[+] Validate IPs of appservers CactuseSecurity#3024

SolidProgramming · SolidProgramming · commit d464f131087e · 2025-04-03T15:19:39.000+02:00
diff --git a/roles/database/files/sql/idempotent/fworch-texts.sql b/roles/database/files/sql/idempotent/fworch-texts.sql
@@ -3108,6 +3108,10 @@ INSERT INTO txt VALUES ('E5415', 'German',  'Passwort muss mindestens ein Sonder
 INSERT INTO txt VALUES ('E5415', 'English', 'Password must contain at least one special character (!?(){}=~$%&amp;#*-+.,_)');
 INSERT INTO txt VALUES ('E5421', 'German',  'Schl&uuml;ssel nicht gefunden oder Wert nicht konvertierbar: Wert wird gesetzt auf: ');
 INSERT INTO txt VALUES ('E5421', 'English', 'Key not found or could not convert value to int: taking value: ');
+INSERT INTO txt VALUES ('E5422', 'German',  'Eintrag enth&auml;lt nicht alle erforderlichen Spalten');
+INSERT INTO txt VALUES ('E5422', 'English', 'Entry does not contain all required columns');
+INSERT INTO txt VALUES ('E5423', 'German',  'IP-Adresse/IP-Bereich ist fehlerhaft');
+INSERT INTO txt VALUES ('E5423', 'English', 'IP Address/IP Range malformed');
 
 INSERT INTO txt VALUES ('E6001', 'German', 	'Der Re-Login war nicht erfolgreich. Haben Sie ein falsches Passwort eingegeben? Schauen Sie f&uuml;r Details bitte in die Logs.');
 INSERT INTO txt VALUES ('E6001', 'English', 'Re-login failed. Did you enter a wrong password? See log for details.');
diff --git a/roles/lib/files/FWO.Basics/IpOperations.cs b/roles/lib/files/FWO.Basics/IpOperations.cs
@@ -1,6 +1,7 @@
 using System.Net.Sockets;
 using System.Net;
 using NetTools;
+using System;
 
 namespace FWO.Basics
 {
@@ -39,6 +40,115 @@ public static (string, string) SplitIpToRange(string ipString)
             return (ipStart, ipEnd);
         }
 
+        public static bool TryParseIPStringToRange(this string ipString, out (string Start, string End) ipRange, bool strictv4Parse = false)
+        {
+            ipRange = default;
+
+            try
+            {
+                (string ipStart, string ipEnd) = SplitIpToRange(ipString);
+
+                bool ipStartOK = IPAddress.TryParse(ipStart, out IPAddress? ipAdressStart);
+                bool ipEndOK = IPAddress.TryParse(ipEnd, out IPAddress? ipAdressEnd);
+
+                if(ipAdressStart is null || ipAdressEnd is null)
+                {
+                    return false;
+                }
+
+                if(strictv4Parse && ipAdressStart?.AddressFamily == AddressFamily.InterNetwork && ipAdressEnd?.AddressFamily == AddressFamily.InterNetwork)
+                {
+                    if(!IsValidIPv4(ipStart) || !IsValidIPv4(ipEnd))
+                    {
+                        return false;
+                    }
+                }
+
+                if(!ipStartOK || !ipEndOK)
+                {
+                    return false;
+                }
+
+                if(!IPAddress.TryParse(ipStart, out _) || !IPAddress.TryParse(ipEnd, out _))
+                {
+                    return false;
+                }
+
+                ipRange.Start = ipStart;
+                ipRange.End = ipEnd;
+
+                return true;
+            }
+            catch(Exception) 
+            {
+                return false;
+            }
+        }
+
+        public static bool TryParseIPString<T>(this string ipString, out T? ipResult, bool strictv4Parse = false) 
+        {
+            ipResult = default;
+            
+            try
+            {
+                (string ipStart, string ipEnd) = SplitIpToRange(ipString);
+
+                bool ipStartOK = IPAddress.TryParse(ipStart, out IPAddress? ipAdressStart);
+                bool ipEndOK = IPAddress.TryParse(ipEnd, out IPAddress? ipAdressEnd);
+
+                if(ipAdressStart is null || ipAdressEnd is null)
+                {
+                    return false;
+                }
+
+                if(strictv4Parse && ipAdressStart?.AddressFamily == AddressFamily.InterNetwork && ipAdressEnd?.AddressFamily == AddressFamily.InterNetwork)
+                {
+                    if(!IsValidIPv4(ipStart) || !IsValidIPv4(ipEnd))
+                    {
+                        return false;
+                    }
+                }
+
+                if(!ipStartOK || !ipEndOK)
+                {
+                    return false;
+                }
+
+                if(typeof(T) == typeof((string, string)))
+                {
+                    ipResult = (T)Convert.ChangeType((ipAdressStart.ToString(), ipAdressEnd.ToString()), typeof(T));
+                    return true;
+                }
+                else if(typeof(T) == typeof(IPAddressRange) && IPAddressRange.TryParse(ipString, out IPAddressRange ipRange))
+                {
+                    ipResult = (T)Convert.ChangeType(ipRange, typeof(T));
+                    return true;
+                }else if(typeof(T) == typeof((IPAddress, IPAddress)))
+                {
+                    Tuple<IPAddress, IPAddress>? ipTuple = new(ipAdressStart, ipAdressEnd);
+                    ipResult = (T)Convert.ChangeType(ipTuple, typeof(T));
+                    return true;
+                }
+
+                return false;
+            }
+            catch(Exception)
+            {
+                return false;
+            }
+        }
+
+        private static bool IsValidIPv4(string ipAddress)
+        {
+            byte[] addBytes = [.. ipAddress.Split('.').Where(_ => byte.Parse(_) <= 255 && byte.Parse(_) >= 0).Select(byte.Parse)];
+            if(addBytes.Length != 4) return false;
+            foreach(var b in addBytes)
+            {
+                if(b < 0 || b > 255) return false;
+            }
+            return true;
+        }
+
         public static string GetObjectType(string ip1, string ip2)
         {
             ip1 = ip1.StripOffUnnecessaryNetmask();
diff --git a/roles/ui/files/FWO.UI/Data/CSVAppServerImportModel.cs b/roles/ui/files/FWO.UI/Data/CSVAppServerImportModel.cs
@@ -1,4 +1,4 @@
-﻿using FWO.Basics;
+using FWO.Basics;
 using FWO.Data.Modelling;
 
 namespace FWO.Ui.Data
@@ -16,6 +16,11 @@ public CSVAppServerImportModel (string ipString)
             (AppIPRangeStart, AppIPRangeEnd) = IpOperations.SplitIpToRange(ipString);
         }
 
+        public CSVAppServerImportModel()
+        {
+                
+        }
+
         public ModellingAppServer ToModellingAppServer()
         {
             return new ModellingAppServer()
diff --git a/roles/ui/files/FWO.UI/Services/FileUploadService.cs b/roles/ui/files/FWO.UI/Services/FileUploadService.cs
@@ -74,7 +74,7 @@ public async Task ReadFileToBytes(InputFileChangeEventArgs args)
 
                 if(!TryGetEntries(line, ';', out string[] entries) && !TryGetEntries(line, ',', out entries))
                 {
-                    error.Message = "Entry doesn't contain all required columns"; 
+                    error.Message = UserConfig.GetText("E5422"); 
                     errors.Add(error);
 
                     continue;
@@ -83,8 +83,20 @@ public async Task ReadFileToBytes(InputFileChangeEventArgs args)
                 if (IsHeader(entries))
                     continue;
 
-                CSVAppServerImportModel importAppServer = new(entries[3])
+                string ipString = entries[3];
+
+                if(!ipString.TryParseIPString<(string, string)>(out (string Start, string End) ipRange, strictv4Parse: true))
+                {
+                    error.Message = UserConfig.GetText("E5423");
+                    errors.Add(error);
+
+                    continue;
+                }
+
+                CSVAppServerImportModel importAppServer = new()
                 {
+                    AppIPRangeStart = ipRange.Start,
+                    AppIPRangeEnd = ipRange.End,
                     AppID = entries[1],
                     AppServerTyp = entries[2]
                 };
