Allow dots and handle empty parts

Signed-off-by: Aleksandar Novakovic <aleksandar.novakovic@mainflux.com>

coap/api/transport.go

@@ -34,11 +34,15 @@ import (
 const protocol = "coap"
 
 var (
-	errBadRequest = errors.New("bad request")
-	errBadOption  = errors.New("bad option")
-	auth          mainflux.ThingsServiceClient
-	logger        log.Logger
-	pingPeriod    time.Duration
+	errBadRequest        = errors.New("bad request")
+	errBadOption         = errors.New("bad option")
+	errMalformedSubtopic = errors.New("malformed subtopic")
+)
+
+var (
+	auth       mainflux.ThingsServiceClient
+	logger     log.Logger
+	pingPeriod time.Duration
 )
 
 type handler func(conn *net.UDPConn, addr *net.UDPAddr, msg *gocoap.Message) *gocoap.Message
@@ -69,9 +73,9 @@ func MakeCOAPHandler(svc coap.Service, tc mainflux.ThingsServiceClient, l log.Lo
 	pingPeriod = pp
 	r := mux.NewRouter()
 	r.Handle("/channels/{id}/messages", gocoap.FuncHandler(receive(svc))).Methods(gocoap.POST)
-	r.Handle("/channels/{id}/messages/{subtopic:(/[^/.?]+)+}", gocoap.FuncHandler(receive(svc))).Methods(gocoap.POST)
+	r.Handle("/channels/{id}/messages/{subtopic:[^?]*}", gocoap.FuncHandler(receive(svc))).Methods(gocoap.POST)
 	r.Handle("/channels/{id}/messages", gocoap.FuncHandler(observe(svc, responses)))
-	r.Handle("/channels/{id}/messages/{subtopic:(/[^/.?]+)+}", gocoap.FuncHandler(observe(svc, responses)))
+	r.Handle("/channels/{id}/messages/{subtopic:[^?]*}", gocoap.FuncHandler(observe(svc, responses)))
 	r.NotFoundHandler = gocoap.FuncHandler(notFoundHandler)
 
 	return r
@@ -112,14 +116,30 @@ func authorize(msg *gocoap.Message, res *gocoap.Message, cid string) (string, er
 	return id.GetValue(), nil
 }
 
-func fmtSubtopic(subtopic string) string {
-	if subtopic != "" {
-		if strings.HasSuffix(subtopic, "/") {
-			subtopic = subtopic[:len(subtopic)-1]
+func fmtSubtopic(subtopic string) (string, error) {
+	if subtopic == "" {
+		return subtopic, nil
+	}
+
+	subtopic = strings.Replace(subtopic, "/", ".", -1)
+
+	elems := strings.Split(subtopic, "/")
+	filteredElems := []string{}
+	for _, elem := range elems {
+		if elem == "" {
+			continue
+		}
+
+		if len(elem) > 1 && (strings.Contains(elem, "*") || strings.Contains(elem, ">")) {
+			return "", errMalformedSubtopic
 		}
-		subtopic = strings.Replace(subtopic, "/", ".", -1)
+
+		filteredElems = append(filteredElems, elem)
 	}
-	return subtopic
+
+	subtopic = strings.Join(filteredElems, ".")
+
+	return subtopic, nil
 }
 
 func receive(svc coap.Service) handler {
@@ -151,7 +171,12 @@ func receive(svc coap.Service) handler {
 			res.Code = gocoap.NotFound
 			return res
 		}
-		subtopic := fmtSubtopic(mux.Var(msg, "subtopic"))
+
+		subtopic, err := fmtSubtopic(mux.Var(msg, "subtopic"))
+		if err != nil {
+			res.Code = gocoap.BadRequest
+			return res
+		}
 
 		publisher, err := authorize(msg, res, chanID)
 		if err != nil {
@@ -191,7 +216,12 @@ func observe(svc coap.Service, responses chan<- string) handler {
 			res.Code = gocoap.NotFound
 			return res
 		}
-		subtopic := fmtSubtopic(mux.Var(msg, "subtopic"))
+
+		subtopic, err := fmtSubtopic(mux.Var(msg, "subtopic"))
+		if err != nil {
+			res.Code = gocoap.BadRequest
+			return res
+		}
 
 		publisher, err := authorize(msg, res, chanID)
 		if err != nil {

http/api/transport.go

@@ -36,7 +36,7 @@ var (
 
 var (
 	auth              mainflux.ThingsServiceClient
-	channelPartRegExp = regexp.MustCompile(`^/channels/([\w\-]+)/messages((/[^/.?]+)*)?(\?.*)?$`)
+	channelPartRegExp = regexp.MustCompile(`^/channels/([\w\-]+)/messages(/[^?]*)?(\?.*)?$`)
 )
 
 // MakeHandler returns a HTTP handler for API endpoints.
@@ -77,8 +77,22 @@ func parseSubtopic(subtopic string) (string, error) {
 		return "", errMalformedSubtopic
 	}
 	subtopic = strings.Replace(subtopic, "/", ".", -1)
-	// channelParts[2] contains the subtopic parts starting with char /
-	subtopic = subtopic[1:]
+
+	elems := strings.Split(subtopic, "/")
+	filteredElems := []string{}
+	for _, elem := range elems {
+		if elem == "" {
+			continue
+		}
+
+		if len(elem) > 1 && (strings.Contains(elem, "*") || strings.Contains(elem, ">")) {
+			return "", errMalformedSubtopic
+		}
+
+		filteredElems = append(filteredElems, elem)
+	}
+
+	subtopic = strings.Join(filteredElems, ".")
 	return subtopic, nil
 }
 

mqtt/mqtt.js

@@ -130,6 +130,12 @@ aedes.authorizePublish = function (client, packet, publish) {
         if (elements[i] === '') {
             elements.pop(i);
         }
+
+        if (elements[i].length > 1 && (elements[i].includes('*') || elements[i].includes('>'))) {
+            logger.warn('invalid subtopic');
+            publish(4);
+            return;
+        }
     }
     var channelTopic = elements.length ? baseTopic + '.' + elements.join('.') : baseTopic,
 

ws/api/transport.go

@@ -45,7 +45,7 @@ var (
 	}
 	auth              mainflux.ThingsServiceClient
 	logger            log.Logger
-	channelPartRegExp = regexp.MustCompile(`^/channels/([\w\-]+)/messages((/[^/.?]+)*)?(\?.*)?$`)
+	channelPartRegExp = regexp.MustCompile(`^/channels/([\w\-]+)/messages(/[^?]*)?(\?.*)?$`)
 )
 
 // MakeHandler returns http handler with handshake endpoint.
@@ -122,9 +122,25 @@ func parseSubtopic(subtopic string) (string, error) {
 	if err != nil {
 		return "", errMalformedSubtopic
 	}
+
 	subtopic = strings.Replace(subtopic, "/", ".", -1)
-	// channelParts[2] contains the subtopic parts starting with char /
-	subtopic = subtopic[1:]
+
+	elems := strings.Split(subtopic, "/")
+	filteredElems := []string{}
+	for _, elem := range elems {
+		if elem == "" {
+			continue
+		}
+
+		if len(elem) > 1 && (strings.Contains(elem, "*") || strings.Contains(elem, ">")) {
+			return "", errMalformedSubtopic
+		}
+
+		filteredElems = append(filteredElems, elem)
+	}
+
+	subtopic = strings.Join(filteredElems, ".")
+
 	return subtopic, nil
 }