From 5402f8c7421cacacb025b89eee22cb54643a5771 Mon Sep 17 00:00:00 2001
From: Jacob Boddey
Date: Thu, 7 Sep 2023 09:35:36 +0100
Subject: [PATCH] Add extra validation
---
 framework/python/src/api/api.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/framework/python/src/api/api.py b/framework/python/src/api/api.py
index 044a72178..463f1874a 100644
--- a/framework/python/src/api/api.py
+++ b/framework/python/src/api/api.py
@@ -214,9 +214,26 @@ async def save_device(self, request: Request, response: Response):
 return self._generate_msg(False, "Invalid JSON received")
 def _validate_device_json(self, json_obj):
+
+ # Check all required properties are present
 if not (DEVICE_MAC_ADDR_KEY in json_obj and DEVICE_MANUFACTURER_KEY in json_obj and DEVICE_MODEL_KEY in json_obj ):
 return False
+
+ # Check length of strings
+ if len(json_obj.get(DEVICE_MANUFACTURER_KEY)) > 64 or len(
+ json_obj.get(DEVICE_MODEL_KEY)) > 64:
+ return False
+
+ disallowed_chars = ["/", "\\", "\'", "\"", ";"]
+ for char in json_obj.get(DEVICE_MANUFACTURER_KEY):
+ if char in disallowed_chars:
+ return False
+
+ for char in json_obj.get(DEVICE_MODEL_KEY):
+ if char in disallowed_chars:
+ return False
+
 return True
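Review bot: The added length check in `_validate_device_json` calls `len(json_obj.get(DEVICE_MANUFACTURER_KEY))` and `len(json_obj.get(DEVICE_MODEL_KEY))` without first confirming the values are strings, so a request whose manufacturer or model is JSON `null` or a number passes the presence check and then raises `TypeError` inside the validator instead of returning `False`. A list or object value is measured by element count and then compared item by item against `disallowed_chars`, so it can pass validation entirely. Put a type guard ahead of the length check, for example `if not all(isinstance(json_obj.get(k), str) for k in (DEVICE_MANUFACTURER_KEY, DEVICE_MODEL_KEY)): return False`. The MAC address is still checked for presence only, and empty strings are accepted for both fields. If these values later become part of a file or directory name (the choice of `/`, `\\` and quotes suggests it, but the hunk does not show it), an allowlist of permitted characters would be sturdier than the five-character denylist, which still lets `..`, NUL and control characters through.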