fix(api): sanitize LectureHall sources.

joschahenningsen · joschahenningsen · commit 0d83a672011c · 2025-07-24T18:47:15.000+02:00
In similar fashion to b995a23, we want to sanitize these values because they are used to execute commands in the worker and can be abused by admins or lecturers to run arbitrary commands
diff --git a/model/lecture_hall.go b/model/lecture_hall.go
@@ -1,6 +1,12 @@
 package model
 
-import "gorm.io/gorm"
+import (
+	"fmt"
+	"net/netip"
+	"net/url"
+
+	"gorm.io/gorm"
+)
 
 type LectureHall struct {
 	gorm.Model
@@ -65,3 +71,29 @@ func (l *LectureHall) ToDTO() *LectureHallDTO {
 		ExternalURL: l.ExternalURL,
 	}
 }
+
+// BeforeSave returns an error if either source is invalid.
+func (l *LectureHall) BeforeSave(*gorm.DB) error {
+	_, err := netip.ParseAddr(l.CameraIP)
+	if err != nil {
+		return fmt.Errorf("invalid camera IP address: %s", l.CameraIP)
+	}
+	u, err := url.Parse(l.CombIP)
+	if err != nil {
+		return fmt.Errorf("invalid comb URL: %s", u)
+	}
+	l.CombIP = u.String() // save parsed (and urlencoded) URL to database
+
+	u, err = url.Parse(l.CamIP)
+	if err != nil {
+		return fmt.Errorf("invalid cam URL: %s", u)
+	}
+	l.CamIP = u.String()
+
+	u, err = url.Parse(l.PresIP)
+	if err != nil {
+		return fmt.Errorf("invalid pres URL: %s", u)
+	}
+	l.PresIP = u.String()
+	return nil
+}
diff --git a/model/lecture_hall_test.go b/model/lecture_hall_test.go
@@ -1 +1,57 @@
 package model
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBeforeSaveLectureHall(t *testing.T) {
+	cases := []struct {
+		l        LectureHall
+		expected LectureHall
+		wantErr  bool
+	}{
+		{
+			l: LectureHall{
+				CameraIP: "not an ip",
+			},
+			wantErr: true,
+		},
+		{
+			l: LectureHall{
+				CameraIP: "127.0.0.almostanip",
+			},
+			expected: LectureHall{
+				CameraIP: "",
+			},
+			wantErr: true,
+		},
+		{
+			l: LectureHall{
+				CameraIP: "127.0.0.1",
+				CamIP:    "somehost/malicious\" && stuff",
+			},
+			expected: LectureHall{
+				CameraIP: "127.0.0.1",
+				CamIP:    "somehost/malicious%22%20&&%20stuff",
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(fmt.Sprintf("BeforeSave(%+v)", tc.l), func(t *testing.T) {
+			err := tc.l.BeforeSave(nil)
+			if err != nil && !tc.wantErr {
+				t.Errorf("BeforeCreateLectureHall(%+v): got error %v, want no error", tc.l, err)
+			} else if err == nil && tc.wantErr {
+				t.Errorf("BeforeCreateLectureHall(%+v): got no error, want error", tc.l)
+			}
+			if err == nil {
+				assert.Equal(t, tc.expected, tc.l)
+			}
+		})
+	}
+}
