security audit fixes #23
Changes from all commits: 8c107d5, c1af37e, 7644dbe, fc1a97e, 9782a37, 5e7586f, dc6bced, b8da995, 1bf975c, 52ae13a, 197ce1a, 691c3ef, 868a982
@@ -4,6 +4,8 @@ import os | |
import sys | ||
import urllib.request | ||
|
||
PROVIDERS=("calyx", "riseup") | ||
|
||
APIS = { | ||
"calyx": "https://api.vpn.calyx.dev/", | ||
"riseup": "https://api.float.hexacab.org/" | ||
|
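Review bot: PROVIDERS and APIS now carry the same provider names in two places, so a provider added to one and not the other will pass check_args() and then fail on the APIS lookup; derive one from the other, e.g. `PROVIDERS = tuple(APIS)` placed after the dict, or have check_args() test membership in APIS directly so there is a single source of truth for what a valid provider is.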
@@ -31,8 +33,10 @@ key cert.pem | |
def check_args(): | ||
if len(sys.argv) != 2: | ||
print("Usage: bootstrap-provider <provider>") | ||
os.exit(1) | ||
|
||
sys.exit(1) | ||
if sys.argv[1] not in PROVIDERS: | ||
|
||
print("Invalid provider") | ||
sys.exit(1) | ||
|
||
def getPath(provider): | ||
return os.path.join(os.getcwd(), "data", provider) | ||
|
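Review bot: the os.exit(1) to sys.exit(1) change fixes a genuine crash, since the os module has no exit attribute (only os._exit), so the old usage-error path raised AttributeError instead of exiting with status 1. Two follow-ups in the same region: the "Invalid provider" message does not say which names are accepted, so print PROVIDERS alongside it; and getPath() joins os.getcwd() with the raw provider string, which is only safe because check_args() has already restricted it to PROVIDERS, so either document that precondition on getPath() or have it validate its argument itself so a future caller cannot hand it an attacker-chosen path component.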
@@ -113,6 +113,9 @@ func bytesUnpadPKCS7(b []byte, blockSize int) ([]byte, error) { | |
|
||
// bytesPadPKCS7 returns the PKCS#7 padding of a byte array. | ||
func bytesPadPKCS7(b []byte, blockSize int) ([]byte, error) { | ||
if blockSize == 0 { | ||
return nil, fmt.Errorf("%w: %s", errBadInput, "blocksize cannot be zero") | ||
While we are at it, I think we should also protect against negative blockSize values. The assumption in the report is that the attacker may be able to control the
via
|
||
} | ||
// If lth mod blockSize == 0, then the input gets appended a whole block size | ||
// See https://datatracker.ietf.org/doc/html/rfc5652#section-6.3 | ||
if blockSize > math.MaxUint8 { | ||
|
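Review bot: the zero check does not cover negative block sizes: blockSize is an int and the next guard is blockSize > math.MaxUint8, so a value such as -16 passes both and reaches the lth mod blockSize arithmetic the comment refers to, from which no valid PKCS#7 pad length (1 to 255 bytes) can result. Make the first guard `if blockSize <= 0 {` and word the error as the block size having to be between 1 and 255, so the two checks together bound the whole valid range; a table test over -1, 0, 1, 255 and 256 would keep it that way.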
@@ -142,3 +145,13 @@ func bufWriteUint32(buf *bytes.Buffer, val uint32) { | |
binary.BigEndian.PutUint32(numBuf[:], val) | ||
buf.Write(numBuf[:]) | ||
} | ||
|
||
// bufWriteUint24 is a convenience function that appends to the given buffer | ||
// 3 bytes containing the big-endian representation of the given uint32 value. | ||
// Caller is responsible to ensure the passed value does not overflow the | ||
// maximal capacity of 3 bytes. | ||
func bufWriteUint24(buf *bytes.Buffer, val uint32) { | ||
b := &bytes.Buffer{} | ||
bufWriteUint32(b, val) | ||
buf.Write(b.Bytes()[1:]) | ||
} |
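Review bot: the caller-responsibility clause in the bufWriteUint24 comment is not enforced: for val above 0xFFFFFF the b.Bytes()[1:] slice silently drops the top byte and a wrong three-byte value is written. In a security-fix PR that should fail loudly, either `if val > 0xFFFFFF { panic("bufWriteUint24: value does not fit in 3 bytes") }` or an error return wrapping errBadInput as bytesPadPKCS7 does. The temporary bytes.Buffer is also unnecessary: `var b [4]byte; binary.BigEndian.PutUint32(b[:], val); buf.Write(b[1:])` yields the same three big-endian bytes without an allocation.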
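The negative block size raised in the review comment above, worked through as an added example: this is not the project's code, `errBadInput` is reused by name only, and the function names are assumed. One range check rejects zero, negative and over-255 block sizes for both padding and unpadding, and unpadding inspects the whole final block with constant-time comparisons so a decryption oracle does not learn which pad byte was wrong.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// errBadInput mirrors the sentinel the diff wraps; the name is assumed here.
var errBadInput = errors.New("bad input")

// validBlockSize is the one check both directions share. blockSize is an int,
// as in the diff, so zero, negatives and anything above 255 (the largest
// value a single pad byte can encode) all have to be rejected in one place.
func validBlockSize(blockSize int) error {
	if blockSize <= 0 || blockSize > 255 {
		return fmt.Errorf("%w: blocksize %d must be between 1 and 255", errBadInput, blockSize)
	}
	return nil
}

// padPKCS7 appends PKCS#7 padding (RFC 5652 section 6.3) to a copy of b.
// The pad length is always 1..blockSize; an aligned input gets a full block.
func padPKCS7(b []byte, blockSize int) ([]byte, error) {
	if err := validBlockSize(blockSize); err != nil {
		return nil, err
	}
	n := blockSize - len(b)%blockSize
	out := make([]byte, 0, len(b)+n)
	out = append(out, b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...), nil
}

// unpadPKCS7 verifies and strips PKCS#7 padding. Every byte of the final
// block is inspected with crypto/subtle comparisons whatever the claimed pad
// length, and all content failures map to the same error, so neither timing
// nor the error text tells a decryption oracle which byte was wrong.
func unpadPKCS7(b []byte, blockSize int) ([]byte, error) {
	if err := validBlockSize(blockSize); err != nil {
		return nil, err
	}
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, fmt.Errorf("%w: length %d is not a positive multiple of %d", errBadInput, len(b), blockSize)
	}
	n := int(b[len(b)-1])
	// good stays 1 only if 1 <= n <= blockSize and every byte inside the
	// claimed pad equals n. Bytes outside the pad are compared too, but their
	// result is masked out, so the loop always runs blockSize iterations.
	good := subtle.ConstantTimeLessOrEq(1, n) & subtle.ConstantTimeLessOrEq(n, blockSize)
	for i := 1; i <= blockSize; i++ {
		inPad := subtle.ConstantTimeLessOrEq(i, n)
		match := subtle.ConstantTimeByteEq(b[len(b)-i], byte(n))
		good &= (inPad ^ 1) | match
	}
	if good != 1 {
		return nil, fmt.Errorf("%w: invalid padding", errBadInput)
	}
	return b[:len(b)-n], nil
}

func main() {
	// Constructed sample inputs: a 12-byte message and a rejected block size.
	padded, _ := padPKCS7([]byte("ICE ICE BABY"), 16)
	fmt.Printf("%x\n", padded)
	_, err := padPKCS7([]byte("x"), -16)
	fmt.Println(err)
}
```

The masking trick `(inPad ^ 1) | match` is what keeps the loop branch-free: outside the claimed pad the term is always 1, inside it the term is the byte comparison, and the single final branch on `good` only reveals valid-or-not, which any unpad routine has to reveal anyway.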
I was thinking you could perhaps just call `server.ListenAndServe` with addr = `{ip}:0` so as to make the OS pick the next available port for you. I then saw, though, that the socks5 library you are using doesn't return the `net.Listener` (https://github.com/armon/go-socks5/blob/master/socks5.go#L100), so if you actually need to know the picked port you have no way of extracting it :( I guess we can leave this as-is for the time being, but it might be worth opening an issue as future work to open a PR on https://github.com/armon/go-socks5 to return the listener (or set it as an attribute on the server struct).
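The ephemeral-port approach discussed in the comment above, as an added example that is not part of this PR or the project's code: bind `ip:0` yourself, read the assigned port from the listener, and hand the listener to the server instead of calling `ListenAndServe`. It assumes the proxy library exposes a `Serve(net.Listener)` method (armon/go-socks5 does in the copies I have seen; confirm against the version you vendor), and the `echoServer` stand-in and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// Server is the one method this example needs from the proxy library.
// armon/go-socks5's *Server is assumed to satisfy it through its Serve
// method; verify that against the version you vendor.
type Server interface {
	Serve(l net.Listener) error
}

// ListenEphemeral binds ip:0 so the OS chooses a free port, then reads the
// port back from the listener's address. This is the step ListenAndServe
// performs internally without exposing, which is why the port is otherwise
// unknowable to the caller.
func ListenEphemeral(ip string) (net.Listener, int, error) {
	l, err := net.Listen("tcp", net.JoinHostPort(ip, "0"))
	if err != nil {
		return nil, 0, err
	}
	tcpAddr, ok := l.Addr().(*net.TCPAddr)
	if !ok {
		l.Close()
		return nil, 0, fmt.Errorf("unexpected listener address type %T", l.Addr())
	}
	return l, tcpAddr.Port, nil
}

// StartOnEphemeralPort creates the listener first, so the caller learns the
// port, and only then hands the listener to the server in the background.
// Closing the returned listener stops the server.
func StartOnEphemeralPort(ip string, srv Server) (int, net.Listener, error) {
	l, port, err := ListenEphemeral(ip)
	if err != nil {
		return 0, nil, err
	}
	go func() { _ = srv.Serve(l) }()
	return port, l, nil
}

// echoServer stands in for the real SOCKS5 server in this example: it accepts
// connections and echoes whatever it receives, which is enough to prove that
// the port handed back is the one actually being served.
type echoServer struct{}

func (echoServer) Serve(l net.Listener) error {
	for {
		conn, err := l.Accept()
		if err != nil {
			return err // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			_, _ = io.Copy(c, c)
		}(conn)
	}
}

func main() {
	port, l, err := StartOnEphemeralPort("127.0.0.1", echoServer{})
	if err != nil {
		panic(err)
	}
	defer l.Close()
	fmt.Printf("serving on 127.0.0.1:%d\n", port)
}
```

Binding to a specific loopback or interface address rather than `0.0.0.0` matters here: an ephemeral port is not a secret, and a proxy that only needs to serve local clients should not be reachable from other hosts.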