TrueCloudLab/lego
15
0
Fork 4
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity

frostfs: Reject tokens with slash character

Browse source 
Current reverse proxy configs assume that token is a valid filename
with no nesting levels. It's better to reject unsupported tokens early

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
This commit is contained in:
Vitaliy Potyarkin 2024-10-16 17:16:35 +03:00
parent 61ce76f648
commit 597d147c7d
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
providers/http/frostfs/frostfs.go
View file

@ -8,6 +8,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/go-acme/lego/v4/challenge" "github.com/go-acme/lego/v4/challenge"
@ -46,7 +47,9 @@ func NewHTTPProvider(endpoint, cid, walletPath, walletAccount, walletPassword st
} }
func (w *HTTPProvider) Present(domain, token, keyAuth string) error { func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
var err error if strings.Contains(token, "/") {
return fmt.Errorf("token with slash character is not supported: %s", token)
}
if w.oid != "" { if w.oid != "" {
return fmt.Errorf("%T is not safe to re-enter: object was saved and not yet cleaned up: %s", w, w.oid) return fmt.Errorf("%T is not safe to re-enter: object was saved and not yet cleaned up: %s", w, w.oid)
} }
@ -54,6 +57,7 @@ func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
defer cancel() defer cancel()
var err error
expires, err := w.frostfs.Epoch(ctx, time.Now().Add(tokenLifetime)) expires, err := w.frostfs.Epoch(ctx, time.Now().Add(tokenLifetime))
if err != nil { if err != nil {
return fmt.Errorf("failed to calculate token expiration: %w", err) return fmt.Errorf("failed to calculate token expiration: %w", err)