fix(client): fix security issues in adguardhome client (#4)

* fix(client): Check uint16 bounds for user provided port see https://github.com/csfreak/adguard-exporter/security/code-scanning/4 * fix(client): add option to disable tls verification defaults to false see https://github.com/csfreak/adguard-exporter/security/code-scanning/3
2023-09-15 12:02:46 -05:00 · 2023-09-15 12:02:46 -05:00 · 887ff4afea
commit 887ff4afea
parent 483435d1e9
4 changed files with 33 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -228,6 +228,9 @@ scrape_configs:

 # Port to be used for the exporter
 -server_port string (optional) (default "9617")
+
+# Disable TLS verification
+-insecure_tls_skip_verify bool (optional) (default "false")
 ```

 ## Available Prometheus metrics
--- a/config/configuration.go
+++ b/config/configuration.go
@ -27,6 +27,7 @@ type Config struct {
 	LogLimit              string        `config:"log_limit"`
 	RDnsEnabled           bool          `config:"rdns_enabled"`
 	PasswordFromFile      bool          `config:"password_from_file"`
+	InsecureTLSSkipVerify bool          `config:"insecure_tls_skip_verify"`
 }

 func getDefaultConfig() *Config {
@ -41,6 +42,7 @@ func getDefaultConfig() *Config {
 		LogLimit:              "1000",
 		RDnsEnabled:           true,
 		PasswordFromFile:      false,
+		InsecureTLSSkipVerify: false,
 	}
 }

--- a/internal/adguard/client.go
+++ b/internal/adguard/client.go
@ -39,9 +39,9 @@ type Client struct {
 }

 // NewClient method initializes a new AdGuard  client.
-func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool) *Client {
+func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) *Client {

-	temp, err := strconv.Atoi(adport)
+	temp, err := strconv.ParseInt(adport, 10, 16)
 	if err != nil {
 		log.Fatal(err)
 	}
@ -56,7 +56,9 @@ func NewClient(protocol, hostname, username, password, adport string, interval t
 		interval: interval,
 		logLimit: logLimit,
 		httpClient: http.Client{
-			Transport: &http.Transport{TLSClientConfig: GetTlsConfig()},
+			Transport: &http.Transport{TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: insecuretls,
+			}},
 			CheckRedirect: func(req *http.Request, via []*http.Request) error {
 				return http.ErrUseLastResponse
 			},
@ -263,12 +265,6 @@ func (c *Client) authenticateRequest(req *http.Request) {
 	req.SetBasicAuth(c.username, c.password)
 }

-func GetTlsConfig() *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true,
-	}
-}
-
 func isValidIp(ip string) bool {
 	if net.ParseIP(ip) == nil {
 		return false
--- a/main.go
+++ b/main.go
@ -26,14 +26,14 @@ func main() {

 	metrics.Init()

-	initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled)
+	initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled, conf.InsecureTLSSkipVerify)
 	initHttpServer(conf.ServerPort)

 	handleExitSignal()
 }

-func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool) {
-	client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled)
+func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) {
+	client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled, insecuretls)
 	go client.Scrape()
 }