reworded some comments. removed some newlines.

reformatted some more lambdas
added validations for shell enum
2020-11-28 02:12:02 +00:00 · 2020-11-28 02:01:20 +00:00 · 2020-11-28 01:58:23 +00:00 · 2020-11-28 01:46:10 +00:00 · 2020-11-28 01:41:17 +00:00
2 changed files with 109 additions and 29 deletions
--- a/app.py
+++ b/app.py
@ -1,5 +1,9 @@
 import glob
 import json
+
+import re
+import sshpubkeys
+
 from flask import Flask, redirect, url_for, render_template, request

 # lyadmin
@ -25,6 +29,11 @@ ACCOUNT_DIR = "req/";
 FULL_PATH = str(WORKING_DIR) + str(ACCOUNT_DIR)
 CONF_PATH = str(WORKING_DIR) + "lyadmin.conf.json"

+# validation stuff
+MAX_PUB_KEY_LEN = 5000
+EMAIL_REGEX = "^[a-z0-9]+[\._]?[a-z0-9]+[@]\w+[.]\w{2,10}$"
+KEY_REGEX = "^[ -~]+$"
+
 # Account requests are given ID numbers
 # the first request will have the below
 # id number
@ -34,6 +43,14 @@ INIT_REQ_ID = "00000"
 with open(CONF_PATH) as c: conf_json_str = c.read()
 conf_obj = json.loads(conf_json_str)

+# A list of all the shell enums
+conf_obj["shell_tup_list"] = list(map(
+                lambda k : (
+                    k, conf_obj["shell"][k]
+                ),
+                list(conf_obj["shell"].keys())
+))
+
 # The main home page
@app.route("/")
 def home():
@ -48,22 +65,23 @@ def home():
    
    return render_template("index.html", u_list=u_list, page_name="home")

-
-# The page with rules
+# Generates the page with rule. No logic needed.
 def rules():
    return render_template("rules.html")

 # Generate HTML for a form widget
 def widg_fun(widg):
    if(widg.w_type == "input"):
-        # Return HTML for a single line input
-        return "input id=id_%s name=%s type=text></input"%(widg.w_name, widg.w_name)
+        return "input id=id_%s name=%s type=text></input"%(
+            widg.w_name, widg.w_name
+        )
    elif(widg.w_type == "textarea"):
-        # Return HTML for a big text input box
-        return "textarea cols=40 id=id_%s name=%s rows=10 required=\"\""%(widg.w_name, widg.w_name)
+        return "textarea cols=40 id=id_%s name=%s rows=10 required=\"\""%(
+            widg.w_name, widg.w_name
+        )
    elif(widg.w_type == "check"):
-        # Return HTML for a check box
-        return "input id=id_%s name=%s type=checkbox required=\"\""%(widg.w_name, widg.w_name)
+        return "input id=id_%s name=%s type=checkbox required=\"\""%(
+            widg.w_name, widg.w_name)
    return widg.w_type;

 # Generate HTML for request form
@ -78,32 +96,57 @@ def req():

    # Configuration for our request form
    rt = {
-        "username": Widg("username", "input", None),
-        "email for account lockout / registration confirmation (optional)": Widg("email", "input", None),
-        "SSH public key": Widg("pub_key", "textarea", None),
-        "shell of choice": Widg("shell", "choice", map(lambda k : (k, conf_obj["shell"][k]), list(conf_obj["shell"].keys()))),
-        "have you read the rules?": Widg("rule_read", "check", None)
+        "username": Widg(
+            "username",
+            "input",
+            None
+        ),
+        "email for account lockout / registration confirmation (optional)": Widg(
+            "email",
+            "input",
+            None
+        ),
+        "SSH public key": Widg(
+            "pub_key",
+            "textarea",
+            None
+        ),
+        "shell of choice": Widg(
+            "shell",
+            "choice",
+            conf_obj["shell_tup_list"]
+        ),
+        "have you read the rules?": Widg(
+            "rule_read", "check", None
+        )
        };
-    return render_template("req.html", req_tab = rt, widg_fun = widg_fun, page_name="req")
+    return render_template(
+        "req.html",
+        req_tab = rt,
+        widg_fun = widg_fun,
+        page_name="req"
+    )

-# Process input from the /req page
+def handle_invalid_data(req):
+    # print(str(e))
+    return render_template("signup.html", is_email_user = False)
+
+# Process input from user creation POST request
 def signup():
    app.route('/req/signup')

    # Get all the params from the POST
    # request
-    username = request.form["username"]
-    email = request.form["email"]
-    pub_key = request.form["pub_key"]
-    shell = request.form["shell"]
-    rule_read = request.form["rule_read"]
+    username = request.form["username"].strip()
+    email = request.form["email"].strip()
+    pub_key = request.form["pub_key"].strip()
+    shell = request.form["shell"].strip()
+    rule_read = request.form["rule_read"].strip()

    is_email_user = False;

    # If a user didnt read the rules
    # send them back
-    # Browser validations should
-    # prevent this....
    if(rule_read != "on"):
        return redirect(url_for('req'))

@ -113,18 +156,54 @@ def signup():
    else:
        email = "NO_EMAIL"

+    # Validate shell
+    if(not shell in conf_obj["shell"]):
+        print("failed shell validation")
+        return handle_invalid_data(req)
+
+    # Validate email
+    if( is_email_user and not re.search(EMAIL_REGEX, email)):
+        print("failed email validation")
+        return handle_invalid_data(req)
+        
+    # Validate the SSH pub key
+    # Most software only handles up to 4096 bit keys
+    if(len(pub_key) > MAX_PUB_KEY_LEN):
+        print("key failed len check")
+        return handle_invalid_data(req)
+
+    # Only printable ascii characters in
+    # a valid key
+    # if(not re.search("^[ -~]+$", pub_key)):
+    if(not re.search(KEY_REGEX, pub_key)):
+        print("key failed regex")
+        return handle_invalid_data(req)
+
+    # Check the key against a library
+    key = sshpubkeys.SSHKey(
+        pub_key,
+        strict_mode=False,
+        skip_option_parsing=True
+    )
+    try:
+        key.parse()
+    except Exception as e:
+        print("key failed lib validation")
+        return handle_invalid_data(request)
+
    # All users requests have a sequential ID
-    # this checks how many requests we have
-    # and gives us a free ID so we can save
-    # our request
-    # This sets the ID of the request we're
-    # abou to save to dsik
+    # The below picks the next ID based on
+    # how many requests we already have saved
+    # to disk
    if(len(glob.glob(ACCOUNT_DIR + str("[0-9]*ident*"))) == 0):
        new_id = int(INIT_REQ_ID)
        new_id_str = INIT_REQ_ID
    else:
-        max_id = max(list(map( lambda path : path.split("/")[-1].split(".")[0] , glob.glob(str(ACCOUNT_DIR) + "[0-9]*ident*"))))
-        # max_id = max(list(map( lambda path : path.split("/")[-1].split(".")[0] , glob.glob("./test/[0-9]*ident*"))))
+        max_id = max(
+            list(map(
+                lambda path : path.split("/")[-1].split(".")[0],
+                glob.glob(str(ACCOUNT_DIR) + "[0-9]*ident*")))
+        )
        zpad = len(max_id)
        new_id = int(max_id)+1
        new_id_str = str(new_id).zfill(zpad)
--- a/requirements.txt
+++ b/requirements.txt
@ -1 +1,2 @@
 Flask==1.1.2
+sshpubkeys==3.1.0
Author	SHA1	Message	Date
gashapwn	90e1a3a73b	reworded some comments. removed some newlines.	2020-11-28 02:12:02 +00:00
gashapwn	2ad636e887	reformatted some more lambdas	2020-11-28 02:01:20 +00:00
gashapwn	d74d38a582	added validations for shell enum	2020-11-28 01:58:23 +00:00
gashapwn	8fafc34bcb	reformatted req method	2020-11-28 01:46:10 +00:00
gashapwn	e8a9e53c35	added validations for sshkey pub_key email	2020-11-28 01:41:17 +00:00