push_notifs: Check app ID has a plausible shape at bouncer.

zerver/tests/test_push_notifications.py

@@ -525,6 +525,17 @@ class PushBouncerNotificationTest(BouncerTestCase):
         )
         self.assert_json_success(result)
 
+    def test_register_validate_ios_app_id(self) -> None:
+        endpoint = "/api/v1/remotes/push/register"
+        args = {"user_id": 11, "token": "1122", "token_kind": PushDeviceToken.APNS}
+
+        result = self.uuid_post(
+            self.server_uuid,
+            endpoint,
+            {**args, "ios_app_id": "'; tables --"},
+        )
+        self.assert_json_error(result, "Invalid app ID")
+
     def test_register_device_deduplication(self) -> None:
         hamlet = self.example_user("hamlet")
         token = "111222"

zilencer/views.py

@@ -48,7 +48,7 @@ from zerver.lib.validator import (
     check_string_fixed_length,
     check_union,
 )
-from zerver.views.push_notifications import validate_token
+from zerver.views.push_notifications import check_app_id, validate_token
 from zilencer.auth import InvalidZulipServerKeyError
 from zilencer.models import (
     RemoteInstallationCount,
@@ -162,7 +162,7 @@ def register_remote_push_device(
     user_uuid: Optional[str] = REQ(default=None),
     token: str = REQ(),
     token_kind: int = REQ(json_validator=check_int),
-    ios_app_id: Optional[str] = REQ(default=None),
+    ios_app_id: Optional[str] = REQ(str_validator=check_app_id, default=None),
 ) -> HttpResponse:
     validate_bouncer_token_request(token, token_kind)
     if token_kind == RemotePushDeviceToken.APNS and ios_app_id is None: