Validate input of expiration time for setup-keys (netbirdio#1053)

So far we accepted any value for setup keys, including negative values Now we are checking if it is less than 1 day or greater than 365 days
pulsastrix · Aug 4, 2023 · 49ea612 · 49ea612
1 parent e8353bf
commit 49ea612
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/management/server/http/api/openapi.yml b/management/server/http/api/openapi.yml
@@ -369,7 +369,9 @@ components:
         expires_in:
           description: Expiration time in seconds
           type: integer
-          example: 43200
+          minimum: 86400
+          maximum: 31536000
+          example: 86400
         revoked:
           description: Setup key revocation status
           type: boolean

diff --git a/management/server/http/setupkeys_handler.go b/management/server/http/setupkeys_handler.go
@@ -60,6 +60,13 @@ func (h *SetupKeysHandler) CreateSetupKey(w http.ResponseWriter, r *http.Request
 
 	expiresIn := time.Duration(req.ExpiresIn) * time.Second
 
+	day := time.Hour * 24
+	year := day * 365
+	if expiresIn < day || expiresIn > year {
+		util.WriteError(status.Errorf(status.InvalidArgument, "expiresIn should be between 1 day and 365 days"), w)
+		return
+	}
+
 	if req.AutoGroups == nil {
 		req.AutoGroups = []string{}
 	}

diff --git a/management/server/http/setupkeys_handler_test.go b/management/server/http/setupkeys_handler_test.go
@@ -143,7 +143,7 @@ func TestSetupKeysHandlers(t *testing.T) {
 			requestType: http.MethodPost,
 			requestPath: "/api/setup-keys",
 			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"type\":\"%s\"}", newSetupKey.Name, newSetupKey.Type))),
+				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"type\":\"%s\",\"expires_in\":86400}", newSetupKey.Name, newSetupKey.Type))),
 			expectedStatus:   http.StatusOK,
 			expectedBody:     true,
 			expectedSetupKey: toResponseBody(newSetupKey),