Prevent abuse of osctrl-tls public endpoints
javuto committed Feb 7, 2025
1 parent c83d76e commit 9fe845b
Showing 3 changed files with 97 additions and 0 deletions.
84 changes: 84 additions & 0 deletions tls/handlers/post.go
Expand Up @@ -30,6 +30,12 @@ func (h *HandlersTLS) EnrollHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricEnrollErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -121,6 +127,12 @@ func (h *HandlersTLS) ConfigHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricConfigErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -187,6 +199,12 @@ func (h *HandlersTLS) LogHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricLogErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -272,6 +290,12 @@ func (h *HandlersTLS) QueryReadHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricReadErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -352,6 +376,12 @@ func (h *HandlersTLS) QueryWriteHandler(w http.ResponseWriter, r *http.Request)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricWriteErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -432,6 +462,12 @@ func (h *HandlersTLS) QuickEnrollHandler(w http.ResponseWriter, r *http.Request)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricOnelinerErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -509,6 +545,12 @@ func (h *HandlersTLS) QuickRemoveHandler(w http.ResponseWriter, r *http.Request)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricOnelinerErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -588,6 +630,12 @@ func (h *HandlersTLS) CarveInitHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricInitErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -660,6 +708,12 @@ func (h *HandlersTLS) CarveBlockHandler(w http.ResponseWriter, r *http.Request)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricBlockErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -721,6 +775,12 @@ func (h *HandlersTLS) FlagsHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricFlagsErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -781,6 +841,12 @@ func (h *HandlersTLS) CertHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricCertErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -834,6 +900,12 @@ func (h *HandlersTLS) VerifyHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricVerifyErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -898,6 +970,12 @@ func (h *HandlersTLS) ScriptHandler(w http.ResponseWriter, r *http.Request) {
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricScriptErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
Expand Down Expand Up @@ -988,6 +1066,12 @@ func (h *HandlersTLS) EnrollPackageHandler(w http.ResponseWriter, r *http.Reques
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// To prevent abuse, check if the received UUID is valid
if !utils.CheckUUID(envVar) {
h.Inc(metricPackageErr)
utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
return
}
// Get environment
env, err := h.Envs.GetByUUID(envVar)
if err != nil {
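Review bot: The six-line guard is pasted verbatim into fourteen handlers, differing only in the metric it increments, so the next handler added to this file can silently miss it; factoring the environment resolution into one helper would make the check impossible to forget. A method wrapping the empty-value check, `utils.CheckUUID(envVar)` and `h.Envs.GetByUUID(envVar)` that takes the handler's error metric, writes the 400 on failure and returns the environment plus an ok flag would replace each block with a two-line call. Note also that a syntactic check only filters malformed strings: a client sending well-formed random UUIDs still drives one `GetByUUID` lookup per request, so if the abuse being addressed is lookup cost rather than junk input, a negative-result cache or rate limiting at the router is still needed. Every handler's body continues outside its hunk.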
9 changes: 9 additions & 0 deletions utils/string-utils.go
Expand Up @@ -36,6 +36,15 @@ func GenUUID() string {
return uuid.New().String()
}

// CheckUUID - Helper to check if a string is a valid UUID
func CheckUUID(s string) bool {
_, err := uuid.Parse(s)
if err != nil {
return false
}
return true
}

// StringToInteger - Helper to convert a string into integer
func StringToInteger(s string) int64 {
v, err := strconv.ParseInt(s, 10, 64)
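Review bot: `CheckUUID` spells `err == nil` as a four-line if/else; `_, err := uuid.Parse(s)` followed by `return err == nil` is the idiomatic form. More importantly for callers using it as an abuse filter, the doc comment should state what "valid" means: if `uuid` is google/uuid, `Parse` also accepts the `urn:uuid:` prefix, braces and the 32-hex form without hyphens, so this accepts several spellings of the same identifier, not only the canonical form `GenUUID` emits. If callers need the canonical 36-character form, `u, err := uuid.Parse(s); return err == nil && u.String() == s` pins it; suggested comment: `// CheckUUID reports whether s parses as a UUID in any form uuid.Parse accepts; it does not enforce the canonical hyphenated spelling.`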
4 changes: 4 additions & 0 deletions utils/string-utils_test.go
Expand Up @@ -21,6 +21,10 @@ func TestGenUUID(t *testing.T) {
assert.NotEmpty(t, GenUUID())
}

func TestCheckUUID(t *testing.T) {
assert.True(t, CheckUUID(GenUUID()))
}

func TestStringToInteger(t *testing.T) {
assert.Equal(t, int64(123), StringToInteger("123"))
}
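Review bot: `TestCheckUUID` only exercises the accepting path, so an implementation that always returned true would pass; the rejection branch the handlers now depend on is untested. Adding `assert.False(t, CheckUUID(""))` and `assert.False(t, CheckUUID("not-a-uuid"))` covers it, and a near-miss such as a canonical UUID with its last character removed would guard the length boundary.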
