Handle ArgumentErrors from Plug.Crypto.non_executable_binary_to_term (#2269)

This was found in the NervesCloud Sentry.

If an invalid device identifier, this this case an Erlang term, is
encoded in the shared secret auth,
`Plug.Crypto.non_executable_binary_to_term/2` correctly catches it, but
an error is raised which we don't handle nicely.

This PR rescues `ArgumentError`s, logs a message, and rejects the auth
request.

Author: joshk

lib/nerves_hub_web/channels/device_socket.ex

@@ -114,6 +114,17 @@ defmodule NervesHubWeb.DeviceSocket do
 
         {:error, :invalid_auth}
     end
+  rescue
+    e in ArgumentError ->
+      headers = Map.new(x_headers)
+
+      :telemetry.execute([:nerves_hub, :devices, :invalid_auth], %{count: 1}, %{
+        auth: :shared_secrets,
+        reason: e,
+        product_key: Map.get(headers, "x-nh-key", "*empty*")
+      })
+
+      {:error, :invalid_auth}
   end
 
   def connect(_params, _socket, _connect_info) do

test/nerves_hub_web/channels/websocket_test.exs

@@ -481,6 +481,26 @@ defmodule NervesHubWeb.WebsocketTest do
         refute_online(device)
       end
     end
+
+    test "safely rejects if an ETF is passed in as a device identifier", %{user: user} do
+      org = Fixtures.org_fixture(user)
+      product = Fixtures.product_fixture(user, org)
+      assert {:ok, auth} = Products.create_shared_secret_auth(product)
+
+      identifier = &Ecto.UUID.generate/0
+
+      opts = [
+        mint_opts: [protocols: [:http1]],
+        uri: "ws://127.0.0.1:#{@web_port}/device-socket/websocket",
+        headers: Utils.nh1_key_secret_headers(auth, identifier)
+      ]
+
+      {:ok, socket} = SocketClient.start_link(opts)
+
+      SocketClient.wait_connect(socket)
+
+      refute SocketClient.connected?(socket)
+    end
   end
 
   describe "duplicate connections using the same device id" do