Added sessionId validation, fix high CPU usage.

alcounit · May 2, 2021 · 48098cd · 48098cd
2 parents a283926 + 418a684
commit 48098cd
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 9 deletions.
diff --git a/handlers.go b/handlers.go
@@ -181,7 +181,13 @@ func (app *App) HandleProxy(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	sessionID, ok := vars["sessionId"]
 	if !ok {
-		app.logger.Error("session id not found")
+		app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Error("session id not found")
+		tools.JSONError(w, "session id not found", http.StatusBadRequest)
+		return
+	}
+
+	if !isValidSession(sessionID) {
+		app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Errorf("%s is not valid session id", sessionID)
 		tools.JSONError(w, "session id not found", http.StatusBadRequest)
 		return
 	}
@@ -237,7 +243,13 @@ func (app *App) HandleReverseProxy(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	sessionID, ok := vars["sessionId"]
 	if !ok {
-		app.logger.Error("session id not found")
+		app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Error("session id not found")
+		tools.JSONError(w, "session id not found", http.StatusBadRequest)
+		return
+	}
+
+	if !isValidSession(sessionID) {
+		app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Errorf("%s is not valid session id", sessionID)
 		tools.JSONError(w, "session id not found", http.StatusBadRequest)
 		return
 	}
@@ -271,7 +283,12 @@ func (app *App) HandleVNC() websocket.Handler {
 		vars := mux.Vars(wsconn.Request())
 		sessionID, ok := vars["sessionId"]
 		if !ok {
-			app.logger.Error("session id not found")
+			app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Error("session id not found")
+			return
+		}
+
+		if !isValidSession(sessionID) {
+			app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Errorf("%s is not valid session id", sessionID)
 			return
 		}
 
@@ -310,7 +327,12 @@ func (app *App) HandleLogs() websocket.Handler {
 		vars := mux.Vars(wsconn.Request())
 		sessionID, ok := vars["sessionId"]
 		if !ok {
-			app.logger.Error("session id not found")
+			app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Error("session id not found")
+			return
+		}
+
+		if !isValidSession(sessionID) {
+			app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Errorf("%s is not valid session id", sessionID)
 			return
 		}
 
@@ -388,6 +410,28 @@ func parseImage(image string) (container string) {
 	return browser
 }
 
+func isValidSession(session string) bool {
+	/*
+		A UUID is made up of hex digits (4 chars each) along with 4 "- symbols,
+		which make its length equal to 36 characters.
+	*/
+
+	sLen := len(session)
+
+	if sLen >= 36 {
+		switch sLen {
+		case 36:
+			_, err := uuid.Parse(session)
+			return err == nil
+		default:
+			sess := session[len(session)-36:]
+			_, err := uuid.Parse(sess)
+			return err == nil
+		}
+	}
+	return false
+}
+
 func getSessionStats(sessions []platform.Service) (active []platform.Service, pending []platform.Service) {
 	active = make([]platform.Service, 0)
 	pending = make([]platform.Service, 0)

diff --git a/selenosis.go b/selenosis.go
@@ -80,7 +80,10 @@ func New(logger *log.Logger, client platform.Platform, browsers *config.Browsers
 
 	ch := client.Watch()
 	go func() {
-		for {
+		for event := <-ch: {
+
+
+		}
 			select {
 			case event := <-ch:
 				switch event.PlatformObject.(type) {
@@ -147,11 +150,7 @@ func New(logger *log.Logger, client platform.Platform, browsers *config.Browsers
 						}
 						storage.Quota().Put(quota)
 					}
-				default:
-					break
 				}
-			default:
-				break
 			}
 		}
 	}()