Merge branch 'fix/input-validation' into feat/security-audit-fixes

2026-02-08 08:54:05 +00:00 · 2026-01-22 14:07:06 +08:00 · 2026-01-22 14:07:06 +08:00 · c1d0723392
commit c1d0723392
parent c8e3743e9f 4f3a07c5e2
2 changed files with 89 additions and 5 deletions
--- a/src/message.c
+++ b/src/message.c
@ -48,6 +48,13 @@ int message_load(message_t **messages, int max_messages) {

    /* Now read the messages */
    while (fgets(line, sizeof(line), fp) && count < max_messages) {
+        /* Check for oversized lines */
+        size_t line_len = strlen(line);
+        if (line_len >= sizeof(line) - 1) {
+            fprintf(stderr, "Warning: Skipping oversized line in messages.log\n");
+            continue;
+        }
+
        /* Format: RFC3339_timestamp|username|content */
        char line_copy[2048];
        strncpy(line_copy, line, sizeof(line_copy) - 1);
@ -57,10 +64,19 @@ int message_load(message_t **messages, int max_messages) {
        char *username = strtok(NULL, "|");
        char *content = strtok(NULL, "\n");

+        /* Validate all fields exist */
        if (!timestamp_str || !username || !content) {
            continue;
        }

+        /* Validate field lengths */
+        if (strlen(username) >= MAX_USERNAME_LEN) {
+            continue;
+        }
+        if (strlen(content) >= MAX_MESSAGE_LEN) {
+            continue;
+        }
+
        /* Parse ISO 8601 timestamp */
        struct tm tm = {0};
        char *result = strptime(timestamp_str, "%Y-%m-%dT%H:%M:%S", &tm);
@ -68,9 +84,19 @@ int message_load(message_t **messages, int max_messages) {
            continue;
        }

-        msg_array[count].timestamp = mktime(&tm);
+        /* Validate timestamp is reasonable (not in far future or past) */
+        time_t msg_time = mktime(&tm);
+        time_t now = time(NULL);
+        if (msg_time > now + 86400 || msg_time < now - 31536000 * 10) {
+            /* Skip messages more than 1 day in future or 10 years in past */
+            continue;
+        }
+
+        msg_array[count].timestamp = msg_time;
        strncpy(msg_array[count].username, username, MAX_USERNAME_LEN - 1);
+        msg_array[count].username[MAX_USERNAME_LEN - 1] = '\0';
        strncpy(msg_array[count].content, content, MAX_MESSAGE_LEN - 1);
+        msg_array[count].content[MAX_MESSAGE_LEN - 1] = '\0';
        count++;
    }

@ -92,8 +118,30 @@ int message_save(const message_t *msg) {
    gmtime_r(&msg->timestamp, &tm_info);
    strftime(timestamp, sizeof(timestamp), "%Y-%m-%dT%H:%M:%SZ", &tm_info);

+    /* Sanitize username and content to prevent log injection */
+    char safe_username[MAX_USERNAME_LEN];
+    char safe_content[MAX_MESSAGE_LEN];
+
+    strncpy(safe_username, msg->username, sizeof(safe_username) - 1);
+    safe_username[sizeof(safe_username) - 1] = '\0';
+
+    strncpy(safe_content, msg->content, sizeof(safe_content) - 1);
+    safe_content[sizeof(safe_content) - 1] = '\0';
+
+    /* Replace pipe characters and newlines to prevent log format corruption */
+    for (char *p = safe_username; *p; p++) {
+        if (*p == '|' || *p == '\n' || *p == '\r') {
+            *p = '_';
+        }
+    }
+    for (char *p = safe_content; *p; p++) {
+        if (*p == '|' || *p == '\n' || *p == '\r') {
+            *p = ' ';
+        }
+    }
+
    /* Write to file: timestamp|username|content */
-    fprintf(fp, "%s|%s|%s\n", timestamp, msg->username, msg->content);
+    fprintf(fp, "%s|%s|%s\n", timestamp, safe_username, safe_content);

    fclose(fp);
    return 0;
--- a/src/ssh_server.c
+++ b/src/ssh_server.c
@ -17,6 +17,33 @@
 /* Global SSH bind instance */
 static ssh_bind g_sshbind = NULL;

+/* Validate username to prevent injection attacks */
+static bool is_valid_username(const char *username) {
+    if (!username || username[0] == '\0') {
+        return false;
+    }
+
+    /* Reject usernames starting with special characters */
+    if (username[0] == ' ' || username[0] == '.' || username[0] == '-') {
+        return false;
+    }
+
+    /* Check for illegal characters that could cause injection */
+    const char *illegal_chars = "|;&$`\n\r<>(){}[]'\"\\";
+    for (size_t i = 0; i < strlen(username); i++) {
+        /* Reject control characters (except tab) */
+        if (username[i] < 32 && username[i] != 9) {
+            return false;
+        }
+        /* Reject shell metacharacters */
+        if (strchr(illegal_chars, username[i])) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 /* Generate or load SSH host key */
 static int setup_host_key(ssh_bind sshbind) {
    struct stat st;
@ -212,9 +239,18 @@ static int read_username(client_t *client) {
        client->username[MAX_USERNAME_LEN - 1] = '\0';
    } else {
        strncpy(client->username, username, MAX_USERNAME_LEN - 1);
-        /* Truncate to 20 characters */
-        if (utf8_strlen(client->username) > 20) {
-            utf8_truncate(client->username, 20);
+        client->username[MAX_USERNAME_LEN - 1] = '\0';
+
+        /* Validate username for security */
+        if (!is_valid_username(client->username)) {
+            client_printf(client, "Invalid username. Using 'anonymous' instead.\r\n");
+            strcpy(client->username, "anonymous");
+            sleep(1);  /* Slow down rapid retry attempts */
+        } else {
+            /* Truncate to 20 characters */
+            if (utf8_strlen(client->username) > 20) {
+                utf8_truncate(client->username, 20);
+            }
        }
    }