Manifold is vulnerable to extra long Thing names #199

Open
b1conrad opened this issue Nov 24, 2021 · 0 comments
Labels
bug ui user experience

Comments

@b1conrad
Member

b1conrad commented Nov 24, 2021

While looking at the Manifold instance pico engine, I noticed a newly created Thing with a name that is 46 characters long.

Sure enough, there is no limit imposed in the UX (generated here; consumed here) nor when passed to the Manifold pico to create a new pico (here), nor in the ruleset that does so (here).

Code snippets shown here for convenience.

Front end:

        <ModalBody>
          <div className="form-group">
            <label> New Thing's name</label>
            <input type="text" className="form-control" id="name" placeholder="THING NAME" onChange={(element) => this.setState({ name: element.target.value})}/>
          </div>
        </ModalBody>
        <ModalFooter>
          <Button id="createButton" color="primary" onClick={this.handleAddClick}>Create Thing</Button>{' '}
          <Button id="createCancel" color="secondary" onClick={this.handleToggle}>Cancel</Button>
        </ModalFooter>

and its onChange handler:

  handleAddClick() {
    const newName = this.state.name;
    if(!newName || newName === ""){
      alert('Please enter a name.');
      return;
    }
    this.handleToggle();
    this.props.createThing(newName);
  }

which checks for a missing name, but nothing about its length.

Passing the event through to the Manifold pico:

export function createThing(name){
  return axios.post(`${sky_event(getManifoldECI())}/Create_Thing/manifold/create_thing?name=${name}`);
}

Back end, at the Manifold pico:

  rule createThing {
    select when manifold create_thing
    if event:attr("name") && wrangler:children().length() <= max_picos then
      send_directive("Attempting to create new Thing", { "thing":event:attr("name") })
    fired {
      raise wrangler event "new_child_request"
        attributes event:attrs.put({ "event_type": "manifold_create_thing" })
                                .put({ "rids": thingRids })
    }
  }

which again checks for a non-empty name (but would accept a blank one), but does no length sanity checking.

Note that we inherit this problem from Wrangler, which also accepts anything as a pico name.

@b1conrad b1conrad added bug ui user experience labels Nov 24, 2021
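As an added example (not code from the Manifold project or from the issue author), the snippet below shows what a length check at the UI layer could look like: a validator that rejects blank and over-long names, a query builder that encodes the name before it goes into the `create_thing` event URL, and a hardened form of the click handler written against plain objects so it runs outside React. The 40-character limit, the `eventBase` parameter standing in for `sky_event(getManifoldECI())`, and the `actions` object are assumptions made for this example.

```javascript
// Added example, not Manifold's own code. MAX_THING_NAME_LENGTH is an assumed
// limit chosen for illustration; pick whatever the UI and pico names can carry.
const MAX_THING_NAME_LENGTH = 40;

// Returns { ok: true, name } with a trimmed name, or { ok: false, error }.
function validateThingName(raw) {
  if (typeof raw !== 'string') {
    return { ok: false, error: 'Please enter a name.' };
  }
  const name = raw.trim(); // an all-whitespace ("blank") name is rejected here
  if (name.length === 0) {
    return { ok: false, error: 'Please enter a name.' };
  }
  // Count Unicode code points rather than UTF-16 code units, so a single
  // emoji or astral-plane character is not counted as two characters.
  const length = Array.from(name).length;
  if (length > MAX_THING_NAME_LENGTH) {
    return {
      ok: false,
      error: `Name must be at most ${MAX_THING_NAME_LENGTH} characters (got ${length}).`,
    };
  }
  return { ok: true, name };
}

// eventBase is a hypothetical stand-in for sky_event(getManifoldECI()).
// URLSearchParams percent-encodes the name instead of interpolating it raw.
function buildCreateThingUrl(eventBase, name) {
  const params = new URLSearchParams({ name });
  return `${eventBase}/Create_Thing/manifold/create_thing?${params.toString()}`;
}

// Hardened version of the handler from the issue. `state` carries the typed
// name; `actions` supplies alert/toggle/createThing so the logic is testable.
// Returns true when a Thing creation was requested, false when input was rejected.
function handleAddClick(state, actions) {
  const result = validateThingName(state.name);
  if (!result.ok) {
    actions.alert(result.error);
    return false;
  }
  actions.toggle();
  actions.createThing(result.name);
  return true;
}
```

Because the `create_thing` event can be raised without going through the UI, the same length and blank-name checks belong in the `createThing` rule on the Manifold pico (and ultimately in Wrangler's `new_child_request` handling) so that a bypassed front end cannot produce an over-long pico name.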