Fail closed with malformed allowfrom data in register endpoint (#148)

* Prepare readme for release * Fail closed with malformed allowfrom data in register endpoint
2024-12-22 17:03:43 +07:00 · 2019-02-22 16:53:11 +02:00 · 2019-02-22 16:53:11 +02:00 · af5d2561d2
commit af5d2561d2
parent 395cb7a62c
3 changed files with 58 additions and 4 deletions
--- a/acmetxt.go
+++ b/acmetxt.go
@ -30,6 +30,16 @@ func (c *cidrslice) JSON() string {
 	return string(ret)
 }
 func (c *cidrslice) isValid() error {
 	for _, v := range *c {
 		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (c *cidrslice) ValidEntries() []string {
 	valid := []string{}
 	for _, v := range *c {
--- a/api.go
+++ b/api.go
@ -22,10 +22,11 @@ type RegResponse struct {
 func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var regStatus int
 	var reg []byte
 	var err error
 	aTXT := ACMETxt{}
 	bdata, _ := ioutil.ReadAll(r.Body)
 	if bdata != nil && len(bdata) > 0 {
-		err := json.Unmarshal(bdata, &aTXT)
+		err = json.Unmarshal(bdata, &aTXT)
 		if err != nil {
 			regStatus = http.StatusBadRequest
 			reg = jsonError("malformed_json_payload")
@ -35,6 +36,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
 			return
 		}
 	}
 	// Fail with malformed CIDR mask in allowfrom
 	err = aTXT.AllowFrom.isValid()
 	if err != nil {
 		regStatus = http.StatusBadRequest
 		reg = jsonError("invalid_allowfrom_cidr")
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(regStatus)
 		w.Write(reg)
 		return
 	}
 	// Create new user
 	nu, err := DB.Register(aTXT.AllowFrom)
 	if err != nil {
--- a/api_test.go
+++ b/api_test.go
@ -96,8 +96,9 @@ func TestApiRegister(t *testing.T) {
 	allowfrom := map[string][]interface{}{
 		"allowfrom": []interface{}{"123.123.123.123/32",
-			"1010.10.10.10/24",
+			"2001:db8:a0b:12f0::1/32",
-			"invalid"},
+			"[::1]/64",
 		},
 	}
 	response := e.POST("/register").
@ -112,7 +113,37 @@ func TestApiRegister(t *testing.T) {
 		ContainsKey("allowfrom").
 		NotContainsKey("error")
-	response.Value("allowfrom").Array().Elements("123.123.123.123/32")
+	response.Value("allowfrom").Array().Elements("123.123.123.123/32", "2001:db8:a0b:12f0::1/32", "::1/64")
 }
 func TestApiRegisterBadAllowFrom(t *testing.T) {
 	router := setupRouter(false, false)
 	server := httptest.NewServer(router)
 	defer server.Close()
 	e := getExpect(t, server)
 	invalidVals := []string{
 		"invalid",
 		"1.2.3.4/33",
 		"1.2/24",
 		"1.2.3.4",
 		"12345:db8:a0b:12f0::1/32",
 		"1234::123::123::1/32",
 	}
 	for _, v := range invalidVals {
 		allowfrom := map[string][]interface{}{
 			"allowfrom": []interface{}{v}}
 		response := e.POST("/register").
 			WithJSON(allowfrom).
 			Expect().
 			Status(http.StatusBadRequest).
 			JSON().Object().
 			ContainsKey("error")
 		response.Value("error").Equal("invalid_allowfrom_cidr")
 	}
 }
 func TestApiRegisterMalformedJSON(t *testing.T) {