fix(client): fix security issues in adguardhome client (#4)

* fix(client): Check uint16 bounds for user provided port see https://github.com/csfreak/adguard-exporter/security/code-scanning/4 * fix(client): add option to disable tls verification defaults to false see https://github.com/csfreak/adguard-exporter/security/code-scanning/3
2023-09-15 12:02:46 -05:00 · 2023-09-15 12:02:46 -05:00 · 887ff4afea
commit 887ff4afea
parent 483435d1e9
4 changed files with 33 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -228,6 +228,9 @@ scrape_configs:

 # Port to be used for the exporter
 -server_port string (optional) (default "9617")
+
+# Disable TLS verification
+-insecure_tls_skip_verify bool (optional) (default "false")
 ```

 ## Available Prometheus metrics
--- a/config/configuration.go
+++ b/config/configuration.go
@ -17,30 +17,32 @@ import (

 // Config is the exporter CLI configuration.
 type Config struct {
-	AdguardProtocol  string        `config:"adguard_protocol"`
-	AdguardHostname  string        `config:"adguard_hostname"`
-	AdguardUsername  string        `config:"adguard_username"`
-	AdguardPassword  string        `config:"adguard_password"`
-	AdguardPort      string        `config:"adguard_port"`
-	ServerPort       string        `config:"server_port"`
-	Interval         time.Duration `config:"interval"`
-	LogLimit         string        `config:"log_limit"`
-	RDnsEnabled      bool          `config:"rdns_enabled"`
-	PasswordFromFile bool          `config:"password_from_file"`
+	AdguardProtocol       string        `config:"adguard_protocol"`
+	AdguardHostname       string        `config:"adguard_hostname"`
+	AdguardUsername       string        `config:"adguard_username"`
+	AdguardPassword       string        `config:"adguard_password"`
+	AdguardPort           string        `config:"adguard_port"`
+	ServerPort            string        `config:"server_port"`
+	Interval              time.Duration `config:"interval"`
+	LogLimit              string        `config:"log_limit"`
+	RDnsEnabled           bool          `config:"rdns_enabled"`
+	PasswordFromFile      bool          `config:"password_from_file"`
+	InsecureTLSSkipVerify bool          `config:"insecure_tls_skip_verify"`
 }

 func getDefaultConfig() *Config {
 	return &Config{
-		AdguardProtocol:  "http",
-		AdguardHostname:  "127.0.0.1",
-		AdguardUsername:  "",
-		AdguardPassword:  "",
-		AdguardPort:      "80",
-		ServerPort:       "9617",
-		Interval:         10 * time.Second,
-		LogLimit:         "1000",
-		RDnsEnabled:      true,
-		PasswordFromFile: false,
+		AdguardProtocol:       "http",
+		AdguardHostname:       "127.0.0.1",
+		AdguardUsername:       "",
+		AdguardPassword:       "",
+		AdguardPort:           "80",
+		ServerPort:            "9617",
+		Interval:              10 * time.Second,
+		LogLimit:              "1000",
+		RDnsEnabled:           true,
+		PasswordFromFile:      false,
+		InsecureTLSSkipVerify: false,
 	}
 }

--- a/internal/adguard/client.go
+++ b/internal/adguard/client.go
@ -39,9 +39,9 @@ type Client struct {
 }

 // NewClient method initializes a new AdGuard  client.
-func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool) *Client {
+func NewClient(protocol, hostname, username, password, adport string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) *Client {

-	temp, err := strconv.Atoi(adport)
+	temp, err := strconv.ParseInt(adport, 10, 16)
 	if err != nil {
 		log.Fatal(err)
 	}
@ -56,7 +56,9 @@ func NewClient(protocol, hostname, username, password, adport string, interval t
 		interval: interval,
 		logLimit: logLimit,
 		httpClient: http.Client{
-			Transport: &http.Transport{TLSClientConfig: GetTlsConfig()},
+			Transport: &http.Transport{TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: insecuretls,
+			}},
 			CheckRedirect: func(req *http.Request, via []*http.Request) error {
 				return http.ErrUseLastResponse
 			},
@ -263,12 +265,6 @@ func (c *Client) authenticateRequest(req *http.Request) {
 	req.SetBasicAuth(c.username, c.password)
 }

-func GetTlsConfig() *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true,
-	}
-}
-
 func isValidIp(ip string) bool {
 	if net.ParseIP(ip) == nil {
 		return false
--- a/main.go
+++ b/main.go
@ -26,14 +26,14 @@ func main() {

 	metrics.Init()

-	initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled)
+	initAdguardClient(conf.AdguardProtocol, conf.AdguardHostname, conf.AdguardUsername, conf.AdguardPassword, conf.AdguardPort, conf.Interval, conf.LogLimit, conf.RDnsEnabled, conf.InsecureTLSSkipVerify)
 	initHttpServer(conf.ServerPort)

 	handleExitSignal()
 }

-func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool) {
-	client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled)
+func initAdguardClient(protocol, hostname, username, password, port string, interval time.Duration, logLimit string, rdnsenabled bool, insecuretls bool) {
+	client := adguard.NewClient(protocol, hostname, username, password, port, interval, logLimit, rdnsenabled, insecuretls)
 	go client.Scrape()
 }