[Asterisk-code-review] StatsD: Add user input validation to the application (asterisk[master])

Tyler Cambron asteriskteam at digium.com
Fri Oct 16 14:12:51 CDT 2015


Tyler Cambron has uploaded a new change for review.

  https://gerrit.asterisk.org/1445

Change subject: StatsD: Add user input validation to the application
......................................................................

StatsD: Add user input validation to the application

Added code to accept user input and validate it before
allowing it to be sent to the StatsD server.

ASTERISK-25419
Reported By: Ashley Sanders

Change-Id: I55c7ce44326a68ad6c5c1514b9575ac50f25bbc3
---
M apps/app_statsd.c
1 file changed, 107 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/45/1445/2

diff --git a/apps/app_statsd.c b/apps/app_statsd.c
index cf05419..81871d0 100644
--- a/apps/app_statsd.c
+++ b/apps/app_statsd.c
@@ -28,6 +28,9 @@
 
 #include "asterisk/module.h"
 #include "asterisk/logger.h"
+#include "asterisk/app.h"
+#include "asterisk/pbx.h"
+#include "asterisk/strings.h"
 
 /*** DOCUMENTATION
 	<application name="Statsd" language="en_US">
@@ -46,20 +49,120 @@
 			</parameter>
 		</syntax>
 		<description>
-			<para>This dialplan application sends statistics to the StatsD server
-			specified inside of <literal>statsd.conf</literal>.</para>
+			<para>This dialplan application sends statistics to the StatsD
+			server specified inside of <literal>statsd.conf</literal>.</para>
+			<variablelist>
+				<variable name="STATSDSTATUS">
+					<para>This indicates the status of the execution of the
+					Stasis application.</para>
+					<value name="PASSED">
+						All parameters passed to the StatsD application have
+						been verified.
+					</value>
+					<value name="INVALIDPARAMS">
+						A failure occurred from examining the parameters passed
+						to the StatsD application. This could result from an
+						empty metric_type, statistic_name or value field, or
+						from an invalid metric_type, statistic_name, or value
+						argument.
+					</value>
+				</variable>
+			</variablelist>
 		</description>
 	</application>
  ***/
 
 static const char app[] = "Statsd";
 
+/*Prototype for the validate_metric method.*/
+static int validate_metric(char* metric);
+
+/*Prototype for the validate_name method.*/
+static int validate_name(char* name);
+
+/*Prototype for the validate_value method.*/
+static int validate_value(char* value);
+
 static int statsd_exec(struct ast_channel *chan, const char *data)
 {
-	ast_log(LOG_NOTICE, "StatsD application callback is working!\n");
+	AST_DECLARE_APP_ARGS(args,
+			AST_APP_ARG(metric_type);
+			AST_APP_ARG(statistic_name);
+			AST_APP_ARG(value);
+	);
+
+	char *stats = ast_strdupa(data);
+	AST_STANDARD_APP_ARGS(args, stats);
+
+	/*Channel variable to check for emitting the proper user event.*/
+	pbx_builtin_setvar_helper(chan, "STATSDSTATUS", "");
+
+	/*If any of the validations fail, set the channel variable to FAILED.*/
+	if (validate_metric(args.metric_type) || validate_name(args.statistic_name)
+		|| validate_value(args.value)) {
+		pbx_builtin_setvar_helper(chan, "STATSDSTATUS", "INVALIDPARAMS");
+
+		return 1;
+	}
+
+	pbx_builtin_setvar_helper(chan, "STATSDSTATUS", "PASSED");
+
 	return 0;
 }
 
+/*Check to ensure the metric type is a valid metric type.*/
+static int validate_metric(char* metric)
+{
+	const char *valid_metrics[] = {"gauge","set","timer","counter"};
+
+	/*Check if metric field is blank*/
+	if (ast_strlen_zero(metric)) {
+		return 1;
+	} else {
+		int index;
+
+		for (index = 0; index < 4; index++)
+		{
+			/*If none of the valid metrics matched the given metric and the 
+			  entire list has been scanned, return a failure.*/
+			if((strcmp(valid_metrics[index], metric) == 0)) {
+				break;
+			} else if (index == 3) {
+				return 1;
+			}
+		}
+	}
+
+	return 0;
+}
+
+/*Check to ensure the statistic name is valid.*/
+static int validate_name(char* name) {
+	/*Check for an empty statistic name and the pipe (|) character, which is
+	  the only invalid character.*/
+	if ((ast_strlen_zero(name)) || (strstr(name, "|") != NULL)) {
+		return 1;
+	}
+
+	return 0;
+}
+
+/*Check to ensure the value is valid.*/
+static int validate_value(char* value) {
+	/*Check to ensure the value field is not empty and is a digit.*/
+	if (ast_strlen_zero(value)) {
+		return 1;
+	} else {
+		const char *num = value;
+		while (*num) {
+			if (isdigit(*num++) == 0) {
+				return 1;
+			}
+		}
+	}
+
+	return 0;
+}
 
 static int unload_module(void)
 {
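Review bot: `isdigit(*num++)` in validate_value passes a plain `char` to a ctype function; on targets where `char` is signed, any byte above 0x7F in the dialplan argument becomes a negative value, which is undefined behaviour for isdigit() (only EOF and `unsigned char` values are permitted), so the check should read `if (!isdigit((unsigned char)*num++)) {` — and since no `<ctype.h>` include appears in this diff, confirm one is reached through the headers above the hunk. validate_name rejects only `|`, but the StatsD wire format also treats `:` as the name/value separator and newline as the record separator, so a name carrying either would presumably corrupt the datagram the later sending code builds; worth confirming against that code (outside this diff) and extending the reject set. validate_metric hard-codes the table size as `4` and the last index as `3`, which silently breaks when another metric type is added; iterating to `ARRAY_LEN(valid_metrics)` (asterisk/utils.h) and returning 1 after the loop removes both magic numbers and the `else if (index == 3)` branch, as in the fence below. The documentation above refers to "the Stasis application" where "the StatsD application" is meant, and the comment at the validation branch says the variable is set to `FAILED` while the code sets `INVALIDPARAMS`.
```c
static int validate_metric(char* metric)
{
	const char *valid_metrics[] = {"gauge","set","timer","counter"};
	size_t index;

	if (ast_strlen_zero(metric)) {
		return 1;
	}

	/* Accept the metric only if it matches one of the known types. */
	for (index = 0; index < ARRAY_LEN(valid_metrics); index++) {
		if (strcmp(valid_metrics[index], metric) == 0) {
			return 0;
		}
	}

	return 1;
}
```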
@@ -71,4 +174,4 @@
 	return ast_register_application_xml(app, statsd_exec);
 }
 
-AST_MODULE_INFO_STANDARD_EXTENDED(ASTERISK_GPL_KEY, "Statsd Dialplan Application");
\ No newline at end of file
+AST_MODULE_INFO_STANDARD_EXTENDED(ASTERISK_GPL_KEY, "Statsd Dialplan Application");

-- 
To view, visit https://gerrit.asterisk.org/1445

Gerrit-MessageType: newchange
Gerrit-Change-Id: I55c7ce44326a68ad6c5c1514b9575ac50f25bbc3
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Tyler Cambron <tcambron at digium.com>


