Merge pull request #55 from sev-2/fix/security-issue

toopay · web-flow · commit 954c9f45c95e · 2024-07-24T22:08:45.000+07:00
fix(security) ddos potencial
diff --git a/controller.go b/controller.go
@@ -710,9 +710,32 @@ func StorageProxy(appCtx Context, bucketName string, routePath string) error {
 // Default Proxy Handler
 var proxyLogger = logger.HcLog().Named("raiden.controller.proxy")
 
-func ProxyHandler(
-	targetURL *url.URL,
-	basePath string,
+// reference path from https://github.com/supabase/auth/blob/master/openapi.yaml
+var allowedAuthPathMap = map[string]bool{
+	"token":          true,
+	"logout":         true,
+	"verify":         true,
+	"signup":         true,
+	"recover":        true,
+	"resend":         true,
+	"magiclink":      true,
+	"otp":            true,
+	"user":           true,
+	"reauthenticate": true,
+	"factors":        true,
+	"authorize":      true,
+	"callback":       true,
+	"sso":            true,
+	"saml":           true,
+	"invite":         true,
+	"generate_link":  true,
+	"admin":          true,
+	"settings":       true,
+	"health":         true,
+}
+
+func AuthProxy(
+	config *Config,
 	requestInterceptor func(req *fasthttp.Request),
 	responseInterceptor func(resp *fasthttp.Response) error,
 ) fasthttp.RequestHandler {
@@ -723,15 +746,24 @@ func ProxyHandler(
 
 		// Copy the original request to the new request object
 		ctx.Request.CopyTo(req)
-
-		paths := strings.Split(req.URI().String(), basePath)
+		paths := strings.Split(req.URI().String(), "/auth/v1")
 		if len(paths) < 2 {
 			ctx.Request.Header.SetContentType("application/json")
 			ctx.SetBodyString("{ \"message\" : \"invalid path\"}")
 			return
 		}
 
-		proxyUrl := fmt.Sprintf("%s%s%s", targetURL.String(), basePath, paths[1])
+		// validate sub path
+		forwardedPath := paths[1]
+		subPath := strings.Split(forwardedPath, "/")
+		if _, exist := allowedAuthPathMap[subPath[1]]; !exist {
+			ctx.Response.SetStatusCode(fasthttp.StatusNotFound)
+			errResponse := "{ \"messages\": \"resource not found\"}"
+			ctx.Response.SetBodyString(errResponse)
+			return
+		}
+
+		proxyUrl := fmt.Sprintf("%s/auth/v1%s", config.SupabasePublicUrl, forwardedPath)
 		req.SetRequestURI(proxyUrl)
 
 		resp := fasthttp.AcquireResponse()
diff --git a/controller_test.go b/controller_test.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net/url"
 	"testing"
 
 	"github.com/sev-2/raiden"
@@ -302,14 +301,17 @@ func TestStorageController(t *testing.T) {
 	assert.NoError(t, storage.AfterHead(ctx))
 }
 
-// Test ProxyHandler
-func TestProxyHandler(t *testing.T) {
-	ctx := newMockCtx()
-	targetURL, _ := url.Parse("http://example.com")
+// Test AuthProxy
+func TestAuthProxy(t *testing.T) {
+	ctx := &mock.MockContext{
+		RequestCtx: &fasthttp.RequestCtx{},
+		ConfigFn: func() *raiden.Config {
+			return &raiden.Config{SupabasePublicUrl: "/"}
+		},
+	}
 
-	handler := raiden.ProxyHandler(
-		targetURL,
-		"/",
+	handler := raiden.AuthProxy(
+		ctx.Config(),
 		func(req *fasthttp.Request) {},
 		func(resp *fasthttp.Response) error { return nil },
 	)
@@ -319,6 +321,64 @@ func TestProxyHandler(t *testing.T) {
 	assert.Equal(t, fasthttp.StatusOK, ctx.Response.StatusCode())
 }
 
+// Test AuthProxy
+func TestAuthProxy_ActualCallWithoutMock(t *testing.T) {
+	ctx := &mock.MockContext{
+		RequestCtx: &fasthttp.RequestCtx{},
+		ConfigFn: func() *raiden.Config {
+			return &raiden.Config{SupabasePublicUrl: "/"}
+		},
+	}
+
+	handler := raiden.AuthProxy(
+		ctx.Config(),
+		func(req *fasthttp.Request) {},
+		func(resp *fasthttp.Response) error { return nil },
+	)
+
+	ctx.Request.SetRequestURI("/auth/v1/signup")
+	handler(ctx.RequestCtx)
+	assert.Equal(t, fasthttp.StatusInternalServerError, ctx.Response.StatusCode())
+}
+
+func TestAuthProxy_NotAllowedPath(t *testing.T) {
+	ctx := &mock.MockContext{
+		RequestCtx: &fasthttp.RequestCtx{},
+		ConfigFn: func() *raiden.Config {
+			return &raiden.Config{SupabasePublicUrl: "/"}
+		},
+	}
+
+	handler := raiden.AuthProxy(
+		ctx.Config(),
+		func(req *fasthttp.Request) {},
+		func(resp *fasthttp.Response) error { return nil },
+	)
+
+	ctx.Request.SetRequestURI("/auth/v1/anymore")
+	handler(ctx.RequestCtx)
+	assert.Equal(t, fasthttp.StatusNotFound, ctx.Response.StatusCode())
+}
+
+func TestAuthProxy_AllowedWithSpecificPath(t *testing.T) {
+	ctx := &mock.MockContext{
+		RequestCtx: &fasthttp.RequestCtx{},
+		ConfigFn: func() *raiden.Config {
+			return &raiden.Config{SupabasePublicUrl: "/"}
+		},
+	}
+
+	handler := raiden.AuthProxy(
+		ctx.Config(),
+		func(req *fasthttp.Request) {},
+		func(resp *fasthttp.Response) error { return nil },
+	)
+
+	ctx.Request.SetRequestURI("/auth/v1/saml/metadata")
+	handler(ctx.RequestCtx)
+	assert.Equal(t, fasthttp.StatusInternalServerError, ctx.Response.StatusCode())
+}
+
 // Test MarshallAndValidate
 func TestMarshallAndValidate(t *testing.T) {
 	ctx := newMockCtx()
diff --git a/pkg/mock/context.go b/pkg/mock/context.go
@@ -9,6 +9,7 @@ import (
 )
 
 type MockContext struct {
+	*fasthttp.RequestCtx
 	CtxFn               func() context.Context
 	SetCtxFn            func(ctx context.Context)
 	ConfigFn            func() *raiden.Config
diff --git a/router.go b/router.go
@@ -126,7 +126,7 @@ func (r *router) BuildHandler() {
 	// Proxy auth url
 	u, err := url.Parse(r.config.SupabasePublicUrl)
 	if err == nil {
-		r.engine.ANY("/auth/v1/{path:*}", ProxyHandler(u, "/auth/v1", nil, nil))
+		r.engine.ANY("/auth/v1/{path:*}", AuthProxy(r.config, nil, nil))
 
 		r.engine.GET("/realtime/v1/websocket", func(ctx *fasthttp.RequestCtx) {
 			WebSocketHandler(ctx, u)

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`type MockContext struct {`
	`12`	`+ *fasthttp.RequestCtx`
`12`	`13`	`CtxFn func() context.Context`
`13`	`14`	`SetCtxFn func(ctx context.Context)`
`14`	`15`	`ConfigFn func() *raiden.Config`