fix: code vulnerabilitiies

reeshika-h · reeshika-h · commit 4dce8d316713 · 2025-03-19T16:17:28.000+05:30
diff --git a/lib/src/base_query.dart b/lib/src/base_query.dart
@@ -156,8 +156,9 @@ class BaseQuery {
   }
 
   void where(String fieldUid, QueryOperation queryOperation) {
-    if (fieldUid.isNotEmpty) {
-      switch(queryOperation.operationType) {
+    if (fieldUid.isNotEmpty && _isValidFieldUid(fieldUid) 
+    && _isValidQueryValue(queryOperation.value)) {
+      switch (queryOperation.operationType) {
         case QueryOperationType.Equals:
           parameter[fieldUid] = queryOperation.value;
           break;
@@ -191,4 +192,17 @@ class BaseQuery {
       }
     }
   }
+
+  bool _isValidFieldUid(String fieldUid) {
+    final validFieldUidPattern = RegExp(r'^[a-zA-Z0-9-_.]+$');
+    return validFieldUidPattern.hasMatch(fieldUid);
+  }
+
+  bool _isValidQueryValue(dynamic value) {
+    if (value is String) {
+      final validValuePattern = RegExp(r'^[a-zA-Z0-9-_.]+$');
+      return validValuePattern.hasMatch(value);
+    }
+    return true;
+  }
 }
diff --git a/lib/src/entry_queryable.dart b/lib/src/entry_queryable.dart
@@ -1,4 +1,4 @@
-// ignore_for_file: lines_longer_than_80_chars
+// ignore_for_file: lines_longer_than_80_chars, unnecessary_lambdas
 
 import 'package:contentstack/constant.dart';
 import 'package:contentstack/src/enums/include.dart';
@@ -8,6 +8,11 @@ import 'package:contentstack/src/enums/include_type.dart';
 class EntryQueryable {
   Map<String, Object?> parameter = <String, Object?>{};
 
+  //sanitize
+  String sanitizeInput(String input) {
+  return input.replaceAll(RegExp(r'[^a-zA-Z0-9-_.]'), '');
+}
+
   ///
   /// This method adds key and value to an Entry.
   /// [key] The key as string which needs to be added to an Entry
@@ -43,10 +48,7 @@ class EntryQueryable {
   ///
   void except(List<String> fieldUid) {
     if (fieldUid.isNotEmpty) {
-      final List referenceArray = [];
-      for (final item in fieldUid) {
-        referenceArray.add(item);
-      }
+      final List<String> referenceArray = fieldUid.map((item) => sanitizeInput(item)).toList();
       parameter['except[BASE][]'] = referenceArray.toString();
     }
   }
@@ -171,15 +173,15 @@ class EntryQueryable {
           case IncludeType.None:
             if (referenceFieldUid.runtimeType == List) {
               for (var uid in referenceFieldUid) {
-                referenceArray.add(uid);
+                referenceArray.add(sanitizeInput(uid));
               }
             } else if (referenceFieldUid.runtimeType == String) {
-              referenceArray.add(referenceFieldUid);
+              referenceArray.add(sanitizeInput(referenceFieldUid));
             }
 
             if (includeReferenceField.fieldUidList.isNotEmpty) {
               for (final item in includeReferenceField.fieldUidList) {
-                referenceArray.add(item);
+                referenceArray.add(sanitizeInput(item));
               }
             }
             parameter['include[]'] = referenceArray.toString();
@@ -188,7 +190,7 @@ class EntryQueryable {
             final Map<String, dynamic> referenceOnlyParam = <String, dynamic>{};
             if (includeReferenceField.fieldUidList.isNotEmpty) {
               for (final item in includeReferenceField.fieldUidList) {
-                referenceArray.add(item);
+                referenceArray.add(sanitizeInput(item));
               }
             }
             referenceOnlyParam[referenceFieldUid] = referenceArray;
@@ -199,7 +201,7 @@ class EntryQueryable {
             final Map<String, dynamic> referenceOnlyParam = <String, dynamic>{};
             if (includeReferenceField.fieldUidList.isNotEmpty) {
               for (final item in includeReferenceField.fieldUidList) {
-                referenceArray.add(item);
+                referenceArray.add(sanitizeInput(item));
               }
             }
             referenceOnlyParam[referenceFieldUid] = referenceArray;
@@ -262,10 +264,7 @@ class EntryQueryable {
   ///
   void only(List<String> fieldUid) {
     if (fieldUid.isNotEmpty) {
-      final List referenceArray = [];
-      for (final item in fieldUid) {
-        referenceArray.add(item);
-      }
+      final List<String> referenceArray = fieldUid.map((item) => sanitizeInput(item)).toList();
       parameter['only[BASE][]'] = referenceArray.toString();
     }
   }
diff --git a/lib/src/query_params.dart b/lib/src/query_params.dart
@@ -5,7 +5,8 @@ class URLQueryParams {
   // Appends a parameter to the query with received key.
   void append(String key, dynamic value) {
     if (value != null && value.toString().isNotEmpty) {
-      _values[key] = Uri.encodeQueryComponent(value.toString());
+      final sanitizedValue = _sanitizeInput(value.toString());
+      _values[key] = Uri.encodeQueryComponent(sanitizedValue);
     }
   }
 
@@ -18,20 +19,22 @@ class URLQueryParams {
   // * param1=value1&param2=value2
   @override
   String toString() {
-    String response = '';
-    _values.forEach((key, value) {
-      response += '$key=$value&';
-    });
-    return response.substring(0, response.isEmpty ? 0 : response.length - 1);
+    return _values.entries
+        .map((entry) => '${Uri.encodeQueryComponent(entry.key)}=${entry.value}')
+        .join('&');
   }
 
-  String toUrl(String urls) {
-    String updatedUrl;
-    if (urls.isNotEmpty && urls.endsWith('/')) {
-      updatedUrl = urls.substring(0, urls.length - 1);
-    } else {
-      updatedUrl = urls;
-    }
-    return '$updatedUrl?${toString()}';
+  String toUrl(String url) {
+    if (url.isEmpty) throw ArgumentError('URL cannot be empty');
+
+    final Uri parsedUri = Uri.parse(url);
+    final String normalizedUrl = parsedUri.normalizePath().toString();
+
+    return Uri.parse('$normalizedUrl?${toString()}').toString();
+  }
+
+  String _sanitizeInput(String input) {
+    final pattern = RegExp(r'[<>\"\;(){}]');
+    return input.replaceAll(pattern, '');
   }
 }
diff --git a/lib/src/stack.dart b/lib/src/stack.dart
@@ -463,8 +463,6 @@ class Stack {
       'authorization': headers!['authorization']!,
       'api_key': headers!['api_key']!,
     };
-
-  print('Request URL: $_url');
     await http.get(Uri.parse(_url), headers: _headers).then((response) {
       final Map bodyJson = json.decode(utf8.decode(response.bodyBytes));
       print(bodyJson);

Original file line number	Diff line number	Diff line change
`@@ -156,8 +156,9 @@ class BaseQuery {`
`156`	`156`	`}`
`157`	`157`
`158`	`158`	`void where(String fieldUid, QueryOperation queryOperation) {`
`159`		`- if (fieldUid.isNotEmpty) {`
`160`		`- switch(queryOperation.operationType) {`
	`159`	`+ if (fieldUid.isNotEmpty && _isValidFieldUid(fieldUid)`
	`160`	`+ && _isValidQueryValue(queryOperation.value)) {`
	`161`	`+ switch (queryOperation.operationType) {`
`161`	`162`	`case QueryOperationType.Equals:`
`162`	`163`	`parameter[fieldUid] = queryOperation.value;`
`163`	`164`	`break;`
`@@ -191,4 +192,17 @@ class BaseQuery {`
`191`	`192`	`}`
`192`	`193`	`}`
`193`	`194`	`}`
	`195`	`+`
	`196`	`+ bool _isValidFieldUid(String fieldUid) {`
	`197`	`+ final validFieldUidPattern = RegExp(r'^[a-zA-Z0-9-_.]+$');`
	`198`	`+ return validFieldUidPattern.hasMatch(fieldUid);`
	`199`	`+ }`
	`200`	`+`
	`201`	`+ bool _isValidQueryValue(dynamic value) {`
	`202`	`+ if (value is String) {`
	`203`	`+ final validValuePattern = RegExp(r'^[a-zA-Z0-9-_.]+$');`
	`204`	`+ return validValuePattern.hasMatch(value);`
	`205`	`+ }`
	`206`	`+ return true;`
	`207`	`+ }`
`194`	`208`	`}`