mirror of https://github.com/tailscale/tailscale/
ipn/{ipnlocal,localapi}: use strs.CutPrefix, add more domain validation
The GitHub CodeQL scanner flagged the localapi's cert domain usage as a problem because user input in the URL made it to disk stat checks. The domain is validated against the ipnstate.Status later, and only authenticated root/configured users can hit this, but add some paranoia anyway.

Change-Id: I373ef23832f1d8b3a27208bc811b6588ae5a1ddd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

pull/5660/head
parent
f0347e841f
commit
4a82b317b7
@ -0,0 +1,30 @@
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build !ios && !android && !js
// +build !ios,!android,!js
package localapi
import "testing"
func TestValidLookingCertDomain(t *testing.T) {
tests := []struct {
in string
want bool
}{
{"foo.com", true},
{"foo..com", false},
{"foo/com.com", false},
{"NUL", false},
{"", false},
{"foo\\bar.com", false},
{"foo\x00bar.com", false},
}
for _, tt := range tests {
if got := validLookingCertDomain(tt.in); got != tt.want {
t.Errorf("validLookingCertDomain(%q) = %v, want %v", tt.in, got, tt.want)
}
}
}
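Review bot: The table in TestValidLookingCertDomain has no case with a colon and none for a bare `..` or a leading-dot name, which are the remaining path-significant shapes once the domain reaches the disk stat checks the commit message describes. Assuming the validator is meant to refuse them, I would add `{"..", false},` and `{"foo:bar.com", false},` next to the existing slash, backslash and NUL-byte rows. The `{"NUL", false}` row also does not show which rule rejects it (no dot, or a reserved device name), so a dotted variant of a reserved name would pin that down. validLookingCertDomain is defined outside this section, so the expected values need confirming against its body.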