Validate client and proxy supplied strings

Malicious clients and proxies can provide potentially malicious strings in the polls. This validates the NAT type and proxy type strings to ensure that malformed strings are not displayed on a web page or passed to any of our monitoring infrastructure. If a client or proxy supplies an invalid NAT type, we return an error message. If a proxy supplies an unknown proxy type, we set the proxy type to unknown.
2025-10-13 11:11:30 -04:00 · 2022-01-12 10:53:58 -05:00 · 2022-01-12 10:53:58 -05:00 · b35a79ac24
commit b35a79ac24
parent aeb0794d28
3 changed files with 41 additions and 8 deletions
--- a/common/messages/client.go
+++ b/common/messages/client.go
@ -6,6 +6,8 @@ package messages
 import (
 	"encoding/json"
 	"fmt"
+
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/nat"
 )

 const ClientVersion = "1.0"
@ -73,8 +75,14 @@ func DecodeClientPollRequest(data []byte) (*ClientPollRequest, error) {
 		return nil, fmt.Errorf("no supplied offer")
 	}

-	if message.NAT == "" {
-		message.NAT = "unknown"
+	switch message.NAT {
+	case "":
+		message.NAT = nat.NATUnknown
+	case nat.NATUnknown:
+	case nat.NATRestricted:
+	case nat.NATUnrestricted:
+	default:
+		return nil, fmt.Errorf("invalid NAT type")
 	}

 	return &message, nil
--- a/common/messages/messages_test.go
+++ b/common/messages/messages_test.go
@ -22,7 +22,7 @@ func TestDecodeProxyPollRequest(t *testing.T) {
 			{
 				//Version 1.0 proxy message
 				"ymbcCMto7KHNGYlp",
-				"",
+				"unknown",
 				"unknown",
 				0,
 				`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`,
--- a/common/messages/proxy.go
+++ b/common/messages/proxy.go
@ -7,9 +7,18 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/nat"
 )

-const version = "1.2"
+const (
+	version = "1.2"
+
+	ProxyStandalone = "standalone"
+	ProxyWebext     = "webext"
+	ProxyBadge      = "badge"
+	ProxyUnknown    = "unknown"
+)

 /* Version 1.2 specification:

@ -116,12 +125,28 @@ func DecodePollRequest(data []byte) (sid string, proxyType string, natType strin
 		return
 	}

-	natType = message.NAT
-	if natType == "" {
-		natType = "unknown"
+	switch message.NAT {
+	case "":
+		message.NAT = nat.NATUnknown
+	case nat.NATUnknown:
+	case nat.NATRestricted:
+	case nat.NATUnrestricted:
+	default:
+		err = fmt.Errorf("invalid NAT type")
+		return
 	}

-	return message.Sid, message.Type, natType, message.Clients, nil
+	// we don't reject polls with an unknown proxy type because we encourage
+	// projects that embed proxy code to include their own type
+	switch message.Type {
+	case ProxyStandalone:
+	case ProxyWebext:
+	case ProxyBadge:
+	default:
+		message.Type = ProxyUnknown
+	}
+
+	return message.Sid, message.Type, message.NAT, message.Clients, nil
 }

 type ProxyPollResponse struct {