From eb1357fe03bb47cdd479cf533022e11dd6bd22e0 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Tue, 22 Dec 2015 12:11:21 -0500
Subject: Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error r=dkl,a=dkl
---
 Bugzilla/API/1_0/Constants.pm | 2 ++
 Bugzilla/API/1_0/Util.pm | 23 +----------------------
 Bugzilla/WebService/Bug.pm | 4 ++++
 Bugzilla/WebService/Constants.pm | 2 ++
 Bugzilla/WebService/Util.pm | 10 +++++++++-
 template/en/default/global/code-error.html.tmpl | 7 +++++++
 6 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/Bugzilla/API/1_0/Constants.pm b/Bugzilla/API/1_0/Constants.pm
index 44e20124a..f90b31177 100644
--- a/Bugzilla/API/1_0/Constants.pm
+++ b/Bugzilla/API/1_0/Constants.pm
@@ -68,6 +68,8 @@ use constant WS_ERROR_CODE => {
 number_too_large => 54,
 number_too_small => 55,
 illegal_date => 56,
+ param_integer_required => 57,
+ param_integer_array_required => 58,
 # Bug errors usually occupy the 100-200 range.
 improper_bug_id_field_value => 100,
 bug_id_does_not_exist => 101,
diff --git a/Bugzilla/API/1_0/Util.pm b/Bugzilla/API/1_0/Util.pm
index d22935f6e..3fcf28cdf 100644
--- a/Bugzilla/API/1_0/Util.pm
+++ b/Bugzilla/API/1_0/Util.pm
@@ -22,6 +22,7 @@ use MIME::Base64 qw(decode_base64 encode_base64);
 use Storable qw(dclone);
 use Test::Taint ();
 use URI::Escape qw(uri_unescape);
+use Bugzilla::WebService::Util qw(validate);
 use parent qw(Exporter);
@@ -241,28 +242,6 @@ sub api_include_exclude {
 return $params;
 }
-sub validate {
- my ($self, $params, @keys) = @_;
-
- # If $params is defined but not a reference, then we weren't
- # sent any parameters at all, and we're getting @keys where
- # $params should be.
- return ($self, undef) if (defined $params and !ref $params);
-
- # If @keys is not empty then we convert any named
- # parameters that have scalar values to arrayrefs
- # that match.
- foreach my $key (@keys) {
- if (exists $params->{$key}) {
- $params->{$key} = ref $params->{$key}
- ? $params->{$key}
- : [ $params->{$key} ];
- }
- }
-
- return ($self, $params);
-}
-
 sub translate {
 my ($params, $mapped) = @_;
 my %changes;
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 84f209347..75a0aab0e 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -1200,6 +1200,10 @@ sub update_comment_tags {
 { function => 'Bug.update_comment_tags',
 param => 'comment_id' });
+ ThrowCodeError("param_integer_required", { function => 'Bug.update_comment_tags',
+ param => 'comment_id' })
+ unless $comment_id =~ /^[0-9]+$/;
+
 my $comment = Bugzilla::Comment->new($comment_id) || return [];
 $comment->bug->check_is_visible();
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 42aa600ee..8c9bcb37f 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -69,6 +69,8 @@ use constant WS_ERROR_CODE => {
 number_too_large => 54,
 number_too_small => 55,
 illegal_date => 56,
+ param_integer_required => 57,
+ param_integer_array_required => 58,
 # Bug errors usually occupy the 100-200 range.
 improper_bug_id_field_value => 100,
 bug_id_does_not_exist => 101,
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index cbbc47921..503246c16 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
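Review bot: The integer check on the added `unless` line in the Bug.pm hunk anchors with `$`, which in Perl also matches just before a trailing newline, so a `comment_id` of `"42\n"` passes the check and reaches `Bugzilla::Comment->new` unchanged; `unless $comment_id =~ /\A[0-9]+\z/;` rejects it. The same pattern is used in the `all { ... }` check of the Bugzilla/WebService/Util.pm hunk `@@ -230,6 +232,12 @@` and should be tightened there as well: `unless ref($ids) eq 'ARRAY' && all { /\A[0-9]+\z/ } @$ids;`. The error name is written `"param_integer_required"` in double quotes while the surrounding ThrowCodeError calls use single-quoted strings; single quotes would match. `update_comment_tags` starts and ends outside the hunk.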
@@ -18,6 +18,7 @@ use Bugzilla::WebService::Constants;
 use Storable qw(dclone);
 use URI::Escape qw(uri_unescape);
+use List::MoreUtils qw(all any);
 use parent qw(Exporter);
@@ -221,7 +222,8 @@ sub validate {
 # sent any parameters at all, and we're getting @keys where
 # $params should be.
 return ($self, undef) if (defined $params and !ref $params);
-
+
+ my @id_params = qw( ids comment_ids );
 # If @keys is not empty then we convert any named
 # parameters that have scalar values to arrayrefs
 # that match.
@@ -230,6 +232,12 @@ sub validate {
 $params->{$key} = ref $params->{$key}
 ? $params->{$key}
 : [ $params->{$key} ];
+
+ if (any { $key eq $_ } @id_params) {
+ my $ids = $params->{$key};
+ ThrowCodeError('param_integer_array_required', { param => $key })
+ unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
+ }
 }
 }
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index a242c7471..f268833b0 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -294,6 +294,13 @@ a [% param FILTER html %] argument, and that argument was not set.
+ [% ELSIF error == "param_integer_required" %]
+ The function [% function FILTER html %] requires
+ that [% param FILTER html %] be an integer.
+
+ [% ELSIF error == "param_integer_array_required" %]
+ The [% param FILTER html %] parameter must be an array of integers.
+
 [% ELSIF error == "params_required" %]
 [% title = "Missing Parameter" %]
 The function [% function FILTER html %] requires
-- cgit v1.2.3-24-g4f1b
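Review bot: `my @id_params = qw( ids comment_ids );` in the `@@ -221,7 +222,8 @@` hunk hard-codes which keys get the integer-array check inside a helper that every WebService method routes its parameters through, so any other id-style key a caller passes to `validate()` is still only wrapped into an arrayref and a non-array value for it is handed on as before; a comment next to the declaration stating that only these two keys are validated, or an argument letting callers extend the list, would make that limit visible. The declaration also sits between the early `return` and the block comment that describes the `@keys` loop, where it reads as the subject of that comment; moving it above the comment and turning it into a lookup `my %is_id_param = map { $_ => 1 } qw(ids comment_ids);` tested with `if ($is_id_param{$key})` would read more plainly than the `any { $key eq $_ } @id_params` scan in the `@@ -230,6 +232,12 @@` hunk. Note that `all` returns true for an empty list, so an empty `ids` array passes the check; that is presumably intended. `validate` starts and ends outside these hunks.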