Fix CVE-2024-46256 and CVE-2024-46257

jc21 · jc21 · commit c39d5433bcd1 · 2024-10-11T11:31:57.000+10:00
- Schema validate against bad domain characters
- Integration test for CVE POC examples
- Cypress rewrite of plugins for file upload
diff --git a/backend/schema/common.json b/backend/schema/common.json
@@ -76,7 +76,7 @@
 			"uniqueItems": true,
 			"items": {
 				"type": "string",
-				"pattern": "^(?:\\*\\.)?(?:[^.*]+\\.?)+[^.]$"
+				"pattern": "^[^&| @!#%^();:/\\\\}{=+?<>,~`'\"]+$"
 			}
 		},
 		"enabled": {
diff --git a/backend/schema/components/error.json b/backend/schema/components/error.json
@@ -0,0 +1,9 @@
+{
+	"type": "object",
+	"description": "Error",
+	"properties": {
+		"error": {
+			"$ref": "./error-object.json"
+		}
+	}
+}
diff --git a/backend/schema/paths/nginx/certificates/post.json b/backend/schema/paths/nginx/certificates/post.json
@@ -72,6 +72,26 @@
 					}
 				}
 			}
+		},
+		"400": {
+			"description": "400 response",
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"error": {
+									"code": 400,
+									"message": "Domains are invalid"
+								}
+							}
+						}
+					},
+					"schema": {
+						"$ref": "../../../components/error.json"
+					}
+				}
+			}
 		}
 	}
 }
diff --git a/backend/schema/paths/nginx/certificates/validate/post.json b/backend/schema/paths/nginx/certificates/validate/post.json
@@ -50,6 +50,42 @@
 								"certificate_key": true
 							}
 						}
+					},
+					"schema": {
+						"type": "object",
+						"additionalProperties": false,
+						"required": ["certificate", "certificate_key"],
+						"properties": {
+							"certificate": {
+								"type": "object",
+								"additionalProperties": false,
+								"required": ["cn", "issuer", "dates"],
+								"properties": {
+									"cn": {
+										"type": "string"
+									},
+									"issuer": {
+										"type": "string"
+									},
+									"dates": {
+										"type": "object",
+										"additionalProperties": false,
+										"required": ["from", "to"],
+										"properties": {
+											"from": {
+												"type": "integer"
+											},
+											"to": {
+												"type": "integer"
+											}
+										}
+									}
+								}
+							},
+							"certificate_key": {
+								"type": "boolean"
+							}
+						}
 					}
 				}
 			}
@@ -67,6 +103,9 @@
 								}
 							}
 						}
+					},
+					"schema": {
+						"$ref": "../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/disable/post.json b/backend/schema/paths/nginx/dead-hosts/hostID/disable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/enable/post.json b/backend/schema/paths/nginx/dead-hosts/hostID/enable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/disable/post.json b/backend/schema/paths/nginx/proxy-hosts/hostID/disable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/enable/post.json b/backend/schema/paths/nginx/proxy-hosts/hostID/enable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/redirection-hosts/hostID/disable/post.json b/backend/schema/paths/nginx/redirection-hosts/hostID/disable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/redirection-hosts/hostID/enable/post.json b/backend/schema/paths/nginx/redirection-hosts/hostID/enable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/streams/streamID/disable/post.json b/backend/schema/paths/nginx/streams/streamID/disable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/backend/schema/paths/nginx/streams/streamID/enable/post.json b/backend/schema/paths/nginx/streams/streamID/enable/post.json
@@ -50,7 +50,7 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../../../../components/error-object.json"
+						"$ref": "../../../../../components/error.json"
 					}
 				}
 			}
diff --git a/test/cypress/e2e/api/Certificates.cy.js b/test/cypress/e2e/api/Certificates.cy.js
@@ -0,0 +1,50 @@
+/// <reference types="Cypress" />
+
+describe('Certificates endpoints', () => {
+	let token;
+
+	before(() => {
+		cy.getToken().then((tok) => {
+			token = tok;
+		});
+	});
+
+	it('Validate custom certificate', function() {
+		cy.task('backendApiPostFiles', {
+			token: token,
+			path:  '/api/nginx/certificates/validate',
+			files:  {
+				certificate: 'test.example.com.pem',
+				certificate_key: 'test.example.com-key.pem',
+			},
+		}).then((data) => {
+			cy.validateSwaggerSchema('post', 200, '/nginx/certificates/validate', data);
+			expect(data).to.have.property('certificate');
+			expect(data).to.have.property('certificate_key');
+		});
+	});
+
+	it('Request Certificate - CVE-2024-46256/CVE-2024-46257', function() {
+		cy.task('backendApiPost', {
+			token: token,
+			path:  '/api/nginx/certificates',
+			data:  {
+				domain_names: ['test.com"||echo hello-world||\\\\n test.com"'],
+				meta:         {
+					dns_challenge:     false,
+					letsencrypt_agree: true,
+					letsencrypt_email: 'admin@example.com',
+				},
+				provider: 'letsencrypt',
+			},
+			returnOnError: true,
+		}).then((data) => {
+			cy.validateSwaggerSchema('post', 400, '/nginx/certificates', data);
+			expect(data).to.have.property('error');
+			expect(data.error).to.have.property('message');
+			expect(data.error).to.have.property('code');
+			expect(data.error.code).to.equal(400);
+			expect(data.error.message).to.contain('data/domain_names/0 must match pattern');
+		});
+	});
+});
diff --git a/test/cypress/fixtures/test.example.com-key.pem b/test/cypress/fixtures/test.example.com-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1n9j9C5Bes1nd
+qACDckERauxXVNKCnUlUM1buGBx1xc+j2e2Ar23wUJJuWBY18VfT8yqfqVDktO2w
+rbmvZvLuPmXePOKbIKS+XXh+2NG9L5bDG9rwGFCRXnbQj+GWCdMfzx14+CR1IHge
+Yz6Cv/Si2/LJPCh/CoBfM4hUQJON3lxAWrWBpdbZnKYMrxuPBRfW9OuzTbCVXToQ
+oxRAHiOR9081Xn1WeoKr7kVBIa5UphlvWXa12w1YmUwJu7YndnJGIavLWeNCVc7Z
+Eo+nS8Wr/4QWicatIWZXpVaEOPhRoeplQDxNWg5b/Q26rYoVd7PrCmRs7sVcH79X
+zGONeH1PAgMBAAECggEAANb3Wtwl07pCjRrMvc7WbC0xYIn82yu8/g2qtjkYUJcU
+ia5lQbYN7RGCS85Oc/tkq48xQEG5JQWNH8b918jDEMTrFab0aUEyYcru1q9L8PL6
+YHaNgZSrMrDcHcS8h0QOXNRJT5jeGkiHJaTR0irvB526tqF3knbK9yW22KTfycUe
+a0Z9voKn5xRk1DCbHi/nk2EpT7xnjeQeLFaTIRXbS68omkr4YGhwWm5OizoyEGZu
+W0Zum5BkQyMr6kor3wdxOTG97ske2rcyvvHi+ErnwL0xBv0qY0Dhe8DpuXpDezqw
+o72yY8h31Fu84i7sAj24YuE5Df8DozItFXQpkgbQ6QKBgQDPrufhvIFm2S/MzBdW
+H8JxY7CJlJPyxOvc1NIl9RczQGAQR90kx52cgIcuIGEG6/wJ/xnGfMmW40F0DnQ+
+N+oLgB9SFxeLkRb7s9Z/8N3uIN8JJFYcerEOiRQeN2BXEEWJ7bUThNtsVrAcKoUh
+ELsDmnHW/3V+GKwhd0vpk842+wKBgQDf4PGLG9PTE5tlAoyHFodJRd2RhTJQkwsU
+MDNjLJ+KecLv+Nl+QiJhoflG1ccqtSFlBSCG067CDQ5LV0xm3mLJ7pfJoMgjcq31
+qjEmX4Ls91GuVOPtbwst3yFKjsHaSoKB5fBvWRcKFpBUezM7Qcw2JP3+dQT+bQIq
+cMTkRWDSvQKBgQDOdCQFDjxg/lR7NQOZ1PaZe61aBz5P3pxNqa7ClvMaOsuEQ7w9
+vMYcdtRq8TsjA2JImbSI0TIg8gb2FQxPcYwTJKl+FICOeIwtaSg5hTtJZpnxX5LO
+utTaC0DZjNkTk5RdOdWA8tihyUdGqKoxJY2TVmwGe2rUEDjFB++J4inkEwKBgB6V
+g0nmtkxanFrzOzFlMXwgEEHF+Xaqb9QFNa/xs6XeNnREAapO7JV75Cr6H2hFMFe1
+mJjyqCgYUoCWX3iaHtLJRnEkBtNY4kzyQB6m46LtsnnnXO/dwKA2oDyoPfFNRoDq
+YatEd3JIXNU9s2T/+x7WdOBjKhh72dTkbPFmTPDdAoGAU6rlPBevqOFdObYxdPq8
+EQWu44xqky3Mf5sBpOwtu6rqCYuziLiN7K4sjN5GD5mb1cEU+oS92ZiNcUQ7MFXk
+8yTYZ7U0VcXyAcpYreWwE8thmb0BohJBr+Mp3wLTx32x0HKdO6vpUa0d35LUTUmM
+RrKmPK/msHKK/sVHiL+NFqo=
+-----END PRIVATE KEY-----
diff --git a/test/cypress/fixtures/test.example.com.pem b/test/cypress/fixtures/test.example.com.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYDCCAsigAwIBAgIRAPoSC0hvitb26ODMlsH6YbowDQYJKoZIhvcNAQELBQAw
+gZExHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEzMDEGA1UECwwqamN1
+cm5vd0BKYW1pZXMtTGFwdG9wLmxvY2FsIChKYW1pZSBDdXJub3cpMTowOAYDVQQD
+DDFta2NlcnQgamN1cm5vd0BKYW1pZXMtTGFwdG9wLmxvY2FsIChKYW1pZSBDdXJu
+b3cpMB4XDTI0MTAwOTA3MjIxN1oXDTI3MDEwOTA3MjIxN1owXjEnMCUGA1UEChMe
+bWtjZXJ0IGRldmVsb3BtZW50IGNlcnRpZmljYXRlMTMwMQYDVQQLDCpqY3Vybm93
+QEphbWllcy1MYXB0b3AubG9jYWwgKEphbWllIEN1cm5vdykwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC1n9j9C5Bes1ndqACDckERauxXVNKCnUlUM1bu
+GBx1xc+j2e2Ar23wUJJuWBY18VfT8yqfqVDktO2wrbmvZvLuPmXePOKbIKS+XXh+
+2NG9L5bDG9rwGFCRXnbQj+GWCdMfzx14+CR1IHgeYz6Cv/Si2/LJPCh/CoBfM4hU
+QJON3lxAWrWBpdbZnKYMrxuPBRfW9OuzTbCVXToQoxRAHiOR9081Xn1WeoKr7kVB
+Ia5UphlvWXa12w1YmUwJu7YndnJGIavLWeNCVc7ZEo+nS8Wr/4QWicatIWZXpVaE
+OPhRoeplQDxNWg5b/Q26rYoVd7PrCmRs7sVcH79XzGONeH1PAgMBAAGjZTBjMA4G
+A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNVHSMEGDAWgBSB
+/vfmBUd4W7CvyEMl7YpMVQs8vTAbBgNVHREEFDASghB0ZXN0LmV4YW1wbGUuY29t
+MA0GCSqGSIb3DQEBCwUAA4IBgQASwON/jPAHzcARSenY0ZGY1m5OVTYoQ/JWH0oy
+l8SyFCQFEXt7UHDD/eTtLT0vMyc190nP57P8lTnZGf7hSinZz1B1d6V4cmzxpk0s
+VXZT+irL6bJVJoMBHRpllKAhGULIo33baTrWFKA0oBuWx4AevSWKcLW5j87kEawn
+ATCuMQ1I3ifR1mSlB7X8fb+vF+571q0NGuB3a42j6rdtXJ6SmH4+9B4qO0sfHDNt
+IImpLCH/tycDpcYrGSCn1QrekFG1bSEh+Bb9i8rqMDSDsYrTFPZTuOQ3EtjGni9u
+m+rEP3OyJg+md8c+0LVP7/UU4QWWnw3/Wolo5kSCxE8vNTFqi4GhVbdLnUtcIdTV
+XxuR6cKyW87Snj1a0nG76ZLclt/akxDhtzqeV60BO0p8pmiev8frp+E94wFNYCmp
+1cr3CnMEGRaficLSDFC6EBENzlZW2BQT6OMIV+g0NBgSyQe39s2zcdEl5+SzDVuw
+hp8bJUp/QN7pnOVCDbjTQ+HVMXw=
+-----END CERTIFICATE-----
diff --git a/test/cypress/plugins/backendApi/client.js b/test/cypress/plugins/backendApi/client.js
diff --git a/test/cypress/plugins/backendApi/task.js b/test/cypress/plugins/backendApi/task.js
diff --git a/test/package.json b/test/package.json
diff --git a/test/yarn.lock b/test/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@`
`76`	`76`	`"uniqueItems": true,`
`77`	`77`	`"items": {`
`78`	`78`	`"type": "string",`
`79`		`- "pattern": "^(?:\\\\.)?(?:[^.]+\\.?)+[^.]$"`
	`79`	+ "pattern": "^[^&\| @!#%^();:/\\\\}{=+?<>,~`'\"]+$"
`80`	`80`	`}`
`81`	`81`	`},`
`82`	`82`	`"enabled": {`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,26 @@`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`	`}`
	`75`	`+ },`
	`76`	`+ "400": {`
	`77`	`+ "description": "400 response",`
	`78`	`+ "content": {`
	`79`	`+ "application/json": {`
	`80`	`+ "examples": {`
	`81`	`+ "default": {`
	`82`	`+ "value": {`
	`83`	`+ "error": {`
	`84`	`+ "code": 400,`
	`85`	`+ "message": "Domains are invalid"`
	`86`	`+ }`
	`87`	`+ }`
	`88`	`+ }`
	`89`	`+ },`
	`90`	`+ "schema": {`
	`91`	`+ "$ref": "../../../components/error.json"`
	`92`	`+ }`
	`93`	`+ }`
	`94`	`+ }`
`75`	`95`	`}`
`76`	`96`	`}`
`77`	`97`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,42 @@`
`50`	`50`	`"certificate_key": true`
`51`	`51`	`}`
`52`	`52`	`}`
	`53`	`+ },`
	`54`	`+ "schema": {`
	`55`	`+ "type": "object",`
	`56`	`+ "additionalProperties": false,`
	`57`	`+ "required": ["certificate", "certificate_key"],`
	`58`	`+ "properties": {`
	`59`	`+ "certificate": {`
	`60`	`+ "type": "object",`
	`61`	`+ "additionalProperties": false,`
	`62`	`+ "required": ["cn", "issuer", "dates"],`
	`63`	`+ "properties": {`
	`64`	`+ "cn": {`
	`65`	`+ "type": "string"`
	`66`	`+ },`
	`67`	`+ "issuer": {`
	`68`	`+ "type": "string"`
	`69`	`+ },`
	`70`	`+ "dates": {`
	`71`	`+ "type": "object",`
	`72`	`+ "additionalProperties": false,`
	`73`	`+ "required": ["from", "to"],`
	`74`	`+ "properties": {`
	`75`	`+ "from": {`
	`76`	`+ "type": "integer"`
	`77`	`+ },`
	`78`	`+ "to": {`
	`79`	`+ "type": "integer"`
	`80`	`+ }`
	`81`	`+ }`
	`82`	`+ }`
	`83`	`+ }`
	`84`	`+ },`
	`85`	`+ "certificate_key": {`
	`86`	`+ "type": "boolean"`
	`87`	`+ }`
	`88`	`+ }`
`53`	`89`	`}`
`54`	`90`	`}`
`55`	`91`	`}`
`@@ -67,6 +103,9 @@`
`67`	`103`	`}`
`68`	`104`	`}`
`69`	`105`	`}`
	`106`	`+ },`
	`107`	`+ "schema": {`
	`108`	`+ "$ref": "../../../../components/error.json"`
`70`	`109`	`}`
`71`	`110`	`}`
`72`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@`
`50`	`50`	`}`
`51`	`51`	`},`
`52`	`52`	`"schema": {`
`53`		`- "$ref": "../../../../../components/error-object.json"`
	`53`	`+ "$ref": "../../../../../components/error.json"`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`	`}`