Make allowed endpoints a list of patterns

pull/751/head
binwiederhier 2023-06-12 21:01:43 -04:00
parent 4e44b034bd
commit a8def0aed2
1 changed files with 24 additions and 14 deletions

View File

@ -5,34 +5,44 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"regexp" "regexp"
"strings"
"github.com/SherClockHolmes/webpush-go" "github.com/SherClockHolmes/webpush-go"
"heckel.io/ntfy/log" "heckel.io/ntfy/log"
"heckel.io/ntfy/user" "heckel.io/ntfy/user"
) )
// test: https://regexr.com/7eqvl
// example urls:
//
// https://android.googleapis.com/XYZ
// https://fcm.googleapis.com/XYZ
// https://updates.push.services.mozilla.com/XYZ
// https://updates-autopush.stage.mozaws.net/XYZ
// https://updates-autopush.dev.mozaws.net/XYZ
// https://AAA.notify.windows.com/XYZ
// https://AAA.push.apple.com/XYZ
const ( const (
webPushEndpointAllowRegexStr = `^https:\/\/(android\.googleapis\.com|fcm\.googleapis\.com|updates\.push\.services\.mozilla\.com|updates-autopush\.stage\.mozaws\.net|updates-autopush\.dev\.mozaws\.net|.*\.notify\.windows\.com|.*\.push\.apple\.com)\/.*$`
webPushTopicSubscribeLimit = 50 webPushTopicSubscribeLimit = 50
) )
var webPushEndpointAllowRegex = regexp.MustCompile(webPushEndpointAllowRegexStr) var (
webPushAllowedEndpointsPatterns = []string{
"https://*.google.com/",
"https://*.googleapis.com/",
"https://*.mozilla.com/",
"https://*.mozaws.net/",
"https://*.windows.com/",
"https://*.microsoft.com/",
"https://*.apple.com/",
}
webPushAllowedEndpointsRegex *regexp.Regexp
)
func init() {
for i, pattern := range webPushAllowedEndpointsPatterns {
webPushAllowedEndpointsPatterns[i] = strings.ReplaceAll(strings.ReplaceAll(pattern, ".", "\\."), "*", ".+")
}
allPatterns := fmt.Sprintf("^(%s)", strings.Join(webPushAllowedEndpointsPatterns, "|"))
fmt.Println(allPatterns)
webPushAllowedEndpointsRegex = regexp.MustCompile(allPatterns)
}
func (s *Server) handleWebPushUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error { func (s *Server) handleWebPushUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error {
req, err := readJSONWithLimit[apiWebPushUpdateSubscriptionRequest](r.Body, jsonBodyBytesLimit, false) req, err := readJSONWithLimit[apiWebPushUpdateSubscriptionRequest](r.Body, jsonBodyBytesLimit, false)
if err != nil || req.Endpoint == "" || req.P256dh == "" || req.Auth == "" { if err != nil || req.Endpoint == "" || req.P256dh == "" || req.Auth == "" {
return errHTTPBadRequestWebPushSubscriptionInvalid return errHTTPBadRequestWebPushSubscriptionInvalid
} else if !webPushEndpointAllowRegex.MatchString(req.Endpoint) { } else if !webPushAllowedEndpointsRegex.MatchString(req.Endpoint) {
return errHTTPBadRequestWebPushEndpointUnknown return errHTTPBadRequestWebPushEndpointUnknown
} else if len(req.Topics) > webPushTopicSubscribeLimit { } else if len(req.Topics) > webPushTopicSubscribeLimit {
return errHTTPBadRequestWebPushTopicCountTooHigh return errHTTPBadRequestWebPushTopicCountTooHigh