Fail closed with malformed allowfrom data in register endpoint (#148)

* Prepare readme for release * Fail closed with malformed allowfrom data in register endpoint
2024-12-22 17:33:44 +07:00 · 2019-02-22 16:53:11 +02:00 · 2019-02-22 16:53:11 +02:00 · af5d2561d2
commit af5d2561d2
parent 395cb7a62c
3 changed files with 58 additions and 4 deletions
--- a/acmetxt.go
+++ b/acmetxt.go
@ -30,6 +30,16 @@ func (c *cidrslice) JSON() string {
 	return string(ret)
 }

+func (c *cidrslice) isValid() error {
+	for _, v := range *c {
+		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (c *cidrslice) ValidEntries() []string {
 	valid := []string{}
 	for _, v := range *c {
--- a/api.go
+++ b/api.go
@ -22,10 +22,11 @@ type RegResponse struct {
 func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var regStatus int
 	var reg []byte
+	var err error
 	aTXT := ACMETxt{}
 	bdata, _ := ioutil.ReadAll(r.Body)
 	if bdata != nil && len(bdata) > 0 {
-		err := json.Unmarshal(bdata, &aTXT)
+		err = json.Unmarshal(bdata, &aTXT)
 		if err != nil {
 			regStatus = http.StatusBadRequest
 			reg = jsonError("malformed_json_payload")
@ -35,6 +36,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
 			return
 		}
 	}
+
+	// Fail with malformed CIDR mask in allowfrom
+	err = aTXT.AllowFrom.isValid()
+	if err != nil {
+		regStatus = http.StatusBadRequest
+		reg = jsonError("invalid_allowfrom_cidr")
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(regStatus)
+		w.Write(reg)
+		return
+	}
+
 	// Create new user
 	nu, err := DB.Register(aTXT.AllowFrom)
 	if err != nil {
--- a/api_test.go
+++ b/api_test.go
@ -96,8 +96,9 @@ func TestApiRegister(t *testing.T) {

 	allowfrom := map[string][]interface{}{
 		"allowfrom": []interface{}{"123.123.123.123/32",
-			"1010.10.10.10/24",
-			"invalid"},
+			"2001:db8:a0b:12f0::1/32",
+			"[::1]/64",
+		},
 	}

 	response := e.POST("/register").
@ -112,7 +113,37 @@ func TestApiRegister(t *testing.T) {
 		ContainsKey("allowfrom").
 		NotContainsKey("error")

-	response.Value("allowfrom").Array().Elements("123.123.123.123/32")
+	response.Value("allowfrom").Array().Elements("123.123.123.123/32", "2001:db8:a0b:12f0::1/32", "::1/64")
+}
+
+func TestApiRegisterBadAllowFrom(t *testing.T) {
+	router := setupRouter(false, false)
+	server := httptest.NewServer(router)
+	defer server.Close()
+	e := getExpect(t, server)
+	invalidVals := []string{
+		"invalid",
+		"1.2.3.4/33",
+		"1.2/24",
+		"1.2.3.4",
+		"12345:db8:a0b:12f0::1/32",
+		"1234::123::123::1/32",
+	}
+
+	for _, v := range invalidVals {
+
+		allowfrom := map[string][]interface{}{
+			"allowfrom": []interface{}{v}}
+
+		response := e.POST("/register").
+			WithJSON(allowfrom).
+			Expect().
+			Status(http.StatusBadRequest).
+			JSON().Object().
+			ContainsKey("error")
+
+		response.Value("error").Equal("invalid_allowfrom_cidr")
+	}
 }

 func TestApiRegisterMalformedJSON(t *testing.T) {