Validate the incoming nodekey with regex before attempting to parse
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
d06ba7b522
commit
2bb34751d1
2 changed files with 19 additions and 0 deletions
16
api.go
16
api.go
|
@ -95,6 +95,22 @@ func (h *Headscale) RegisterWebAPI(
|
||||||
vars := mux.Vars(req)
|
vars := mux.Vars(req)
|
||||||
nodeKeyStr, ok := vars["nkey"]
|
nodeKeyStr, ok := vars["nkey"]
|
||||||
|
|
||||||
|
if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
|
||||||
|
log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
|
||||||
|
|
||||||
|
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||||
|
writer.WriteHeader(http.StatusUnauthorized)
|
||||||
|
_, err := writer.Write([]byte("Unauthorized"))
|
||||||
|
if err != nil {
|
||||||
|
log.Error().
|
||||||
|
Caller().
|
||||||
|
Err(err).
|
||||||
|
Msg("Failed to write response")
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// We need to make sure we dont open for XSS style injections, if the parameter that
|
// We need to make sure we dont open for XSS style injections, if the parameter that
|
||||||
// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
|
// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
|
||||||
// the template and log an error.
|
// the template and log an error.
|
||||||
|
|
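Review bot: The new guard on the `if !NodePublicKeyRegex.Match(...)` line is only as strong as the pattern it uses, and as written in utils.go that pattern is unanchored, so a value such as `<script>nodekey:ab` still passes this check and `nodeKeyStr` reaches the code below as-is; the comment that follows the hunk says the goal is to refuse rendering anything that is not a valid NodePublic key, so the safer shape is to parse the value (e.g. `key.NodePublic` via `UnmarshalText`) and render the parsed key's canonical `String()` rather than the raw path parameter, with the regex only as a cheap pre-filter. A malformed key is a request-format problem rather than a missing credential, so `http.StatusBadRequest` describes it more accurately than `http.StatusUnauthorized`, though the choice does not affect safety. The `log.Warn().Str("node_key", nodeKeyStr)` call records attacker-controlled text; zerolog escapes it in JSON output, but if a console writer is configured it is worth confirming the string cannot break log lines. `RegisterWebAPI` begins and ends outside this hunk.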
3
utils.go
3
utils.go
|
@ -17,6 +17,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"reflect"
|
"reflect"
|
||||||
|
"regexp"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
@ -64,6 +65,8 @@ const (
|
||||||
ZstdCompression = "zstd"
|
ZstdCompression = "zstd"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var NodePublicKeyRegex = regexp.MustCompile("nodekey:[a-fA-F0-9]+")
|
||||||
|
|
||||||
func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string {
|
func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string {
|
||||||
return strings.TrimPrefix(machineKey.String(), machinePublicHexPrefix)
|
return strings.TrimPrefix(machineKey.String(), machinePublicHexPrefix)
|
||||||
}
|
}
|
||||||
|
|
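Review bot: `NodePublicKeyRegex` on the new `var` line has no `^`/`$` anchors, so `Match` reports true for any string that merely contains `nodekey:` followed by a single hex digit, which defeats its use as an input filter for untrusted URL parameters. Anchor it, and if node keys are always a fixed hex length (they appear to be, but confirm against `key.NodePublic`), pin that length too: `var NodePublicKeyRegex = regexp.MustCompile("^nodekey:[a-fA-F0-9]{64}$")`. As an exported identifier it also needs a doc comment, e.g. `// NodePublicKeyRegex matches the textual form of a node public key: "nodekey:" followed by hex digits.`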