From 744be07a573a5d060f90f99226b3b171f384844a Mon Sep 17 00:00:00 2001
From: Eric Zhao
Date: Tue, 23 Mar 2021 10:46:01 +0800
Subject: [PATCH] dashboard: Improve param validation in MachineRegistryController

Signed-off-by: Eric Zhao
---
 .../controller/MachineRegistryController.java | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/controller/MachineRegistryController.java b/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/controller/MachineRegistryController.java
index 9a9a7f76..d11815d2 100755
--- a/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/controller/MachineRegistryController.java
+++ b/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/controller/MachineRegistryController.java
@@ -18,9 +18,9 @@ package com.alibaba.csp.sentinel.dashboard.controller;
 
 import com.alibaba.csp.sentinel.dashboard.discovery.AppManagement;
 import com.alibaba.csp.sentinel.util.StringUtil;
-import com.alibaba.csp.sentinel.dashboard.discovery.MachineDiscovery;
 import com.alibaba.csp.sentinel.dashboard.discovery.MachineInfo;
 import com.alibaba.csp.sentinel.dashboard.domain.Result;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -41,21 +41,28 @@ public class MachineRegistryController {
 @ResponseBody
 @RequestMapping("/machine")
- public Result receiveHeartBeat(String app, @RequestParam(value = "app_type", required = false, defaultValue = "0") Integer appType, Long version, String v, String hostname, String ip, Integer port) {
- if (app == null) {
- app = MachineDiscovery.UNKNOWN_APP_NAME;
+ public Result receiveHeartBeat(String app,
+ @RequestParam(value = "app_type", required = false, defaultValue = "0")
+ Integer appType, Long version, String v, String hostname, String ip,
+ Integer port) {
+ if (StringUtil.isBlank(app) || app.length() > 256) {
+ return Result.ofFail(-1, "invalid appName");
+ }
+ if (StringUtil.isBlank(ip) || ip.length() > 128) {
+ return Result.ofFail(-1, "invalid ip: " + ip);
 }
- if (ip == null) {
- return Result.ofFail(-1, "ip can't be null");
+ if (port == null || port < -1) {
+ return Result.ofFail(-1, "invalid port");
 }
- if (port == null) {
- return Result.ofFail(-1, "port can't be null");
+ if (hostname != null && hostname.length() > 256) {
+ return Result.ofFail(-1, "hostname too long");
 }
 if (port == -1) {
- logger.info("Receive heartbeat from " + ip + " but port not set yet");
+ logger.warn("Receive heartbeat from " + ip + " but port not set yet");
 return Result.ofFail(-1, "your port not set yet");
 }
- String sentinelVersion = StringUtil.isEmpty(v) ? "unknown" : v;
+ String sentinelVersion = StringUtil.isBlank(v) ? "unknown" : v;
+ version = version == null ? System.currentTimeMillis() : version;
 try {
 MachineInfo machineInfo = new MachineInfo();