feat(server): sanitize run options

official-stockfish · Mar 7, 2025 · de11571 · de11571
1 parent 23444da
commit de11571
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/server/fishtest/views.py b/server/fishtest/views.py
@@ -863,6 +863,24 @@ def validate_modify(request, run):
         raise home(request)
 
 
+def sanitize_options(options):
+    try:
+        options.encode("ascii")
+    except UnicodeEncodeError:
+        raise ValueError("Options must contain only ascii characters")
+
+    tokens = options.split()
+    # Matches only tokens formatted as "key=value"
+    # where both key and value are non-empty and contain neither spaces nor "=".
+    token_regex = re.compile(r"^[^\s=]+=[^\s=]+$", flags=re.ASCII)
+    for token in tokens:
+        if not token_regex.fullmatch(token):
+            raise ValueError(
+                "Each option must be a key=value pair with no extra spaces and exactly one '='"
+            )
+    return " ".join(tokens)
+
+
 def validate_form(request):
     data = {
         "base_tag": request.POST["base-branch"],
@@ -873,8 +891,8 @@ def validate_form(request):
         "book_depth": request.POST["book-depth"],
         "base_signature": request.POST["base-signature"],
         "new_signature": request.POST["test-signature"],
-        "base_options": request.POST["base-options"],
-        "new_options": request.POST["new-options"],
+        "base_options": sanitize_options(request.POST["base-options"]),
+        "new_options": sanitize_options(request.POST["new-options"]),
         "username": request.authenticated_userid,
         "tests_repo": request.POST["tests-repo"],
         "info": request.POST["run-info"],