diff --git a/services/distributeddataservice/service/kvdb/kvdb_service_stub.cpp b/services/distributeddataservice/service/kvdb/kvdb_service_stub.cpp
index 37de89063cb67c628b7921dd146a531a5b2df219..66e30cc6fd0a96f7479a14c43717b7d720b60cd5 100644
--- a/services/distributeddataservice/service/kvdb/kvdb_service_stub.cpp
+++ b/services/distributeddataservice/service/kvdb/kvdb_service_stub.cpp
@@ -72,7 +72,7 @@ int KVDBServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &data, Message
 if (status != ERR_NONE) {
 return status;
 }
- if (CheckPermission(code, storeInfo)) {
+ if (IsValidParam(storeInfo.bundleName, storeInfo.storeId) && CheckPermission(code, storeInfo)) {
 return (this->*HANDLERS[code])({ storeInfo.bundleName }, { storeInfo.storeId }, data, reply);
 }
 ZLOGE("PERMISSION_DENIED uid:%{public}d appId:%{public}s storeId:%{public}s", storeInfo.uid,
@@ -579,4 +579,25 @@ int32_t KVDBServiceStub::OnRemoveDeviceData(const AppId &appId, const StoreId &s
 }
 return ERR_NONE;
 }
+
+bool KVDBServiceStub::IsValidParam(const std::string &bundleName, const std::string &storeName)
+{
+ if (IsValidName(bundleName)) {
+ ZLOGE("bundleName is Invalid, bundleName is %{public}s", bundleName.c_str());
+ return false;
+ }
+ if (IsValidName(storeName)) {
+ ZLOGE("storeName is Invalid, storeName is %{public}s", storeName.c_str());
+ return false;
+ }
+ return true;
+}
+
+bool KVDBServiceStub::IsValidName(const std::string &path)
+{
+ if ((path.find("/") != std::string::npos) || (path.find("\\") != std::string::npos) || (path == "..")) {
+ return false;
+ }
+ return true;
+}
 } // namespace OHOS::DistributedKv
diff --git a/services/distributeddataservice/service/kvdb/kvdb_service_stub.h b/services/distributeddataservice/service/kvdb/kvdb_service_stub.h
index f26cb7c8325dfb1d5348c1f426379d8c340e7708..2bf905627753adb5985cb95b53f53913a900f006 100644
--- a/services/distributeddataservice/service/kvdb/kvdb_service_stub.h
+++ b/services/distributeddataservice/service/kvdb/kvdb_service_stub.h
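Review bot: In the `OnRemoteRequest` hunk of kvdb_service_stub.cpp, a name rejected by `IsValidParam` falls through to the existing `PERMISSION_DENIED` log line, so a malformed-name request and a genuine permission failure look the same in the logs and, presumably, to the caller. A separate guard ahead of the permission check would keep the two distinguishable during triage, e.g. `if (!IsValidParam(storeInfo.bundleName, storeInfo.storeId)) { return IPC_STUB_INVALID_DATA_ERR; }`, assuming that status is the appropriate one for this stub. The rejected, caller-supplied name is also written with `%{public}s` both in `IsValidParam` and here; consider whether it should be logged in full. The ZLOGE arguments and the return that follows are outside the hunk, so the status actually returned cannot be confirmed from here.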
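Review bot: In the second hunk of kvdb_service_stub.cpp, `IsValidParam` treats a true result from `IsValidName` as the failure case, so the check is inverted: a clean bundleName or storeName is logged as invalid and rejected, and the function returns true only when both names contain `/` or `\` or equal `..`. Combined with the new condition in `OnRemoteRequest`, ordinary requests would be refused at this gate while the names the patch is meant to block pass it; both added cases in kvdb_service_stub_unittest.cpp expect the opposite result. The two conditions should be negated: `if (!IsValidName(bundleName)) {` and `if (!IsValidName(storeName)) {`. Separately, `IsValidName` accepts an empty string and `.`; if those are not legal bundle or store names, reject them there as well.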
@@ -62,6 +62,8 @@ private:
 bool CheckPermission(uint32_t code, const StoreInfo &storeInfo);
 std::pair GetStoreInfo(uint32_t code, MessageParcel &data);
+ bool IsValidParam(const std::string &bundleName, const std::string &storeName);
+ bool IsValidName(const std::string &path);
 };
 } // namespace OHOS::DistributedKv
 #endif // OHOS_DISTRIBUTED_DATA_SERVICE_KVDB_SERVICE_STUB_H
diff --git a/services/distributeddataservice/service/test/kvdb_service_stub_unittest.cpp b/services/distributeddataservice/service/test/kvdb_service_stub_unittest.cpp
index c9bf0cef913f7108fa949eb0c15459fb500cdacc..a14d51db2b5c4e767d7564e5a0aa0d9f540a950d 100644
--- a/services/distributeddataservice/service/test/kvdb_service_stub_unittest.cpp
+++ b/services/distributeddataservice/service/test/kvdb_service_stub_unittest.cpp
@@ -350,5 +350,33 @@ HWTEST_F(KVDBServiceStubTest, OnRemoveDeviceData, TestSize.Level1)
 auto status = kvdbServiceStub->OnRemoveDeviceData(appId, storeId, data, reply);
 EXPECT_EQ(status, IPC_STUB_INVALID_DATA_ERR);
 }
+
+/**
+ * @tc.name: IsValidParam001
+ * @tc.desc: Test IsValidParam
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(KVDBServiceStubTest, IsValidParam001, TestSize.Level1)
+{
+ std::string bundleName = "com.test.test";
+ std::string storeName = "test_store";
+ auto status = kvdbServiceStub->IsValidParam(bundleName, storeName);
+ EXPECT_EQ(status, true);
+}
+
+/**
+ * @tc.name: IsValidParam002
+ * @tc.desc: Test IsValidParam
+ * @tc.type: FUNC
+ * @tc.require:
+ */
+HWTEST_F(KVDBServiceStubTest, IsValidParam002, TestSize.Level1)
+{
+ std::string bundleName = "\\com.test.test";
+ std::string storeName = "/test_store";
+ auto status = kvdbServiceStub->IsValidParam(bundleName, storeName);
+ EXPECT_EQ(status, false);
+}
 } // namespace DistributedDataTest
 } // namespace OHOS::Test
\ No newline at end of file
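Review bot: The two added cases in kvdb_service_stub_unittest.cpp cover only both-names-valid and both-names-invalid, so they cannot show whether `IsValidParam` rejects a request when just one name is bad, and the `..` branch of `IsValidName` is never exercised. Mixed cases would pin that down, for example `EXPECT_FALSE(kvdbServiceStub->IsValidParam("com.test.test", ".."));` and `EXPECT_FALSE(kvdbServiceStub->IsValidParam("com.test/test", "test_store"));`. An empty-name case is worth adding once the intended behaviour for it is decided. `EXPECT_TRUE`/`EXPECT_FALSE` would also read more directly than `EXPECT_EQ(status, true)`.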