Merge pull request #592 from jmpsec/check-uuid-len-tls

javuto · web-flow · commit e1c6dc8acbe2 · 2025-02-07T16:46:50.000+01:00
Prevent abuse of `osctrl-tls` public endpoints
diff --git a/tls/handlers/post.go b/tls/handlers/post.go
@@ -30,6 +30,12 @@ func (h *HandlersTLS) EnrollHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricEnrollErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -121,6 +127,12 @@ func (h *HandlersTLS) ConfigHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricConfigErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -187,6 +199,12 @@ func (h *HandlersTLS) LogHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricLogErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -272,6 +290,12 @@ func (h *HandlersTLS) QueryReadHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricReadErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -352,6 +376,12 @@ func (h *HandlersTLS) QueryWriteHandler(w http.ResponseWriter, r *http.Request)
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricWriteErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -432,6 +462,12 @@ func (h *HandlersTLS) QuickEnrollHandler(w http.ResponseWriter, r *http.Request)
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricOnelinerErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -509,6 +545,12 @@ func (h *HandlersTLS) QuickRemoveHandler(w http.ResponseWriter, r *http.Request)
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricOnelinerErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -588,6 +630,12 @@ func (h *HandlersTLS) CarveInitHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricInitErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -660,6 +708,12 @@ func (h *HandlersTLS) CarveBlockHandler(w http.ResponseWriter, r *http.Request)
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricBlockErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -721,6 +775,12 @@ func (h *HandlersTLS) FlagsHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricFlagsErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -781,6 +841,12 @@ func (h *HandlersTLS) CertHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricCertErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -834,6 +900,12 @@ func (h *HandlersTLS) VerifyHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricVerifyErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -898,6 +970,12 @@ func (h *HandlersTLS) ScriptHandler(w http.ResponseWriter, r *http.Request) {
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricScriptErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
@@ -988,6 +1066,12 @@ func (h *HandlersTLS) EnrollPackageHandler(w http.ResponseWriter, r *http.Reques
 		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
 		return
 	}
+	// To prevent abuse, check if the received UUID is valid
+	if !utils.CheckUUID(envVar) {
+		h.Inc(metricPackageErr)
+		utils.HTTPResponse(w, "", http.StatusBadRequest, []byte(""))
+		return
+	}
 	// Get environment
 	env, err := h.Envs.GetByUUID(envVar)
 	if err != nil {
diff --git a/utils/string-utils.go b/utils/string-utils.go
@@ -36,6 +36,15 @@ func GenUUID() string {
 	return uuid.New().String()
 }
 
+// CheckUUID - Helper to check if a string is a valid UUID
+func CheckUUID(s string) bool {
+	_, err := uuid.Parse(s)
+	if err != nil {
+		return false
+	}
+	return true
+}
+
 // StringToInteger - Helper to convert a string into integer
 func StringToInteger(s string) int64 {
 	v, err := strconv.ParseInt(s, 10, 64)
diff --git a/utils/string-utils_test.go b/utils/string-utils_test.go
@@ -21,6 +21,10 @@ func TestGenUUID(t *testing.T) {
 	assert.NotEmpty(t, GenUUID())
 }
 
+func TestCheckUUID(t *testing.T) {
+	assert.True(t, CheckUUID(GenUUID()))
+}
+
 func TestStringToInteger(t *testing.T) {
 	assert.Equal(t, int64(123), StringToInteger("123"))
 }

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,10 @@ func TestGenUUID(t *testing.T) {`
`21`	`21`	`assert.NotEmpty(t, GenUUID())`
`22`	`22`	`}`
`23`	`23`
	`24`	`+func TestCheckUUID(t *testing.T) {`
	`25`	`+ assert.True(t, CheckUUID(GenUUID()))`
	`26`	`+}`
	`27`	`+`
`24`	`28`	`func TestStringToInteger(t *testing.T) {`
`25`	`29`	`assert.Equal(t, int64(123), StringToInteger("123"))`
`26`	`30`	`}`