Validate the incoming nodekey with regex before attempting to parse

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-11-03 14:32:39 +09:00 · 2022-09-23 11:51:38 +02:00
parent d06ba7b522
commit 2bb34751d1
2 changed files with 19 additions and 0 deletions
--- a/api.go
+++ b/api.go
@@ -95,6 +95,22 @@ func (h *Headscale) RegisterWebAPI(
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]

+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
 	// We need to make sure we dont open for XSS style injections, if the parameter that
 	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
 	// the template and log an error.
--- a/utils.go
+++ b/utils.go
@@ -17,6 +17,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"regexp"
 	"strconv"
 	"strings"

@@ -64,6 +65,8 @@ const (
 	ZstdCompression = "zstd"
 )

+var NodePublicKeyRegex = regexp.MustCompile("nodekey:[a-fA-F0-9]+")
+
 func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string {
 	return strings.TrimPrefix(machineKey.String(), machinePublicHexPrefix)
 }