ben.carrasco/jambonz-api-server
1
0
Fork 0
mirror of https://github.com/jambonz/jambonz-api-server.git synced 2026-03-21 18:57:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix/carrier entry data (#542)

Browse Source 
* protect against invalid carrier data entry

* sec fixes
This commit is contained in:
Dave Horton
2026-02-09 10:40:59 -05:00
committed by GitHub
parent 2d62dbb564
commit 9875686f92
3 changed files with 806 additions and 1348 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
lib/routes/api/voip-carriers.js
View File

@@ -6,6 +6,97 @@ const decorate = require('./decorate');
const sysError = require('../error');
const { parseVoipCarrierSid } = require('./utils');
/**
* Validates that a SIP realm/domain value is properly formatted.
* @param {string} realm - The realm to validate
* @returns {boolean} - true if valid, false otherwise
*/
const isValidSipRealm = (realm) => {
if (!realm) return true; // null/undefined is allowed (falls back to gateway IP)
// Must not have leading/trailing whitespace
if (realm !== realm.trim()) return false;
// Must not start with sip: or sips:
if (/^sips?:/i.test(realm)) return false;
// Must not contain whitespace
if (/\s/.test(realm)) return false;
// Must be a valid domain (contains dot) or valid IPv4
const isIPv4 = /^(\d{1,3}\.){3}\d{1,3}$/.test(realm);
const hasDot = realm.includes('.');
return isIPv4 || hasDot;
};
/**
* Checks if a string contains any whitespace characters.
* @param {string} str - The string to check
* @returns {boolean} - true if whitespace found, false otherwise
*/
const hasWhitespace = (str) => /\s/.test(str);
/**
* Validates registration-related fields for voip_carriers.
* @param {object} body - The request body
* @param {object} existing - Existing carrier data (for updates)
* @throws {DbErrorBadRequest} - If validation fails
*/
const validateRegistrationFields = (body, existing = null) => {
const requiresRegister = body.requires_register ?? existing?.requires_register;
// When requires_register is being enabled or is already enabled
if (requiresRegister) {
const username = body.register_username ?? existing?.register_username;
const password = body.register_password ?? existing?.register_password;
// register_username is required
if (!username || (typeof username === 'string' && username.trim() === '')) {
throw new DbErrorBadRequest('register_username is required when requires_register is true');
}
// register_username must not contain whitespace
if (typeof username === 'string' && hasWhitespace(username)) {
throw new DbErrorBadRequest('register_username must not contain whitespace');
}
// register_password is required
if (!password || (typeof password === 'string' && password.trim() === '')) {
throw new DbErrorBadRequest('register_password is required when requires_register is true');
}
}
// Validate register_username format if being set (even when requires_register is false)
if (body.register_username !== undefined && body.register_username !== null && body.register_username !== '') {
if (hasWhitespace(body.register_username)) {
throw new DbErrorBadRequest('register_username must not contain whitespace');
}
}
// Validate register_sip_realm format (if provided)
if (body.register_sip_realm !== undefined && body.register_sip_realm !== null) {
if (body.register_sip_realm === '') {
throw new DbErrorBadRequest('register_sip_realm must not be empty string; use null to fall back to gateway IP');
}
if (!isValidSipRealm(body.register_sip_realm)) {
throw new DbErrorBadRequest(
'register_sip_realm must be a valid domain or IP address (no sip: prefix, no spaces)'
);
}
}
// Validate register_from_domain format (if provided)
if (body.register_from_domain !== undefined &&
body.register_from_domain !== null &&
body.register_from_domain !== '') {
if (!isValidSipRealm(body.register_from_domain)) {
throw new DbErrorBadRequest(
'register_from_domain must be a valid domain or IP address (no sip: prefix, no spaces)'
);
}
}
};
const validate = async(req) => {
const {lookupAppBySid, lookupAccountBySid} = req.app.locals;
@@ -33,19 +124,51 @@ const validate = async(req) => {
const account = await lookupAccountBySid(req.body.account_sid);
if (!account) throw new DbErrorBadRequest('unknown account_sid');
}
/* validate registration fields */
validateRegistrationFields(req.body);
};
const validateUpdate = async(req, sid) => {
const {lookupCarrierBySid} = req.app.locals;
await validate(req);
const {lookupCarrierBySid, lookupAppBySid, lookupAccountBySid} = req.app.locals;
if (process.env.JAMBONES_ADMIN_CARRIER == 1 && (!req.user.hasScope('service_provider')
&& !req.user.hasScope('admin'))) {
throw new DbErrorBadRequest('insufficient privileges');
}
/* account level user can only act on carriers associated to his/her account */
if (req.user.hasAccountAuth) {
req.body.account_sid = req.user.account_sid;
}
if (req.body.application_sid && !req.body.account_sid) {
throw new DbErrorBadRequest('account_sid missing');
}
if (req.body.application_sid) {
const application = await lookupAppBySid(req.body.application_sid);
if (!application) throw new DbErrorBadRequest('unknown application_sid');
if (application.account_sid !== req.body.account_sid) {
throw new DbErrorBadRequest('application_sid does not exist for specified account_sid');
}
}
else if (req.body.account_sid) {
const account = await lookupAccountBySid(req.body.account_sid);
if (!account) throw new DbErrorBadRequest('unknown account_sid');
}
/* get existing carrier for validation context */
const existing = await lookupCarrierBySid(sid);
if (req.user.hasAccountAuth) {
/* can only update carriers for the user's account */
const carrier = await lookupCarrierBySid(sid);
if (carrier.account_sid != req.user.account_sid) {
if (existing.account_sid != req.user.account_sid) {
throw new DbErrorUnprocessableRequest('carrier belongs to a different user');
}
}
/* validate registration fields with existing carrier context */
validateRegistrationFields(req.body, existing);
};
const validateDelete = async(req, sid) => {

1832
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

191
test/voip-carriers.js
View File

@@ -67,10 +67,10 @@ test('voip carrier tests', async(t) => {
name: 'robb',
requires_register: true,
register_username: 'foo',
register_sip_realm: 'bar',
register_sip_realm: 'sip.bar.com',
register_password: 'baz',
register_from_user: 'fromme',
register_from_domain: 'fromdomain'
register_from_domain: 'from.domain.com'
}
});
t.ok(result.statusCode === 204, 'successfully updated voip carrier');
@@ -244,3 +244,190 @@ test('voip carrier tests', async(t) => {
}
});
test('voip carrier registration field validation', async(t) => {
const app = require('../app');
let sid;
try {
let result;
/* Test: register_username required when requires_register is true */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_password: 'password123',
register_sip_realm: 'sip.example.com'
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('register_username is required'),
'returns 400 if requires_register=true but no register_username');
/* Test: register_password required when requires_register is true */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_username: 'testuser',
register_sip_realm: 'sip.example.com'
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('register_password is required'),
'returns 400 if requires_register=true but no register_password');
/* Test: register_username must not contain whitespace */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_username: 'my trunk',
register_password: 'password123'
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('must not contain whitespace'),
'returns 400 if register_username contains spaces');
/* Test: register_sip_realm must not have sip: prefix */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: 'sip:example.com'
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('no sip: prefix'),
'returns 400 if register_sip_realm starts with sip:');
/* Test: register_sip_realm must be valid domain format (contain a dot) */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: 'Switch'
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('valid domain or IP'),
'returns 400 if register_sip_realm is not a valid domain');
/* Test: register_sip_realm must not be empty string */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
name: 'test carrier',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: ''
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('must not be empty string'),
'returns 400 if register_sip_realm is empty string');
/* Test: register_sip_realm can be null (falls back to gateway IP) */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
auth: authAdmin,
json: true,
body: {
name: 'test carrier null realm',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: null
}
});
t.ok(result.statusCode === 201, 'succeeds if register_sip_realm is null');
sid = result.body.sid;
await deleteObjectBySid(request, '/VoipCarriers', sid);
/* Test: Valid IPv4 address is accepted as register_sip_realm */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
auth: authAdmin,
json: true,
body: {
name: 'test carrier ipv4',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: '192.168.1.100'
}
});
t.ok(result.statusCode === 201, 'succeeds if register_sip_realm is valid IPv4');
sid = result.body.sid;
await deleteObjectBySid(request, '/VoipCarriers', sid);
/* Test: Valid domain is accepted as register_sip_realm */
result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
auth: authAdmin,
json: true,
body: {
name: 'test carrier domain',
requires_register: true,
register_username: 'user',
register_password: 'pass',
register_sip_realm: 'sip.example.com'
}
});
t.ok(result.statusCode === 201, 'succeeds if register_sip_realm is valid domain');
sid = result.body.sid;
/* Test: Update to enable requires_register without credentials fails */
const sid2Result = await request.post('/VoipCarriers', {
resolveWithFullResponse: true,
auth: authAdmin,
json: true,
body: {
name: 'test carrier no reg'
}
});
const sid2 = sid2Result.body.sid;
result = await request.put(`/VoipCarriers/${sid2}`, {
resolveWithFullResponse: true,
simple: false,
auth: authAdmin,
json: true,
body: {
requires_register: true
}
});
t.ok(result.statusCode === 400 && result.body.msg.includes('register_username is required'),
'returns 400 when enabling requires_register without credentials');
await deleteObjectBySid(request, '/VoipCarriers', sid);
await deleteObjectBySid(request, '/VoipCarriers', sid2);
} catch (err) {
console.error(err);
t.end(err);
}
});