Fix 5 security issues: path traversal, rate limit bypass, CORS, installer integrity

- Switch wellknown handler from raw HeaderMap to TypedHeader<Host>,
  add subdomain validation (RFC 1035 labels) to block path traversal
  and cross-tenant exposure via crafted Host headers
- Default rate limiter to PeerIpKeyExtractor; opt into proxy header
  trust via TRUST_PROXY_HEADERS env var
- Restrict CORS to GET method with Accept/Content-Type headers
- Add SHA256 checksum verification to install.sh

Author: ericbeland

config/deploy.yml

@@ -33,3 +33,4 @@ env:
     RUST_LOG: "sorcery_server=info"
     TENANTS_DIR: "/app/tenants"
     BASE_DOMAIN: "srcuri.com"
+    TRUST_PROXY_HEADERS: "true"

src/main.rs

@@ -10,12 +10,14 @@ use axum::{
 use axum_extra::TypedHeader;
 use headers::Host;
 use httpdate::HttpDate;
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime};
 use tower_governor::{
-    governor::GovernorConfigBuilder, key_extractor::SmartIpKeyExtractor, GovernorLayer,
+    governor::GovernorConfigBuilder,
+    key_extractor::{KeyExtractor, PeerIpKeyExtractor, SmartIpKeyExtractor},
+    GovernorError, GovernorLayer,
 };
 use tower_http::cors::{Any, CorsLayer};
 use tower_http::trace::TraceLayer;
@@ -30,6 +32,23 @@ use sorcery_server::{
 const ONE_DAY_SECS: u64 = 86_400;
 const NINETY_DAYS_SECS: u64 = 7_776_000;
 
+#[derive(Debug, Clone, Copy)]
+struct ConfigurableIpExtractor {
+    trust_proxy: bool,
+}
+
+impl KeyExtractor for ConfigurableIpExtractor {
+    type Key = IpAddr;
+
+    fn extract<T>(&self, req: &axum::http::Request<T>) -> Result<Self::Key, GovernorError> {
+        if self.trust_proxy {
+            SmartIpKeyExtractor.extract(req)
+        } else {
+            PeerIpKeyExtractor.extract(req)
+        }
+    }
+}
+
 #[tokio::main]
 async fn main() {
     if let Err(err) = run().await {
@@ -59,12 +78,15 @@ async fn run() -> anyhow::Result<()> {
         base_domain,
     };
 
-    // Rate limiting: 60 requests per minute per IP (1 request per second on average)
+    let trust_proxy = std::env::var("TRUST_PROXY_HEADERS")
+        .map(|v| v.eq_ignore_ascii_case("true") || v == "1")
+        .unwrap_or(false);
+
     let governor_config = Arc::new(
         GovernorConfigBuilder::default()
             .per_second(1)
             .burst_size(60)
-            .key_extractor(SmartIpKeyExtractor)
+            .key_extractor(ConfigurableIpExtractor { trust_proxy })
             .finish()
             .context("build rate limiter config")?,
     );
@@ -86,8 +108,8 @@ async fn run() -> anyhow::Result<()> {
         .layer(
             CorsLayer::new()
                 .allow_origin(Any)
-                .allow_methods(Any)
-                .allow_headers(Any),
+                .allow_methods([axum::http::Method::GET])
+                .allow_headers([header::ACCEPT, header::CONTENT_TYPE]),
         )
         .layer(TraceLayer::new_for_http());
 

src/routes/wellknown.rs

@@ -1,6 +1,8 @@
 #![allow(clippy::items_after_statements)]
 
-use axum::{debug_handler, extract::State, http::HeaderMap, response::Json};
+use axum::{debug_handler, extract::State, response::Json};
+use axum_extra::TypedHeader;
+use headers::Host;
 use std::sync::Arc;
 
 use crate::tenant::config::TenantConfig;
@@ -9,14 +11,10 @@ use crate::AppState;
 #[debug_handler]
 pub async fn wellknown_handler(
     State(state): State<AppState>,
-    headers: HeaderMap,
+    TypedHeader(host): TypedHeader<Host>,
 ) -> Json<Arc<TenantConfig>> {
-    let host = headers
-        .get("host")
-        .and_then(|h| h.to_str().ok())
-        .unwrap_or(&state.base_domain);
-
-    let subdomain = crate::tenant::TenantManager::extract_subdomain(host);
+    let hostname = host.hostname();
+    let subdomain = crate::tenant::TenantManager::extract_subdomain(hostname);
     let config = state.tenant_manager.get_config(&subdomain).await;
     Json(config)
 }

src/static/install.sh

@@ -246,6 +246,59 @@ install_linux_appimage() {
     success "$APP_NAME installed to $app_path"
 }
 
+verify_checksum() {
+    local artifact_path="$1"
+    local version="$2"
+    local artifact_name
+    artifact_name=$(basename "$artifact_path")
+
+    local checksums_url="https://github.com/$REPO/releases/download/$version/SHA256SUMS"
+    local checksums_file
+    checksums_file="$(dirname "$artifact_path")/SHA256SUMS"
+
+    info "Verifying artifact checksum..."
+
+    if command -v curl >/dev/null 2>&1; then
+        if ! curl -fsSL -o "$checksums_file" "$checksums_url" 2>/dev/null; then
+            warn "SHA256SUMS not available for this release, skipping verification"
+            return 0
+        fi
+    elif command -v wget >/dev/null 2>&1; then
+        if ! wget -q -O "$checksums_file" "$checksums_url" 2>/dev/null; then
+            warn "SHA256SUMS not available for this release, skipping verification"
+            return 0
+        fi
+    fi
+
+    local expected_hash
+    expected_hash=$(grep "$artifact_name" "$checksums_file" | awk '{print $1}')
+
+    if [ -z "$expected_hash" ]; then
+        warn "No checksum entry for $artifact_name, skipping verification"
+        rm -f "$checksums_file"
+        return 0
+    fi
+
+    local actual_hash
+    if command -v sha256sum >/dev/null 2>&1; then
+        actual_hash=$(sha256sum "$artifact_path" | awk '{print $1}')
+    elif command -v shasum >/dev/null 2>&1; then
+        actual_hash=$(shasum -a 256 "$artifact_path" | awk '{print $1}')
+    else
+        warn "Neither sha256sum nor shasum found, skipping verification"
+        rm -f "$checksums_file"
+        return 0
+    fi
+
+    rm -f "$checksums_file"
+
+    if [ "$actual_hash" != "$expected_hash" ]; then
+        error "Checksum mismatch! Expected $expected_hash, got $actual_hash. The download may be corrupted or tampered with."
+    fi
+
+    success "Checksum verified"
+}
+
 launch_app() {
     local os="$1"
 
@@ -306,6 +359,7 @@ main() {
     local artifact_path="$temp_dir/$artifact_name"
 
     download_file "$artifact_url" "$artifact_path"
+    verify_checksum "$artifact_path" "$version"
 
     case "$os" in
         macos)

src/tenant/mod.rs

@@ -13,6 +13,18 @@ pub struct TenantManager {
     tenants_dir: PathBuf,
 }
 
+fn is_valid_subdomain(s: &str) -> bool {
+    let len = s.len();
+    if len == 0 || len > 63 {
+        return false;
+    }
+    if s.starts_with('-') || s.ends_with('-') {
+        return false;
+    }
+    s.bytes()
+        .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
+}
+
 impl TenantManager {
     #[must_use]
     pub fn new(tenants_dir: PathBuf) -> Self {
@@ -47,16 +59,106 @@ impl TenantManager {
     }
 
     #[must_use]
-    #[allow(clippy::option_if_let_else)]
     pub fn extract_subdomain(host: &str) -> String {
-        if let Some(subdomain) = host.split('.').next() {
-            if subdomain == "srcuri" || subdomain.contains(':') {
-                "default".to_string()
-            } else {
-                subdomain.to_string()
-            }
-        } else {
-            "default".to_string()
+        let host_without_port = host.split(':').next().unwrap_or(host);
+
+        match host_without_port.split('.').next() {
+            Some("srcuri") => "default".to_string(),
+            Some(sub) if is_valid_subdomain(sub) => sub.to_string(),
+            _ => "default".to_string(),
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn valid_subdomains() {
+        assert_eq!(TenantManager::extract_subdomain("acme.srcuri.com"), "acme");
+        assert_eq!(
+            TenantManager::extract_subdomain("my-tenant.srcuri.com"),
+            "my-tenant"
+        );
+        assert_eq!(TenantManager::extract_subdomain("a1b2.srcuri.com"), "a1b2");
+    }
+
+    #[test]
+    fn srcuri_returns_default() {
+        assert_eq!(TenantManager::extract_subdomain("srcuri.com"), "default");
+    }
+
+    #[test]
+    fn path_traversal_returns_default() {
+        assert_eq!(
+            TenantManager::extract_subdomain("../etc.srcuri.com"),
+            "default"
+        );
+        assert_eq!(
+            TenantManager::extract_subdomain("foo/bar.srcuri.com"),
+            "default"
+        );
+        assert_eq!(
+            TenantManager::extract_subdomain("..%2fetc.srcuri.com"),
+            "default"
+        );
+    }
+
+    #[test]
+    fn uppercase_returns_default() {
+        assert_eq!(
+            TenantManager::extract_subdomain("ACME.srcuri.com"),
+            "default"
+        );
+        assert_eq!(
+            TenantManager::extract_subdomain("Acme.srcuri.com"),
+            "default"
+        );
+    }
+
+    #[test]
+    fn empty_returns_default() {
+        assert_eq!(TenantManager::extract_subdomain(""), "default");
+        assert_eq!(TenantManager::extract_subdomain(".srcuri.com"), "default");
+    }
+
+    #[test]
+    fn too_long_returns_default() {
+        let long = format!("{}.srcuri.com", "a".repeat(64));
+        assert_eq!(TenantManager::extract_subdomain(&long), "default");
+    }
+
+    #[test]
+    fn leading_trailing_hyphen_returns_default() {
+        assert_eq!(
+            TenantManager::extract_subdomain("-acme.srcuri.com"),
+            "default"
+        );
+        assert_eq!(
+            TenantManager::extract_subdomain("acme-.srcuri.com"),
+            "default"
+        );
+    }
+
+    #[test]
+    fn port_stripping_works() {
+        assert_eq!(
+            TenantManager::extract_subdomain("acme.srcuri.com:8080"),
+            "acme"
+        );
+        assert_eq!(
+            TenantManager::extract_subdomain("srcuri.com:3000"),
+            "default"
+        );
+    }
+
+    #[test]
+    fn bare_hostname_without_dots() {
+        assert_eq!(TenantManager::extract_subdomain("localhost"), "localhost");
+        assert_eq!(
+            TenantManager::extract_subdomain("localhost:3000"),
+            "localhost"
+        );
+    }
+}

tests/integration_tests.rs

@@ -29,6 +29,7 @@ async fn test_wellknown_endpoint() {
         .oneshot(
             Request::builder()
                 .uri("/.well-known/srcuri.json")
+                .header("host", "srcuri.com")
                 .body(Body::empty())
                 .unwrap(),
         )
@@ -444,6 +445,48 @@ async fn test_valid_branch_accepted() {
     assert!(html.contains("srcuri://"));
 }
 
+#[tokio::test]
+async fn test_wellknown_traversal_host_rejected() {
+    let app = create_test_app();
+    let response = app
+        .oneshot(
+            Request::builder()
+                .uri("/.well-known/srcuri.json")
+                .header("host", "../etc.srcuri.com")
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(
+        response.status(),
+        StatusCode::BAD_REQUEST,
+        "Path traversal in Host header should be rejected by typed extractor"
+    );
+}
+
+#[tokio::test]
+async fn test_wellknown_valid_tenant_returns_ok() {
+    use http_body_util::BodyExt;
+
+    let app = create_test_app();
+    let response = app
+        .oneshot(
+            Request::builder()
+                .uri("/.well-known/srcuri.json")
+                .header("host", "acme.srcuri.com")
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(response.status(), StatusCode::OK);
+    let body = response.into_body().collect().await.unwrap().to_bytes();
+    let _json: serde_json::Value = serde_json::from_slice(&body).unwrap();
+}
+
 fn create_test_app() -> axum::Router {
     use axum::routing::get;
     use std::path::PathBuf;