From 887ff4afeaaf2d6750321638dc5ba087e321a4e4 Mon Sep 17 00:00:00 2001 From: Jason Ross Date: Fri, 15 Sep 2023 12:02:46 -0500 Subject: [PATCH] fix(client): fix security issues in adguardhome client (#4) * fix(client): Check uint16 bounds for user provided port see https://github.com/csfreak/adguard-exporter/security/code-scanning/4 * fix(client): add option to disable tls verification defaults to false see https://github.com/csfreak/adguard-exporter/security/code-scanning/3 --- README.md | 3 +++ config/configuration.go | 42 ++++++++++++++++++++------------------ internal/adguard/client.go | 14 +++++-------- main.go | 6 +++--- 4 files changed, 33 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index b5d8afc..ff9257a 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,9 @@ scrape_configs: # Port to be used for the exporter -server_port string (optional) (default "9617") + +# Disable TLS verification +-insecure_tls_skip_verify bool (optional) (default "false") ``` ## Available Prometheus metrics diff --git a/config/configuration.go b/config/configuration.go index e8137b0..9461125 100644 --- a/config/configuration.go +++ b/config/configuration.go 
@@ -17,30 +17,32 @@ import ( // Config is the exporter CLI configuration. type Config struct { - AdguardProtocol string `config:"adguard_protocol"` - AdguardHostname string `config:"adguard_hostname"` - AdguardUsername string `config:"adguard_username"` - AdguardPassword string `config:"adguard_password"` - AdguardPort string `config:"adguard_port"` - ServerPort string `config:"server_port"` - Interval time.Duration `config:"interval"` - LogLimit string `config:"log_limit"` - RDnsEnabled bool `config:"rdns_enabled"` - PasswordFromFile bool `config:"password_from_file"` + AdguardProtocol string `config:"adguard_protocol"` + AdguardHostname string `config:"adguard_hostname"` + AdguardUsername string `config:"adguard_username"` + AdguardPassword string `config:"adguard_password"` + AdguardPort string `config:"adguard_port"` + ServerPort string `config:"server_port"` + Interval time.Duration `config:"interval"` + LogLimit string `config:"log_limit"` + RDnsEnabled bool `config:"rdns_enabled"` + PasswordFromFile bool `config:"password_from_file"` + InsecureTLSSkipVerify bool `config:"insecure_tls_skip_verify"` } func getDefaultConfig() *Config { return &Config{ - AdguardProtocol: "http", - AdguardHostname: "127.0.0.1", - AdguardUsername: "", - AdguardPassword: "", - AdguardPort: "80", - ServerPort: "9617", - Interval: 10 * time.Second, - LogLimit: "1000", - RDnsEnabled: true, - PasswordFromFile: false, + AdguardProtocol: "http", + AdguardHostname: "127.0.0.1", + AdguardUsername: "", + AdguardPassword: "", + AdguardPort: "80", + ServerPort: "9617", + Interval: 10 * time.Second, + LogLimit: "1000", + RDnsEnabled: true, + PasswordFromFile: false, + InsecureTLSSkipVerify: false, } } diff --git a/internal/adguard/client.go b/internal/adguard/client.go index 918e551..46e2bca 100644 --- a/internal/adguard/client.go +++ b/internal/adguard/client.go 
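Review bot: The new `InsecureTLSSkipVerify` field has no comment, and it is the one setting that silently turns off certificate checking for the AdGuard connection, so a reader of `Config` should be told what it gives up; I would add above the field `// InsecureTLSSkipVerify disables TLS certificate verification for the AdGuard connection (insecure_tls_skip_verify). Leave it false outside lab setups: with verification off, any host that intercepts the connection can present its own certificate and capture the basic-auth credentials.` The tag matches the `-insecure_tls_skip_verify` flag the README hunk documents, assuming the config loader derives flag names from the `config` struct tags. Worth a sentence in the same comment: the default `AdguardProtocol` is `http`, so the flag only has an effect once the protocol is switched to https, and until then the credentials travel in cleartext regardless.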
@@ -39,9 +39,9 @@ type Client struct { } // NewClient method initializes a new AdGuard client. -func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool) *Client { +func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) *Client { - temp, err := strconv.Atoi(adport) + temp, err := strconv.ParseInt(adport, 10, 16) if err != nil { log.Fatal(err) } @@ -56,7 +56,9 @@ func NewClient(protocol, hostname, username, password, adport string, interval t interval: interval, logLimit: logLimit, httpClient: http.Client{ - Transport: &http.Transport{TLSClientConfig: GetTlsConfig()}, + Transport: &http.Transport{TLSClientConfig: &tls.Config{ + InsecureSkipVerify: insecuretls, + }}, CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, @@ -263,12 +265,6 @@ func (c *Client) authenticateRequest(req *http.Request) { req.SetBasicAuth(c.username, c.password) } -func GetTlsConfig() *tls.Config { - return &tls.Config{ - InsecureSkipVerify: true, - } -} - func isValidIp(ip string) bool { if net.ParseIP(ip) == nil { return false diff --git a/main.go b/main.go index 3eee50c..5afc90f 100644 --- a/main.go +++ b/main.go 
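Review bot: `strconv.ParseInt(adport, 10, 16)` parses a signed 16-bit value, so it rejects every valid port from 32768 to 65535 and accepts negative strings such as "-1"; the commit message says uint16 bounds but the code enforces int16. Use `temp, err := strconv.ParseUint(adport, 10, 16)` and consider rejecting 0 as well, e.g. `if err != nil || temp == 0 { log.Fatalf("invalid adguard_port %q: %v", adport, err) }`. `temp` then becomes a uint64 instead of an int64, so the cast where it is stored into the client, which lies outside this hunk, may need adjusting. NewClient's body continues past the hunk.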
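Review bot: Driving `InsecureSkipVerify` from a flag is the right shape, but nothing tells an operator that verification is off, and the transport sets no floor on the protocol version; I would log once in NewClient, `if insecuretls { log.Println("WARNING: TLS certificate verification disabled (insecure_tls_skip_verify=true); the AdGuard credentials can be captured by any host that intercepts the connection") }`, and add `MinVersion: tls.VersionTLS12,` beside `InsecureSkipVerify` in the `tls.Config`. Basic auth is attached to every request (`req.SetBasicAuth` in the context of the later hunk), so skipped verification hands the password to whoever answers the handshake. Whether the `http.Client` literal sets a `Timeout` is not visible here; if it does not, one is worth adding since the scrape loop runs unattended.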
@@ -26,14 +26,14 @@ func main() { metrics.Init() - initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled) + initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled, conf.InsecureTLSSkipVerify) initHttpServer(conf.ServerPort) handleExitSignal() } -func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool) { - client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled) +func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) { + client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled, insecuretls) go client.Scrape() }
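Review bot: `initAdguardClient` and `adguard.NewClient` now take nine positional arguments, six of them plain strings with `username`, `password` and `port` adjacent, so a transposed argument compiles cleanly and only surfaces as an auth failure or a bad port at runtime; this change is a natural moment to pass `conf` (or a small options struct) through instead of growing the list, e.g. `func initAdguardClient(conf *Config)` calling `adguard.NewClient(conf)` — the exact type and package name are not shown in this hunk. The flag is security-relevant, so if `NewClient` does not already log it, a startup line in main stating that TLS verification is disabled would help operators notice the setting in production.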