fix(api): validate cookie session data

pujitm · pujitm · commit 491f680607ce · 2025-01-13T11:50:24.000-05:00
diff --git a/api/dev/sessions/sess_mock-user-session b/api/dev/sessions/sess_mock-user-session
@@ -0,0 +1 @@
+unraid_login|i:1736523078;unraid_user|s:4:"root";locale|s:0:"";buildDate|s:8:"20241202";
diff --git a/api/src/unraid-api/auth/cookie.service.spec.ts b/api/src/unraid-api/auth/cookie.service.spec.ts
@@ -1,7 +1,11 @@
-import { Test, type TestingModule } from '@nestjs/testing';
+import type { TestingModule } from '@nestjs/testing';
+import { Test } from '@nestjs/testing';
+import { writeFile } from 'node:fs/promises';
+
+import { emptyDir } from 'fs-extra';
+import { afterAll, beforeAll, describe, it } from 'vitest';
+
 import { CookieService, SESSION_COOKIE_CONFIG } from './cookie.service';
-import { describe, it, beforeAll, afterAll } from 'vitest';
-import { emptyDir, ensureFile } from 'fs-extra';
 
 describe.concurrent('CookieService', () => {
     let service: CookieService;
@@ -10,7 +14,11 @@ describe.concurrent('CookieService', () => {
     // helper to create a session file
     function makeSession(sessionId: string, cookieService: CookieService = service) {
         const path = cookieService.getSessionFilePath(sessionId);
-        return ensureFile(path);
+        return writeFile(
+            path,
+            `unraid_login|i:1736523078;unraid_user|s:4:"root";locale|s:0:"";buildDate|s:8:"20241202";`,
+            'ascii'
+        );
     }
 
     beforeAll(async () => {
diff --git a/api/src/unraid-api/auth/cookie.service.ts b/api/src/unraid-api/auth/cookie.service.ts
@@ -1,4 +1,5 @@
-import { Inject, Injectable } from '@nestjs/common';
+import { Inject, Injectable, Logger } from '@nestjs/common';
+import { readFile } from 'fs/promises';
 import { join } from 'path';
 
 import { fileExists } from '@app/core/utils/files/file-exists';
@@ -18,6 +19,7 @@ type SessionCookieConfig = {
 
 @Injectable()
 export class CookieService {
+    private readonly logger = new Logger(CookieService.name);
     constructor(
         @Inject(SESSION_COOKIE_CONFIG) readonly opts: SessionCookieConfig = CookieService.defaultOpts()
     ) {}
@@ -60,10 +62,17 @@ export class CookieService {
      */
     private async isValidAuthCookie(cookieName: string, cookieValue: string): Promise<boolean> {
         const { namePrefix } = this.opts;
-        if (!cookieName.startsWith(namePrefix)) {
+        const sessionFile = this.getSessionFilePath(cookieValue);
+        if (!cookieName.startsWith(namePrefix) || !(await fileExists(sessionFile))) {
+            return false;
+        }
+        try {
+            const sessionData = await readFile(sessionFile, 'ascii');
+            return sessionData.includes('unraid_login') && sessionData.includes('unraid_user');
+        } catch (e) {
+            this.logger.error(e, 'Error reading session file');
             return false;
         }
-        return fileExists(this.getSessionFilePath(cookieValue));
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+unraid_login\|i:1736523078;unraid_user\|s:4:"root";locale\|s:0:"";buildDate\|s:8:"20241202";`