From ad8b6163ac49117864a1984ab49826acf3603847 Mon Sep 17 00:00:00 2001 From: stephb9959 Date: Mon, 15 Aug 2022 13:41:15 -0700 Subject: [PATCH] https://telecominfraproject.atlassian.net/browse/WIFI-10551 Signed-off-by: stephb9959 --- src/RESTAPI/RESTAPI_blacklist.cpp | 6 +++--- src/RESTAPI/RESTAPI_commands.cpp | 8 ++++++-- src/RESTAPI/RESTAPI_default_configuration.cpp | 5 +++-- src/RESTAPI/RESTAPI_device_commandHandler.cpp | 12 ++++++++++++ src/RESTAPI/RESTAPI_device_handler.cpp | 8 ++++---- src/RESTAPI/RESTAPI_devices_handler.cpp | 6 +++++- 6 files changed, 33 insertions(+), 12 deletions(-) diff --git a/src/RESTAPI/RESTAPI_blacklist.cpp b/src/RESTAPI/RESTAPI_blacklist.cpp index a3dc6e41..19aa5590 100644 --- a/src/RESTAPI/RESTAPI_blacklist.cpp +++ b/src/RESTAPI/RESTAPI_blacklist.cpp @@ -18,7 +18,7 @@ namespace OpenWifi { void RESTAPI_blacklist::DoDelete() { auto SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } @@ -36,7 +36,7 @@ namespace OpenWifi { void RESTAPI_blacklist::DoGet() { auto SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } @@ -83,7 +83,7 @@ namespace OpenWifi { void RESTAPI_blacklist::DoPut() { auto SerialNumber = Poco::toLower(GetBinding(RESTAPI::Protocol::SERIALNUMBER, "")); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } diff --git a/src/RESTAPI/RESTAPI_commands.cpp b/src/RESTAPI/RESTAPI_commands.cpp index 5bfc9f0d..fec107cb 100644 --- a/src/RESTAPI/RESTAPI_commands.cpp +++ b/src/RESTAPI/RESTAPI_commands.cpp 
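Review bot: In `RESTAPI_blacklist`, `DoPut` lower-cases the bound serial number before calling `Utils::ValidSerialNumber`, but `DoGet` and `DoDelete` validate and use the raw value, so the three handlers can disagree about the same identifier. Whether the validator accepts upper-case input is not visible here; reading the binding the same way in all three, `auto SerialNumber = Poco::toLower(GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""));`, would keep lookups and deletes consistent with `DoPut`. A malformed value is also still reported as `MissingSerialNumber` in every handler this patch touches. A distinct error for an invalid format would make rejected requests easier to triage.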
@@ -13,6 +13,10 @@ namespace OpenWifi { void RESTAPI_commands::DoGet() { auto SerialNumber = GetParameter(RESTAPI::Protocol::SERIALNUMBER, ""); + if(!Utils::ValidSerialNumber(SerialNumber)) { + return BadRequest(RESTAPI::Errors::MissingSerialNumber); + } + std::vector Commands; if (QB_.Newest) { StorageService()->GetNewestCommands(SerialNumber, QB_.Limit, Commands); @@ -33,10 +37,10 @@ namespace OpenWifi { void RESTAPI_commands::DoDelete() { auto SerialNumber = GetParameter(RESTAPI::Protocol::SERIALNUMBER, ""); - - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } + if (StorageService()->DeleteCommands(SerialNumber, QB_.StartDate, QB_.EndDate)) { return OK(); } diff --git a/src/RESTAPI/RESTAPI_default_configuration.cpp b/src/RESTAPI/RESTAPI_default_configuration.cpp index 01c6be64..ba39b6b2 100644 --- a/src/RESTAPI/RESTAPI_default_configuration.cpp +++ b/src/RESTAPI/RESTAPI_default_configuration.cpp @@ -14,10 +14,11 @@ #include "StorageService.h" #include "framework/ow_constants.h" #include "framework/ConfigurationValidator.h" +#include "framework/orm.h" namespace OpenWifi { void RESTAPI_default_configuration::DoGet() { - std::string Name = GetBinding(RESTAPI::Protocol::NAME, ""); + std::string Name = ORM::Escape(GetBinding(RESTAPI::Protocol::NAME, "")); GWObjects::DefaultConfiguration DefConfig; if (StorageService()->GetDefaultConfiguration(Name, DefConfig)) { Poco::JSON::Object Obj; @@ -28,7 +29,7 @@ namespace OpenWifi { } void RESTAPI_default_configuration::DoDelete() { - std::string Name = GetBinding(RESTAPI::Protocol::NAME, ""); + std::string Name = ORM::Escape(GetBinding(RESTAPI::Protocol::NAME, "")); if(Name.empty()) { return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters); } diff --git a/src/RESTAPI/RESTAPI_device_commandHandler.cpp b/src/RESTAPI/RESTAPI_device_commandHandler.cpp index a6d34391..73a9c69a 100644 --- a/src/RESTAPI/RESTAPI_device_commandHandler.cpp 
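Review bot: The new guard in `RESTAPI_commands::DoGet` also rejects an empty `serialNumber`, which is read with `GetParameter` and a default of `""`, so a request that omits the parameter now returns `BadRequest` instead of reaching `GetNewestCommands` or the branch after it. If an empty value previously meant "commands for all devices" (the storage code is not visible here), this is a behaviour change for existing clients. In that case `if(!SerialNumber.empty() && !Utils::ValidSerialNumber(SerialNumber))` would keep that path while still rejecting malformed values. If the parameter is meant to be mandatory, a one-line comment above the check saying so would help.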
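Review bot: `ORM::Escape` is applied to the `NAME` binding in `RESTAPI_default_configuration::DoGet` and `DoDelete`, which rewrites the lookup key in the handler rather than making the query itself safe. If `GetDefaultConfiguration` and the delete path bind the name as a statement parameter (not visible in these hunks), the escaped text will no longer match a stored name that contains an escaped character. If they build SQL by concatenation, protection depends on every caller remembering to escape. Binding the value in the storage layer, or rejecting names outside an allowed character set with `BadRequest(RESTAPI::Errors::MissingOrInvalidParameters)`, is more robust. `DoGet` also has no `Name.empty()` check, unlike `DoDelete`.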
+++ b/src/RESTAPI/RESTAPI_device_commandHandler.cpp @@ -33,6 +33,10 @@ namespace OpenWifi { return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters); } + if(!Utils::ValidSerialNumber(SerialNumber_)) { + return BadRequest(RESTAPI::Errors::MissingSerialNumber); + } + GWObjects::Device TheDevice; if(!StorageService()->GetDevice(SerialNumber_,TheDevice)) { return NotFound(); @@ -64,6 +68,10 @@ namespace OpenWifi { return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters); } + if(!Utils::ValidSerialNumber(SerialNumber_)) { + return BadRequest(RESTAPI::Errors::MissingSerialNumber); + } + Poco::Thread::current()->setName(fmt::format("{}: {}",SerialNumber_,Command_)); GWObjects::Device TheDevice; @@ -89,6 +97,10 @@ namespace OpenWifi { return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters); } + if(!Utils::ValidSerialNumber(SerialNumber_)) { + return BadRequest(RESTAPI::Errors::MissingSerialNumber); + } + Poco::Thread::current()->setName(fmt::format("{}: {}",SerialNumber_,Command_)); GWObjects::Device TheDevice; diff --git a/src/RESTAPI/RESTAPI_device_handler.cpp b/src/RESTAPI/RESTAPI_device_handler.cpp index 65b19271..7b82d066 100644 --- a/src/RESTAPI/RESTAPI_device_handler.cpp +++ b/src/RESTAPI/RESTAPI_device_handler.cpp @@ -20,7 +20,7 @@ namespace OpenWifi { void RESTAPI_device_handler::DoGet() { std::string SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } @@ -42,7 +42,7 @@ namespace OpenWifi { void RESTAPI_device_handler::DoDelete() { std::string SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } 
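Review bot: The same three-line `Utils::ValidSerialNumber(SerialNumber_)` guard is pasted into three places in `RESTAPI_device_commandHandler.cpp`, each after an existing `MissingOrInvalidParameters` return whose condition lies outside the hunk. Checking the serial number once, where `SerialNumber_` is bound from the request, would also cover command paths this patch does not touch and any added later. In the second and third hunks the guard correctly comes before `setName(fmt::format("{}: {}",SerialNumber_,Command_))`. However, `Command_` still flows into the thread name, and whether it is validated earlier is not visible here.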
@@ -86,7 +86,7 @@ namespace OpenWifi { void RESTAPI_device_handler::DoPost() { std::string SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } @@ -149,7 +149,7 @@ namespace OpenWifi { void RESTAPI_device_handler::DoPut() { std::string SerialNumber = GetBinding(RESTAPI::Protocol::SERIALNUMBER, ""); - if(SerialNumber.empty()) { + if(!Utils::ValidSerialNumber(SerialNumber)) { return BadRequest(RESTAPI::Errors::MissingSerialNumber); } diff --git a/src/RESTAPI/RESTAPI_devices_handler.cpp b/src/RESTAPI/RESTAPI_devices_handler.cpp index de5080d7..f16ee83a 100644 --- a/src/RESTAPI/RESTAPI_devices_handler.cpp +++ b/src/RESTAPI/RESTAPI_devices_handler.cpp @@ -15,11 +15,13 @@ #include "framework/MicroService.h" #include "RESTAPI/RESTAPI_device_helper.h" #include "Poco/StringTokenizer.h" +#include "framework/orm.h" namespace OpenWifi { - bool PrepareOrderBy(const std::string &OrderByList, std::string &OrderByString) { + bool PrepareOrderBy(const std::string &OrderByListRaw, std::string &OrderByString) { + auto OrderByList = ORM::Escape(OrderByListRaw); auto items = Poco::StringTokenizer(OrderByList,","); std::string ItemList; @@ -80,6 +82,8 @@ namespace OpenWifi { Poco::JSON::Array Objects; for (auto &i : SelectedRecords()) { auto SerialNumber = i; + if(!Utils::ValidSerialNumber(i)) + continue; GWObjects::Device D; if (StorageService()->GetDevice(SerialNumber, D)) { if(completeInfo) {
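Review bot: In `PrepareOrderBy`, `ORM::Escape(OrderByListRaw)` does not by itself make the list safe to place in an ORDER BY clause. Column names and sort directions are identifiers and keywords rather than quoted literals, so literal-style escaping (which `ORM::Escape` appears to be, judging by its use on `Name` elsewhere in this patch) does not constrain them. The rest of the function is outside the hunk. If it does not already do so, each token from `Poco::StringTokenizer` should be compared against a fixed set of sortable column names and directions, returning `false` for anything else. A short comment above the `ORM::Escape` call stating what it is expected to neutralise would also help.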
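Review bot: In the `SelectedRecords()` loop, an entry that fails `Utils::ValidSerialNumber(i)` is skipped with `continue`, so the caller receives a shorter list with no sign that part of the request was dropped. Either return `BadRequest(RESTAPI::Errors::MissingSerialNumber)` as the single-device handlers do, or log that an entry was rejected so malformed input shows up in the service logs. The check also tests `i` while the following lines use the copy `SerialNumber`. Testing the copy and bracing the body, `if(!Utils::ValidSerialNumber(SerialNumber)) { continue; }`, reads more clearly.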