[http] strictly check arguments in ProduceExe

Remove all special characters, check quotes, escape quotes inside
If expecting numeric value - just alphanumeric, comma, +, -, allowed

Author: linev

net/httpsniff/inc/TRootSnifferFull.h

@@ -16,6 +16,7 @@
 #include <string>
 
 class TMemFile;
+class TMethodArg;
 
 class TRootSnifferFull : public TRootSniffer {
 protected:
@@ -30,6 +31,8 @@ class TRootSnifferFull : public TRootSniffer {
 
    void CreateMemFile();
 
+   static TString SanitizeArgument(Bool_t isstr, const char *value, Bool_t onlyquotes = kFALSE);
+
    Bool_t CanDrawClass(TClass *cl) override { return IsDrawableClass(cl); }
 
    Bool_t HasStreamerInfo() const override { return kTRUE; }

net/httpsniff/src/TRootSnifferFull.cxx

@@ -511,6 +511,42 @@ Bool_t TRootSnifferFull::ProduceXml(const std::string &path, const std::string &
    return !res.empty();
 }
 
+////////////////////////////////////////////////////////////////////////////////
+/// Verify argument value
+/// Remove special symbols, escape quotes
+/// If not string - only digits, literals, "+", "-", "." are allowed
+
+TString TRootSnifferFull::SanitizeArgument(Bool_t isstr, const char *value, Bool_t onlyquotes)
+{
+   Int_t beg = 0, end = strlen(value);
+   if (end > 0 && isstr && value[beg] == '\"')
+      beg++;
+   if (end > 0 && isstr && value[end-1] == '\"')
+      end--;
+   TString sanitized;
+   if (isstr)
+      sanitized.Append("\""); // string start with quotes
+   for(Int_t n = beg; n < end; ++n) {
+      Char_t c = value[n];
+      if (!isstr && !onlyquotes) {
+         // for numeric types make very strict check
+         if (std::isalnum(c) || std::strchr(".:+-", c))
+            sanitized.Append(c);
+      } else if ((c == '\"') || (c == '\\')) {
+         // escape quotes inside string
+         sanitized.Append('\\');
+         sanitized.Append(c);
+      } else if (!std::iscntrl(c)) {
+         // exclude special chars
+         sanitized.Append(c);
+      }
+   }
+   if (isstr)
+      sanitized.Append('\"'); // string end with quotes
+   return sanitized;
+}
+
+
 ////////////////////////////////////////////////////////////////////////////////
 /// Execute command for specified object
 ///
@@ -636,6 +672,10 @@ Bool_t TRootSnifferFull::ProduceExe(const std::string &path, const std::string &
          val = sval.Data();
       }
 
+      // only value provided from outside should be sanitized
+      // default argument value or internal pointer will not
+      Bool_t sanitize = kFALSE;
+
       if ((val != nullptr) && (strcmp(val, "_this_") == 0)) {
          // special case - object itself is used as argument
          sval.Form("(%s*)0x%zx", obj_cl->GetName(), (size_t)obj_ptr);
@@ -690,7 +730,11 @@ Bool_t TRootSnifferFull::ProduceExe(const std::string &path, const std::string &
          } else if (strcmp(val, "_post_length_") == 0) {
             sval.Form("%ld", (long)fCurrentArg->GetPostDataLength());
             val = sval.Data();
+         } else {
+            sanitize = kTRUE;
          }
+      } else {
+         sanitize = val != nullptr;
       }
 
       if (!val)
@@ -706,15 +750,11 @@ Bool_t TRootSnifferFull::ProduceExe(const std::string &path, const std::string &
       if (call_args.Length() > 0)
          call_args += ", ";
 
-      if ((strcmp(arg->GetFullTypeName(), "const char*") == 0) || (strcmp(arg->GetFullTypeName(), "Option_t*") == 0)) {
-         int len = strlen(val);
-         if ((strlen(val) < 2) || (*val != '\"') || (val[len - 1] != '\"'))
-            call_args.Append(TString::Format("\"%s\"", val));
-         else
-            call_args.Append(val);
-      } else {
-         call_args.Append(val);
-      }
+      Bool_t isstr = (strcmp(arg->GetFullTypeName(), "const char*") == 0) ||
+                     (strcmp(arg->GetFullTypeName(), "Option_t*") == 0) ||
+                     (strcmp(arg->GetFullTypeName(), "string") == 0);
+
+      call_args.Append(SanitizeArgument(isstr, val, !sanitize));
    }
 
    TMethodCall *call = nullptr;