fix adopt auth bypass, add rate limiting

2026-05-08 16:47:46 +02:00 · 2025-12-25 19:19:28 +01:00
parent 6959aff335
commit 558b4ddf1c
6 changed files with 200 additions and 28 deletions
--- a/api/adopt.go
+++ b/api/adopt.go
@@ -54,13 +54,14 @@ func (s *Server) handleAdopt(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	hostSession, err := model.LoadSession(ctx, s.store, share.Host(), s.cfg.MaxCachedPts)
-	if err != nil {
-		fmt.Fprintln(w, "Session expired!")
+	// verify caller owns the share being adopted
+	// after this check, session IS the host session
+	if sid != share.Host() {
+		fmt.Fprintln(w, "Not authorized!")
 		return
 	}

-	if hostSession.Encrypted() {
+	if session.Encrypted() {
 		fmt.Fprintln(w, "End-to-end encrypted shares cannot be adopted!")
 		return
 	}
@@ -78,13 +79,11 @@ func (s *Server) handleAdopt(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	hostSession.AddTarget(target.ID())
-	if err := hostSession.Save(ctx); err != nil {
+	session.AddTarget(target.ID())
+	if err := session.Save(ctx); err != nil {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
 	}

-	_ = session
-
 	fmt.Fprintln(w, "OK")
 }
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -15,15 +15,18 @@ import (
 func testServer() (*Server, *store.Memory) {
 	mem := store.NewMemory()
 	cfg := &config.Config{
-		PublicURL:    "https://example.com/",
-		MaxDuration:  86400,
-		MinInterval:  1,
-		MaxCachedPts: 3,
-		MaxShownPts:  100,
-		LinkStyle:    0,
-		AllowLinkReq: true,
-		PasswordHash: "$2a$10$LerNFYkUU3ZZrNHhamISZeDK8afdExOwDKbyTaUECDOLa1rV4iN.O", // "test"
-		AuthMethod:   config.AuthPassword,
+		PublicURL:      "https://example.com/",
+		MaxDuration:    86400,
+		MinInterval:    1,
+		MaxCachedPts:   3,
+		MaxShownPts:    100,
+		LinkStyle:      0,
+		AllowLinkReq:   true,
+		PasswordHash:   "$2a$10$LerNFYkUU3ZZrNHhamISZeDK8afdExOwDKbyTaUECDOLa1rV4iN.O", // "test"
+		AuthMethod:     config.AuthPassword,
+		RateLimitAuth:  10000,
+		RateLimitAdopt: 10000,
+		TrustProxy:     true,
 	}
 	return NewServer(cfg, mem), mem
 }
@@ -587,6 +590,7 @@ func TestAdopt(t *testing.T) {
 		"ado": {"1"},
 	})
 	soloLines := strings.Split(strings.TrimSpace(w.Body.String()), "\n")
+	soloSid := soloLines[1]
 	soloShareID := soloLines[3]

 	t.Run("missing fields", func(t *testing.T) {
@@ -622,7 +626,7 @@ func TestAdopt(t *testing.T) {

 	t.Run("successful adopt", func(t *testing.T) {
 		w := postForm(srv, "/api/adopt.php", url.Values{
-			"sid": {ownerSid},
+			"sid": {soloSid},
 			"nic": {"adopted-user"},
 			"aid": {soloShareID},
 			"pin": {groupPin},
@@ -632,6 +636,30 @@ func TestAdopt(t *testing.T) {
 		}
 	})

+	t.Run("unauthorized adopt", func(t *testing.T) {
+		// create another adoptable share
+		w = postForm(srv, "/api/create.php", url.Values{
+			"dur": {"3600"},
+			"int": {"5"},
+			"pwd": {"test"},
+			"mod": {"0"},
+			"ado": {"1"},
+		})
+		lines := strings.Split(strings.TrimSpace(w.Body.String()), "\n")
+		anotherShareID := lines[3]
+
+		// try to adopt with wrong session
+		w = postForm(srv, "/api/adopt.php", url.Values{
+			"sid": {ownerSid},
+			"nic": {"attacker"},
+			"aid": {anotherShareID},
+			"pin": {groupPin},
+		})
+		if !strings.Contains(w.Body.String(), "Not authorized!") {
+			t.Errorf("expected not authorized, got: %s", w.Body.String())
+		}
+	})
+
 	t.Run("non-adoptable share", func(t *testing.T) {
 		// create non-adoptable share
 		w = postForm(srv, "/api/create.php", url.Values{
@@ -642,10 +670,11 @@ func TestAdopt(t *testing.T) {
 			"ado": {"0"},
 		})
 		lines := strings.Split(strings.TrimSpace(w.Body.String()), "\n")
+		nonAdoptableSid := lines[1]
 		nonAdoptableID := lines[3]

 		w = postForm(srv, "/api/adopt.php", url.Values{
-			"sid": {ownerSid},
+			"sid": {nonAdoptableSid},
 			"nic": {"adopter"},
 			"aid": {nonAdoptableID},
 			"pin": {groupPin},
--- a/api/server.go
+++ b/api/server.go
@@ -3,22 +3,26 @@ package api
 import (
 	"io/fs"
 	"net/http"
+	"time"

 	"github.com/parkan/go-hauk/auth"
 	"github.com/parkan/go-hauk/config"
 	"github.com/parkan/go-hauk/frontend"
 	"github.com/parkan/go-hauk/linkgen"
+	"github.com/parkan/go-hauk/ratelimit"
 	"github.com/parkan/go-hauk/store"
 )

 const backendVersion = "1.6.2-go"

 type Server struct {
-	mux     *http.ServeMux
-	cfg     *config.Config
-	store   store.Store
-	auth    auth.Authenticator
-	linkgen *linkgen.Generator
+	mux         *http.ServeMux
+	cfg         *config.Config
+	store       store.Store
+	auth        auth.Authenticator
+	linkgen     *linkgen.Generator
+	rlAuth      *ratelimit.Limiter
+	rlAdopt     *ratelimit.Limiter
 }

 func NewServer(cfg *config.Config, s store.Store) *Server {
@@ -27,6 +31,8 @@ func NewServer(cfg *config.Config, s store.Store) *Server {
 		cfg:     cfg,
 		store:   s,
 		linkgen: linkgen.New(s, cfg.LinkStyle),
+		rlAuth:  ratelimit.New(cfg.RateLimitAuth, time.Minute, cfg.TrustProxy),
+		rlAdopt: ratelimit.New(cfg.RateLimitAdopt, time.Minute, cfg.TrustProxy),
 	}

 	switch cfg.AuthMethod {
@@ -41,11 +47,11 @@ func NewServer(cfg *config.Config, s store.Store) *Server {
 		srv.auth = auth.NewPasswordAuth(cfg.PasswordHash)
 	}

-	srv.mux.HandleFunc("POST /api/create.php", srv.handleCreate)
+	srv.mux.HandleFunc("POST /api/create.php", srv.rlAuth.WrapFunc(srv.handleCreate))
 	srv.mux.HandleFunc("POST /api/post.php", srv.handlePost)
 	srv.mux.HandleFunc("GET /api/fetch.php", srv.handleFetch)
 	srv.mux.HandleFunc("POST /api/stop.php", srv.handleStop)
-	srv.mux.HandleFunc("POST /api/adopt.php", srv.handleAdopt)
+	srv.mux.HandleFunc("POST /api/adopt.php", srv.rlAdopt.WrapFunc(srv.handleAdopt))
 	srv.mux.HandleFunc("POST /api/new-link.php", srv.handleNewLink)
 	srv.mux.HandleFunc("GET /dynamic.js.php", srv.handleDynamic)