Merge pull request #78 from commjoen/fix-vulns

commjoen · web-flow · commit 79994aa4e06e · 2022-10-03T05:58:47.000+02:00
Check teamname before proxy &amp; make hmackey configurable per deployment
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml
@@ -60,6 +60,8 @@ spec:
               value: {{ .Values.wrongsecrets.tag}}
             - name: WRONGSECRETS_DESKTOP_TAG
               value: 1.5.7RC1
+            - name: REACT_APP_CREATE_TEAM_HMAC_KEY
+              value: hardcodedkey
             - name: SECRETS_MANAGER_SECRET_ID_1
               value: {{ .Values.balancer.env.SECRETS_MANAGER_SECRET_ID_1 }}
             - name: SECRETS_MANAGER_SECRET_ID_2
diff --git a/wrongsecrets-balancer/src/app.js b/wrongsecrets-balancer/src/app.js
@@ -66,6 +66,7 @@ app.get('/balancer/dynamics', (req, res) => {
     heroku_wrongsecret_ctf_url: process.env['REACT_APP_HEROKU_WRONGSECRETS_URL'],
     ctfd_url: process.env['REACT_APP_CTFD_URL'],
     s3_bucket_url: process.env['REACT_APP_S3_BUCKET_URL'],
+    hmac_key: process.env['REACT_APP_CREATE_TEAM_HMAC_KEY'],
     enable_password: usePassword,
   });
 });
diff --git a/wrongsecrets-balancer/src/proxy/proxy.js b/wrongsecrets-balancer/src/proxy/proxy.js
@@ -105,7 +105,11 @@ async function updateLastConnectTimestamp(req, res, next) {
  */
 function proxyTrafficToJuiceShop(req, res) {
   const teamname = req.teamname;
-  //TODO: FIX THE PORT!
+  const regex = new RegExp('^[a-z0-9]([-a-z0-9])+[a-z0-9]$', 'i');
+  if (!regex.test(teamname)) {
+    logger.info(`Got malformed teamname: ${teamname}s`);
+    return res.redirect('/balancer/');
+  }
   const currentReferrerForDesktop = '/?desktop';
   logger.debug(
     `Proxying request ${req.method.toLocaleUpperCase()} ${
@@ -126,7 +130,6 @@ function proxyTrafficToJuiceShop(req, res) {
     req.path === '/files/socket.io/' ||
     req.path === '/files/socket.io/socket.io.js.map'
   ) {
-    // logger.info('we have a desktop entry for team ' + teamname);
     target = {
       target: `http://${teamname}-virtualdesktop.${teamname}.svc:8080`,
       ws: true,
@@ -139,7 +142,6 @@ function proxyTrafficToJuiceShop(req, res) {
   }
   logger.info(`we got ${teamname} requesting ${target.target}`);
 
-  //TODO: FIX THAT THIS WILL WORK IN THE FUTURE!
   if (req.path === '/guaclite') {
     let server = res.socket.server;
     logger.info('putting ws through for /quaclite');
@@ -158,6 +160,11 @@ function proxyTrafficToJuiceShop(req, res) {
     });
     server.on('connect', function (req, socket, head) {
       const connectTeamname = extractTeamName(req);
+      const regex = new RegExp('^[a-z0-9]([-a-z0-9])+[a-z0-9]$', 'i');
+      if (!regex.test(connectTeamname)) {
+        logger.info(`Got malformed teamname: ${teamname}s`);
+        return res.redirect('/balancer/');
+      }
       logger.info(`proxying upgrade request for: ${req.url} with team ${connectTeamname}`);
       proxy.ws(req, socket, head, {
         target: `ws://${connectTeamname}-virtualdesktop.${connectTeamname}.svc:8080`,
diff --git a/wrongsecrets-balancer/src/teams/teams.js b/wrongsecrets-balancer/src/teams/teams.js
@@ -7,10 +7,10 @@ const Joi = require('@hapi/joi');
 const expressJoiValidation = require('express-joi-validation');
 const promClient = require('prom-client');
 const accessPassword = process.env.REACT_APP_ACCESS_PASSWORD;
+const hmac_key = process.env.REACT_APP_CREATE_TEAM_HMAC_KEY || 'hardcodedkey';
 
 const validator = expressJoiValidation.createValidator();
 const k8sEnv = process.env.K8S_ENV || 'k8s';
-
 const router = express.Router();
 
 const {
@@ -96,7 +96,7 @@ async function validateHMAC(req, res, next) {
     const { team } = req.params;
     const { hmacvalue } = req.body;
     const validationValue = crypto
-      .createHmac('sha256', 'hardcodedkey')
+      .createHmac('sha256', hmac_key)
       .update(`${team}`, 'utf-8')
       .digest('hex');
     if (validationValue === hmacvalue) {
diff --git a/wrongsecrets-balancer/ui/src/pages/JoinPage.js b/wrongsecrets-balancer/ui/src/pages/JoinPage.js
@@ -58,7 +58,7 @@ export const JoinPage = injectIntl(({ intl }) => {
       }
       if (dynamics.enable_password) {
         const hmacvalue = cryptoJS
-          .HmacSHA256(`${teamname}`, 'hardcodedkey')
+          .HmacSHA256(`${teamname}`, dynamics.hmac_key)
           .toString(cryptoJS.enc.Hex);
         const { data } = await axios.post(`/balancer/teams/${teamname}/join`, {
           passcode,
@@ -68,7 +68,7 @@ export const JoinPage = injectIntl(({ intl }) => {
         navigate(`/teams/${teamname}/joined/`, { state: { passcode: data.passcode } });
       } else {
         const hmacvalue = cryptoJS
-          .HmacSHA256(`${teamname}`, 'hardcodedkey')
+          .HmacSHA256(`${teamname}`, dynamics.hmac_key)
           .toString(cryptoJS.enc.Hex);
         const { data } = await axios.post(`/balancer/teams/${teamname}/join`, {
           passcode,
@@ -99,6 +99,7 @@ export const JoinPage = injectIntl(({ intl }) => {
     heroku_wrongsecret_ctf_url: process.env['REACT_APP_HEROKU_WRONGSECRETS_URL'],
     ctfd_url: process.env['REACT_APP_CTFD_URL'],
     s3_bucket_url: process.env['REACT_APP_S3_BUCKET_URL'],
+    hmac_key: process.env['REACT_APP_CREATE_TEAM_HMAC_KEY'],
     enable_password: false,
   };
 
