2020 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by

diff --git a/src/browser/BrowserService.h b/src/browser/BrowserService.h
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 2013 Francois Ferrand
  *  Copyright (C) 2017 Sami Vänttinen <sami.vanttinen@protonmail.com>
- *  Copyright (C) 2020 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by

diff --git a/src/core/Tools.cpp b/src/core/Tools.cpp
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 2012 Felix Geyer <debfx@fobos.de>
  *  Copyright (C) 2017 Lennart Glauer <mail@lennart-glauer.de>
- *  Copyright (C) 2017 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -317,6 +317,20 @@ namespace Tools
         return QUuid::fromRfc4122(QByteArray::fromHex(uuid.toLatin1()));
     }
 
+    bool isValidUuid(const QString& uuidStr)
+    {
+        if (uuidStr.isEmpty() || uuidStr.length() != 32 || !isHex(uuidStr.toLatin1())) {
+            return false;
+        }
+
+        const auto uuid = hexToUuid(uuidStr);
+        if (uuid.isNull() || uuid.version() == QUuid::VerUnknown) {
+            return false;
+        }
+
+        return true;
+    }
+
     QString envSubstitute(const QString& filepath, QProcessEnvironment environment)
     {
         QString subbed = filepath;

diff --git a/src/core/Tools.h b/src/core/Tools.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 2012 Felix Geyer <debfx@fobos.de>
- *  Copyright (C) 2017 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -40,6 +40,7 @@ namespace Tools
     bool checkUrlValid(const QString& urlField);
     QString uuidToHex(const QUuid& uuid);
     QUuid hexToUuid(const QString& uuid);
+    bool isValidUuid(const QString& uuidStr);
     QRegularExpression convertToRegex(const QString& string,
                                       bool useWildcards = false,
                                       bool exactMatch = false,

diff --git a/tests/TestTools.cpp b/tests/TestTools.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2017 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -88,3 +88,20 @@ void TestTools::testEnvSubstitute()
     QCOMPARE(Tools::envSubstitute("start/$EMPTY$$EMPTY$HOME/end", environment), QString("start/$/home/user/end"));
 #endif
 }
+
+void TestTools::testValidUuid()
+{
+    auto validUuid = Tools::uuidToHex(QUuid::createUuid());
+    auto nonValidUuid = "1234567890abcdef1234567890abcdef";
+    auto emptyUuid = QString();
+    auto shortUuid = validUuid.left(10);
+    auto longUuid = validUuid + "baddata";
+    auto nonHexUuid = Tools::uuidToHex(QUuid::createUuid()).replace(0, 1, 'p');
+
+    QVERIFY(Tools::isValidUuid(validUuid));
+    QVERIFY(not Tools::isValidUuid(nonValidUuid));
+    QVERIFY(not Tools::isValidUuid(emptyUuid));
+    QVERIFY(not Tools::isValidUuid(shortUuid));
+    QVERIFY(not Tools::isValidUuid(longUuid));
+    QVERIFY(not Tools::isValidUuid(nonHexUuid));
+}
diff --git a/tests/TestTools.h b/tests/TestTools.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2017 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2021 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -28,6 +28,7 @@ private slots:
     void testIsHex();
     void testIsBase64();
     void testEnvSubstitute();
+    void testValidUuid();
 };
 
 #endif // KEEPASSX_TESTTOOLS_H