Skip to content

Commit

Permalink
Fail closed with malformed allowfrom data in register endpoint (#148)
Browse files Browse the repository at this point in the history
* Prepare readme for release

* Fail closed with malformed allowfrom data in register endpoint
  • Loading branch information
joohoi authored Feb 22, 2019
1 parent 395cb7a commit af5d256
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 4 deletions.
10 changes: 10 additions & 0 deletions acmetxt.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,16 @@ func (c *cidrslice) JSON() string {
return string(ret)
}

func (c *cidrslice) isValid() error {
for _, v := range *c {
_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
if err != nil {
return err
}
}
return nil
}

func (c *cidrslice) ValidEntries() []string {
valid := []string{}
for _, v := range *c {
Expand Down
15 changes: 14 additions & 1 deletion api.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,11 @@ type RegResponse struct {
func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
var regStatus int
var reg []byte
var err error
aTXT := ACMETxt{}
bdata, _ := ioutil.ReadAll(r.Body)
if bdata != nil && len(bdata) > 0 {
err := json.Unmarshal(bdata, &aTXT)
err = json.Unmarshal(bdata, &aTXT)
if err != nil {
regStatus = http.StatusBadRequest
reg = jsonError("malformed_json_payload")
Expand All @@ -35,6 +36,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
return
}
}

// Fail with malformed CIDR mask in allowfrom
err = aTXT.AllowFrom.isValid()
if err != nil {
regStatus = http.StatusBadRequest
reg = jsonError("invalid_allowfrom_cidr")
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(regStatus)
w.Write(reg)
return
}

// Create new user
nu, err := DB.Register(aTXT.AllowFrom)
if err != nil {
Expand Down
37 changes: 34 additions & 3 deletions api_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,8 +96,9 @@ func TestApiRegister(t *testing.T) {

allowfrom := map[string][]interface{}{
"allowfrom": []interface{}{"123.123.123.123/32",
"1010.10.10.10/24",
"invalid"},
"2001:db8:a0b:12f0::1/32",
"[::1]/64",
},
}

response := e.POST("/register").
Expand All @@ -112,7 +113,37 @@ func TestApiRegister(t *testing.T) {
ContainsKey("allowfrom").
NotContainsKey("error")

response.Value("allowfrom").Array().Elements("123.123.123.123/32")
response.Value("allowfrom").Array().Elements("123.123.123.123/32", "2001:db8:a0b:12f0::1/32", "::1/64")
}

func TestApiRegisterBadAllowFrom(t *testing.T) {
router := setupRouter(false, false)
server := httptest.NewServer(router)
defer server.Close()
e := getExpect(t, server)
invalidVals := []string{
"invalid",
"1.2.3.4/33",
"1.2/24",
"1.2.3.4",
"12345:db8:a0b:12f0::1/32",
"1234::123::123::1/32",
}

for _, v := range invalidVals {

allowfrom := map[string][]interface{}{
"allowfrom": []interface{}{v}}

response := e.POST("/register").
WithJSON(allowfrom).
Expect().
Status(http.StatusBadRequest).
JSON().Object().
ContainsKey("error")

response.Value("error").Equal("invalid_allowfrom_cidr")
}
}

func TestApiRegisterMalformedJSON(t *testing.T) {
Expand Down

0 comments on commit af5d256

Please sign in to comment.