mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-06 12:19:50 +00:00
fix(security): normalize request parameters and update dependencies
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
This commit is contained in:
@@ -19,6 +19,7 @@ import { eq, and } from "drizzle-orm";
|
||||
import createHttpError from "http-errors";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import logger from "@server/logger";
|
||||
import { getFirstString } from "@server/lib/requestParams";
|
||||
|
||||
export async function verifyCertificateAccess(
|
||||
req: Request,
|
||||
@@ -27,11 +28,43 @@ export async function verifyCertificateAccess(
|
||||
) {
|
||||
try {
|
||||
// Assume user/org access is already verified
|
||||
const orgId = req.params.orgId;
|
||||
const certId =
|
||||
req.params.certId || req.body?.certId || req.query?.certId;
|
||||
let domainId =
|
||||
req.params.domainId || req.body?.domainId || req.query?.domainId;
|
||||
const orgId = getFirstString(req.params.orgId);
|
||||
|
||||
const certIdFromParams = getFirstString(req.params?.certId);
|
||||
const certIdFromBody = getFirstString(req.body?.certId);
|
||||
|
||||
if (
|
||||
certIdFromParams &&
|
||||
certIdFromBody &&
|
||||
certIdFromParams !== certIdFromBody
|
||||
) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Certificate ID provided in both URL and body with different values"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
const certId = certIdFromParams || certIdFromBody;
|
||||
|
||||
const domainIdFromParams = getFirstString(req.params?.domainId);
|
||||
const domainIdFromBody = getFirstString(req.body?.domainId);
|
||||
|
||||
if (
|
||||
domainIdFromParams &&
|
||||
domainIdFromBody &&
|
||||
domainIdFromParams !== domainIdFromBody
|
||||
) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Domain ID provided in both URL and body with different values"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
let domainId = domainIdFromParams || domainIdFromBody;
|
||||
|
||||
if (!orgId) {
|
||||
return next(
|
||||
@@ -65,7 +98,7 @@ export async function verifyCertificateAccess(
|
||||
);
|
||||
}
|
||||
|
||||
domainId = cert.domainId;
|
||||
domainId = cert.domainId ?? undefined;
|
||||
if (!domainId) {
|
||||
return next(
|
||||
createHttpError(
|
||||
|
||||
@@ -17,6 +17,7 @@ import { and, eq } from "drizzle-orm";
|
||||
import createHttpError from "http-errors";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
||||
import { getFirstString } from "@server/lib/requestParams";
|
||||
|
||||
export async function verifyIdpAccess(
|
||||
req: Request,
|
||||
@@ -25,8 +26,12 @@ export async function verifyIdpAccess(
|
||||
) {
|
||||
try {
|
||||
const userId = req.user!.userId;
|
||||
const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
|
||||
const orgId = req.params.orgId;
|
||||
const idpIdRaw =
|
||||
getFirstString(req.params.idpId) ||
|
||||
getFirstString(req.body?.idpId) ||
|
||||
getFirstString(req.query?.idpId);
|
||||
const idpId = Number.parseInt(idpIdRaw ?? "", 10);
|
||||
const orgId = getFirstString(req.params.orgId);
|
||||
|
||||
if (!userId) {
|
||||
return next(
|
||||
@@ -40,7 +45,7 @@ export async function verifyIdpAccess(
|
||||
);
|
||||
}
|
||||
|
||||
if (!idpId) {
|
||||
if (Number.isNaN(idpId)) {
|
||||
return next(
|
||||
createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
|
||||
);
|
||||
|
||||
@@ -18,6 +18,7 @@ import { and, eq } from "drizzle-orm";
|
||||
import createHttpError from "http-errors";
|
||||
import HttpCode from "@server/types/HttpCode";
|
||||
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
||||
import { getFirstString } from "@server/lib/requestParams";
|
||||
|
||||
export async function verifyRemoteExitNodeAccess(
|
||||
req: Request,
|
||||
@@ -25,11 +26,11 @@ export async function verifyRemoteExitNodeAccess(
|
||||
next: NextFunction
|
||||
) {
|
||||
const userId = req.user!.userId; // Assuming you have user information in the request
|
||||
const orgId = req.params.orgId;
|
||||
const orgId = getFirstString(req.params.orgId);
|
||||
const remoteExitNodeId =
|
||||
req.params.remoteExitNodeId ||
|
||||
req.body.remoteExitNodeId ||
|
||||
req.query.remoteExitNodeId;
|
||||
getFirstString(req.params.remoteExitNodeId) ||
|
||||
getFirstString(req.body?.remoteExitNodeId) ||
|
||||
getFirstString(req.query?.remoteExitNodeId);
|
||||
|
||||
if (!userId) {
|
||||
return next(
|
||||
@@ -37,6 +38,15 @@ export async function verifyRemoteExitNodeAccess(
|
||||
);
|
||||
}
|
||||
|
||||
if (!orgId || !remoteExitNodeId) {
|
||||
return next(
|
||||
createHttpError(
|
||||
HttpCode.BAD_REQUEST,
|
||||
"Invalid organization or remote exit node ID"
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
try {
|
||||
const [remoteExitNode] = await db
|
||||
.select()
|
||||
|
||||
Reference in New Issue
Block a user