Skip to content
This repository has been archived by the owner on Dec 22, 2022. It is now read-only.

Commit

Permalink
privacy: Potential JSON injection (prebid#1304)
Browse files Browse the repository at this point in the history
  • Loading branch information
djcsdy authored May 28, 2020
1 parent 1aec0db commit 864bc55
Show file tree
Hide file tree
Showing 4 changed files with 94 additions and 12 deletions.
19 changes: 14 additions & 5 deletions privacy/ccpa/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
"errors"
"fmt"

"github.com/buger/jsonparser"
"github.com/mxmCherry/openrtb"
"github.com/prebid/prebid-server/openrtb_ext"
)
Expand Down Expand Up @@ -41,12 +40,22 @@ func (p Policy) Write(req *openrtb.BidRequest) error {
}

if req.Regs.Ext == nil {
req.Regs.Ext = json.RawMessage(`{"us_privacy":"` + p.Value + `"}`)
return nil
ext, err := json.Marshal(openrtb_ext.ExtRegs{USPrivacy: p.Value})
if err == nil {
req.Regs.Ext = ext
}
return err
}

var err error
req.Regs.Ext, err = jsonparser.Set(req.Regs.Ext, []byte(`"`+p.Value+`"`), "us_privacy")
var extMap map[string]interface{}
err := json.Unmarshal(req.Regs.Ext, &extMap)
if err == nil {
extMap["us_privacy"] = p.Value
ext, err := json.Marshal(extMap)
if err == nil {
req.Regs.Ext = ext
}
}
return err
}

Expand Down
37 changes: 37 additions & 0 deletions privacy/ccpa/policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,17 @@ func TestRead(t *testing.T) {
},
expectedError: true,
},
{
description: "Injection Attack",
request: &openrtb.BidRequest{
Regs: &openrtb.Regs{
Ext: json.RawMessage(`{"us_privacy":"1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
},
},
expectedPolicy: Policy{
Value: "1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\"",
},
},
}

for _, test := range testCases {
Expand Down Expand Up @@ -138,6 +149,32 @@ func TestWrite(t *testing.T) {
Ext: json.RawMessage(`malformed`)}},
expectedError: true,
},
{
description: "Injection Attack With Nil Request Regs Object",
policy: Policy{Value: "1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{},
expected: &openrtb.BidRequest{Regs: &openrtb.Regs{
Ext: json.RawMessage(`{"us_privacy":"1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
}},
},
{
description: "Injection Attack With Nil Request Regs Ext Object",
policy: Policy{Value: "1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{Regs: &openrtb.Regs{}},
expected: &openrtb.BidRequest{Regs: &openrtb.Regs{
Ext: json.RawMessage(`{"us_privacy":"1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
}},
},
{
description: "Injection Attack With Existing Request Regs Ext Object",
policy: Policy{Value: "1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{Regs: &openrtb.Regs{
Ext: json.RawMessage(`{"existing":"any"}`),
}},
expected: &openrtb.BidRequest{Regs: &openrtb.Regs{
Ext: json.RawMessage(`{"existing":"any","us_privacy":"1YYY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
}},
},
}

for _, test := range testCases {
Expand Down
20 changes: 15 additions & 5 deletions privacy/gdpr/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ package gdpr

import (
"encoding/json"
"github.com/prebid/prebid-server/openrtb_ext"

"github.com/buger/jsonparser"
"github.com/mxmCherry/openrtb"
"github.com/prebid/go-gdpr/vendorconsent"
)
Expand All @@ -25,12 +25,22 @@ func (p Policy) Write(req *openrtb.BidRequest) error {
}

if req.User.Ext == nil {
req.User.Ext = json.RawMessage(`{"consent":"` + p.Consent + `"}`)
return nil
ext, err := json.Marshal(openrtb_ext.ExtUser{Consent: p.Consent})
if err == nil {
req.User.Ext = ext
}
return err
}

var err error
req.User.Ext, err = jsonparser.Set(req.User.Ext, []byte(`"`+p.Consent+`"`), "consent")
var extMap map[string]interface{}
err := json.Unmarshal(req.User.Ext, &extMap)
if err == nil {
extMap["consent"] = p.Consent
ext, err := json.Marshal(extMap)
if err == nil {
req.User.Ext = ext
}
}
return err
}

Expand Down
30 changes: 28 additions & 2 deletions privacy/gdpr/policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,15 +42,15 @@ func TestWrite(t *testing.T) {
request: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"existing":"any"}`)}},
expected: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"existing":"any","consent":"anyConsent"}`)}},
Ext: json.RawMessage(`{"consent":"anyConsent","existing":"any"}`)}},
},
{
description: "Enabled With Existing Request User Ext Object - Overwrites",
policy: Policy{Consent: "anyConsent"},
request: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"existing":"any","consent":"toBeOverwritten"}`)}},
expected: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"existing":"any","consent":"anyConsent"}`)}},
Ext: json.RawMessage(`{"consent":"anyConsent","existing":"any"}`)}},
},
{
description: "Enabled With Existing Malformed Request User Ext Object",
Expand All @@ -59,6 +59,32 @@ func TestWrite(t *testing.T) {
Ext: json.RawMessage(`malformed`)}},
expectedError: true,
},
{
description: "Injection Attack With Nil Request User Object",
policy: Policy{Consent: "BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{},
expected: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"consent":"BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
}},
},
{
description: "Injection Attack With Nil Request User Ext Object",
policy: Policy{Consent: "BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{User: &openrtb.User{}},
expected: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"consent":"BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""}`),
}},
},
{
description: "Injection Attack With Existing Request User Ext Object",
policy: Policy{Consent: "BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\""},
request: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"existing":"any"}`),
}},
expected: &openrtb.BidRequest{User: &openrtb.User{
Ext: json.RawMessage(`{"consent":"BONV8oqONXwgmADACHENAO7pqzAAppY\"},\"oops\":\"malicious\",\"p\":{\"p\":\"","existing":"any"}`),
}},
},
}

for _, test := range testCases {
Expand Down

0 comments on commit 864bc55

Please sign in to comment.