From 85ed968444165b444db5fbfbe3ba6aa82775d895 Mon Sep 17 00:00:00 2001
From: Danylo Kuvshynov
Date: Sat, 1 May 2021 17:29:37 +0300
Subject: [PATCH 1/2] Added sessionId validation for proxied requests

---
 handlers.go | 52 ++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 4 deletions(-)

diff --git a/handlers.go b/handlers.go
index 8bf143a..ce0b42c 100644
--- a/handlers.go
+++ b/handlers.go
@@ -181,7 +181,13 @@ func (app *App) HandleProxy(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
 sessionID, ok := vars["sessionId"]
 if !ok {
- app.logger.Error("session id not found")
+ app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Error("session id not found")
+ tools.JSONError(w, "session id not found", http.StatusBadRequest)
+ return
+ }
+
+ if !isValidSession(sessionID) {
+ app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Errorf("%s is not valid session id", sessionID)
 tools.JSONError(w, "session id not found", http.StatusBadRequest)
 return
 }
@@ -237,7 +243,13 @@ func (app *App) HandleReverseProxy(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
 sessionID, ok := vars["sessionId"]
 if !ok {
- app.logger.Error("session id not found")
+ app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Error("session id not found")
+ tools.JSONError(w, "session id not found", http.StatusBadRequest)
+ return
+ }
+
+ if !isValidSession(sessionID) {
+ app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Errorf("%s is not valid session id", sessionID)
 tools.JSONError(w, "session id not found", http.StatusBadRequest)
 return
 }
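Review bot: The new `Errorf("%s is not valid session id", sessionID)` line in this hunk writes the raw path segment into the log with `%s`; the value has just failed validation, and since mux path variables are (as far as I recall) URL-decoded, a value carrying newlines or control characters can forge extra log lines. Quote it instead: `app.logger.WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path)).Errorf("%q is not valid session id", sessionID)`. The same line appears in the HandleReverseProxy hunk below and in the HandleVNC and HandleLogs hunks further down this patch. The `WithField("request", fmt.Sprintf("%s %s", r.Method, r.URL.Path))` expression is now repeated at every early exit of all four handlers; a small `func (app *App) requestLogger(r *http.Request)` helper would keep them in step. The rest of HandleProxy continues past the hunk.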
@@ -271,7 +283,12 @@ func (app *App) HandleVNC() websocket.Handler {
 vars := mux.Vars(wsconn.Request())
 sessionID, ok := vars["sessionId"]
 if !ok {
- app.logger.Error("session id not found")
+ app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Error("session id not found")
+ return
+ }
+
+ if !isValidSession(sessionID) {
+ app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Errorf("%s is not valid session id", sessionID)
 return
 }
@@ -310,7 +327,12 @@ func (app *App) HandleLogs() websocket.Handler {
 vars := mux.Vars(wsconn.Request())
 sessionID, ok := vars["sessionId"]
 if !ok {
- app.logger.Error("session id not found")
+ app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Error("session id not found")
+ return
+ }
+
+ if !isValidSession(sessionID) {
+ app.logger.WithField("request", fmt.Sprintf("%s %s", wsconn.Request().Method, wsconn.Request().URL.Path)).Errorf("%s is not valid session id", sessionID)
 return
 }
@@ -388,6 +410,28 @@ func parseImage(image string) (container string) {
 return browser
 }
+func isValidSession(session string) bool {
+ /*
+ A UUID is made up of hex digits (4 chars each) along with 4 "- symbols,
+ which make its length equal to 36 characters.
+ */
+
+ sLen := len(session)
+
+ if sLen >= 36 {
+ switch sLen {
+ case 36:
+ _, err := uuid.Parse(session)
+ return err == nil
+ default:
+ sess := session[len(session)-36:]
+ _, err := uuid.Parse(sess)
+ return err == nil
+ }
+ }
+ return false
+}
+
 func getSessionStats(sessions []platform.Service) (active []platform.Service, pending []platform.Service) {
 active = make([]platform.Service, 0)
 pending = make([]platform.Service, 0)

From 418a684ce3c4e393c0694dd80fcbb3ba8ea2bbe9 Mon Sep 17 00:00:00 2001
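Review bot: `isValidSession` accepts any string whose last 36 characters parse as a UUID, so for inputs longer than 36 the prefix is never inspected; if a prefix is a legitimate part of the session id format the function needs a doc comment saying so (`// isValidSession reports whether session ends in a canonical 36-character UUID; any prefix is accepted.`), and if not, `uuid.Parse(session)` over the whole value is the safer check, since the id presumably selects the backend the request is proxied to. The `case 36`/`default` split is redundant because `session[len(session)-36:]` is already the whole string when the length is 36; the body reduces to `if len(session) < 36 { return false }`, `_, err := uuid.Parse(session[len(session)-36:])`, `return err == nil`. The block comment is also inaccurate: a canonical UUID is 32 hex digits in 8-4-4-4-12 groups plus 4 hyphens (the `"-` looks like a typo), not "hex digits (4 chars each)".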
From: Danylo Kuvshynov
Date: Mon, 3 May 2021 00:02:31 +0300
Subject: [PATCH 2/2] fix high CPU usage

---
 selenosis.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/selenosis.go b/selenosis.go
index 407fb4e..82f005b 100644
--- a/selenosis.go
+++ b/selenosis.go
@@ -80,7 +80,10 @@ func New(logger *log.Logger, client platform.Platform, browsers *config.Browsers
 ch := client.Watch()
 go func() {
- for {
+ for event := <-ch: {
+
+
+ }
 select {
 case event := <-ch:
 switch event.PlatformObject.(type) {
@@ -147,11 +150,7 @@ func New(logger *log.Logger, client platform.Platform, browsers *config.Browsers
 }
 storage.Quota().Put(quota)
 }
- default:
- break
 }
- default:
- break
 }
 }
 }()
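Review bot: `for event := <-ch: {` on the new side of this hunk is not valid Go — `for` has no `:` form — and even read as the presumably intended `for event := range ch {` it is an empty loop that swallows every event while the `select` below ends up outside any loop and runs at most once. Removing the two `default: break` arms in the next hunk already turns the `select` into a blocking receive, which is what stops the spin, so the original `for {` should stay and the three added lines be dropped. The `case event := <-ch:` context line also needs a closed-channel guard, otherwise a closed `ch` yields zero values in a tight loop again: `case event, ok := <-ch:` followed by `if !ok { return }`. The goroutine and New both continue outside the hunk.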
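Review bot: With the `default:` arms removed the `select` now blocks on `ch` indefinitely, and nothing in this hunk gives the goroutine a way to exit; unless `client.Watch()` closes the channel on shutdown (not visible here), the watcher lives for the whole process lifetime. A comment on the `go func()` stating who closes `ch`, or a done channel or context in New's signature if the caller is expected to stop it, would make that lifetime explicit. The enclosing goroutine and New start outside the hunk.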