DataInbox - some security fixes

2024-07-15 19:46:02 +02:00
parent 26850c73ef
commit 6295e5263c
4 changed files with 70 additions and 2 deletions
--- a/WebAPI/Controllers/DataInboxController.cs
+++ b/WebAPI/Controllers/DataInboxController.cs
@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Data.SqlClient;
@@ -43,6 +44,61 @@ public class DataInboxController : Controller

        try
        {
+            if (
+                !Request.Headers.TryGetValue("Authorization", out var authHeader))
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - no authorization header ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+
+            var credentialsArr = authHeader.ToString().Split(" ");
+            if (credentialsArr.Length != 2)
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - wrong auth header format ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+
+            var authValue = Encoding.UTF8.GetString(Convert.FromBase64String(credentialsArr[1]));
+            var username = authValue.Split(':')[0];
+            var password = authValue.Split(':')[1];
+            if (username != _configuration["morska-user"] || password != _configuration["morska-pass"])
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - bad credentials ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.PowerBi,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+            
+            // check if datainbox.data is base64 encoded value
+            if (!string.IsNullOrEmpty(dataInbox.Data) && !IsBase64String(dataInbox.Data))
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Invalid data format - not base64 encoded ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return BadRequest("Invalid data format - not base64 encoded");
+            }
+            
+            
            dataInbox.Id = Guid.NewGuid();
            dataInbox.CreatedAt = DateTime.UtcNow;
            _db.DataInbox.Add(dataInbox);
@@ -77,4 +133,11 @@ public class DataInboxController : Controller
    {
        return Ok(_db.DataInbox);
    }
+    
+    // helpers
+    private bool IsBase64String(string data)
+    {
+        var bytes = new Span<byte>(new byte[256]); 
+        return Convert.TryFromBase64String(data, bytes, out _);
+    }
 }