mirror of
https://github.com/joohoi/acme-dns.git
synced 2024-12-22 22:43:53 +07:00
Fail closed with malformed allowfrom data in register endpoint (#148)
* Prepare readme for release * Fail closed with malformed allowfrom data in register endpoint
This commit is contained in:
parent
395cb7a62c
commit
af5d2561d2
10
acmetxt.go
10
acmetxt.go
@ -30,6 +30,16 @@ func (c *cidrslice) JSON() string {
|
|||||||
return string(ret)
|
return string(ret)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *cidrslice) isValid() error {
|
||||||
|
for _, v := range *c {
|
||||||
|
_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func (c *cidrslice) ValidEntries() []string {
|
func (c *cidrslice) ValidEntries() []string {
|
||||||
valid := []string{}
|
valid := []string{}
|
||||||
for _, v := range *c {
|
for _, v := range *c {
|
||||||
|
15
api.go
15
api.go
@ -22,10 +22,11 @@ type RegResponse struct {
|
|||||||
func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
|
func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
|
||||||
var regStatus int
|
var regStatus int
|
||||||
var reg []byte
|
var reg []byte
|
||||||
|
var err error
|
||||||
aTXT := ACMETxt{}
|
aTXT := ACMETxt{}
|
||||||
bdata, _ := ioutil.ReadAll(r.Body)
|
bdata, _ := ioutil.ReadAll(r.Body)
|
||||||
if bdata != nil && len(bdata) > 0 {
|
if bdata != nil && len(bdata) > 0 {
|
||||||
err := json.Unmarshal(bdata, &aTXT)
|
err = json.Unmarshal(bdata, &aTXT)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
regStatus = http.StatusBadRequest
|
regStatus = http.StatusBadRequest
|
||||||
reg = jsonError("malformed_json_payload")
|
reg = jsonError("malformed_json_payload")
|
||||||
@ -35,6 +36,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Fail with malformed CIDR mask in allowfrom
|
||||||
|
err = aTXT.AllowFrom.isValid()
|
||||||
|
if err != nil {
|
||||||
|
regStatus = http.StatusBadRequest
|
||||||
|
reg = jsonError("invalid_allowfrom_cidr")
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
w.WriteHeader(regStatus)
|
||||||
|
w.Write(reg)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Create new user
|
// Create new user
|
||||||
nu, err := DB.Register(aTXT.AllowFrom)
|
nu, err := DB.Register(aTXT.AllowFrom)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
37
api_test.go
37
api_test.go
@ -96,8 +96,9 @@ func TestApiRegister(t *testing.T) {
|
|||||||
|
|
||||||
allowfrom := map[string][]interface{}{
|
allowfrom := map[string][]interface{}{
|
||||||
"allowfrom": []interface{}{"123.123.123.123/32",
|
"allowfrom": []interface{}{"123.123.123.123/32",
|
||||||
"1010.10.10.10/24",
|
"2001:db8:a0b:12f0::1/32",
|
||||||
"invalid"},
|
"[::1]/64",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
response := e.POST("/register").
|
response := e.POST("/register").
|
||||||
@ -112,7 +113,37 @@ func TestApiRegister(t *testing.T) {
|
|||||||
ContainsKey("allowfrom").
|
ContainsKey("allowfrom").
|
||||||
NotContainsKey("error")
|
NotContainsKey("error")
|
||||||
|
|
||||||
response.Value("allowfrom").Array().Elements("123.123.123.123/32")
|
response.Value("allowfrom").Array().Elements("123.123.123.123/32", "2001:db8:a0b:12f0::1/32", "::1/64")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestApiRegisterBadAllowFrom(t *testing.T) {
|
||||||
|
router := setupRouter(false, false)
|
||||||
|
server := httptest.NewServer(router)
|
||||||
|
defer server.Close()
|
||||||
|
e := getExpect(t, server)
|
||||||
|
invalidVals := []string{
|
||||||
|
"invalid",
|
||||||
|
"1.2.3.4/33",
|
||||||
|
"1.2/24",
|
||||||
|
"1.2.3.4",
|
||||||
|
"12345:db8:a0b:12f0::1/32",
|
||||||
|
"1234::123::123::1/32",
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, v := range invalidVals {
|
||||||
|
|
||||||
|
allowfrom := map[string][]interface{}{
|
||||||
|
"allowfrom": []interface{}{v}}
|
||||||
|
|
||||||
|
response := e.POST("/register").
|
||||||
|
WithJSON(allowfrom).
|
||||||
|
Expect().
|
||||||
|
Status(http.StatusBadRequest).
|
||||||
|
JSON().Object().
|
||||||
|
ContainsKey("error")
|
||||||
|
|
||||||
|
response.Value("error").Equal("invalid_allowfrom_cidr")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestApiRegisterMalformedJSON(t *testing.T) {
|
func TestApiRegisterMalformedJSON(t *testing.T) {
|
||||||
|
Loading…
Reference in New Issue
Block a user