fix: harden input validation, authentication, and P2P broadcast verification

ZelBack/src/services/fluxCommunicationUtils.js

@@ -94,6 +94,7 @@ const VerifyResult = Object.freeze({
   MALFORMED: 'malformed',
   NODE_NOT_FOUND: 'nodeNotFound',
   BAD_SIGNATURE: 'badSignature',
+  PUBKEY_MISMATCH: 'pubkeyMismatch',
 });
 
 async function verifyFluxBroadcast(broadcast) {
@@ -188,13 +189,19 @@ async function verifyFluxBroadcast(broadcast) {
   }
 
   // if we get a map, we have hit the default case and searched for pubkeys
-  const found = target instanceof Map
-    ? true
-    : Boolean(await networkStateService.getFluxnodeBySocketAddress(target));
-
-  if (!found) {
-    log.warn(error);
-    return VerifyResult.NODE_NOT_FOUND;
+  if (target instanceof Map) {
+    // default case: already verified pubkey exists in network
+  } else {
+    const node = await networkStateService.getFluxnodeBySocketAddress(target);
+    if (!node) {
+      log.warn(error);
+      return VerifyResult.NODE_NOT_FOUND;
+    }
+    // verify the sender's pubKey matches the node at the target IP
+    if (node.pubkey !== pubKey) {
+      log.warn(`Sender pubkey ${pubKey} does not match node at ${target}`);
+      return VerifyResult.PUBKEY_MISMATCH;
+    }
   }
 
   const messageToVerify = version + message + timestamp;

ZelBack/src/services/fluxNetworkHelper.js

@@ -314,6 +314,11 @@ async function isFluxAvailable(ip, port = config.server.apiport) {
     if (!config.server.allowedPorts.includes(+port)) {
       throw new Error('Invalid Port');
     }
+    const socketAddress = +port === config.server.apiport ? ip : `${ip}:${port}`;
+    const isConfirmedNode = await fluxCommunicationUtils.socketAddressInFluxList(socketAddress);
+    if (!isConfirmedNode) {
+      return false;
+    }
     const fluxResponse = await serviceHelper.axiosGet(`http://${ip}:${port}/flux/version`, axiosConfig);
     if (fluxResponse.data.status !== 'success') return false;
 

ZelBack/src/services/syncthingService.js

@@ -2015,6 +2015,11 @@ async function debugFile(req, res) {
  * @returns {object} Message
  */
 async function getEvents(req, res) {
+  const authorized = res ? await verificationHelper.verifyPrivilege('adminandfluxteam', req) : true;
+  if (authorized !== true) {
+    const response = messageHelper.errUnauthorizedMessage();
+    return res ? res.json(response) : response;
+  }
   try {
     let { events } = req.params;
     events = events || req.query.events;
@@ -2050,6 +2055,11 @@ async function getEvents(req, res) {
  * @returns {object} Message
  */
 async function getEventsDisk(req, res) {
+  const authorized = res ? await verificationHelper.verifyPrivilege('adminandfluxteam', req) : true;
+  if (authorized !== true) {
+    const response = messageHelper.errUnauthorizedMessage();
+    return res ? res.json(response) : response;
+  }
   try {
     let { since } = req.params;
     since = since || req.query.since;
@@ -2114,7 +2124,8 @@ async function getSvcRandomString(req, res) {
   let apiPath = '/rest/svc/random/string';
   try {
     if (length) {
-      if (+length < 0 || +length > 10000) {
+      const parsedLength = Number(length);
+      if (!Number.isFinite(parsedLength) || parsedLength < 0 || parsedLength > 10000) {
         const authorized = res ? await verificationHelper.verifyPrivilege('adminandfluxteam', req) : true;
         if (authorized !== true) {
           const response = messageHelper.errUnauthorizedMessage();