From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation
---
 src/validators/port-multi | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 src/validators/port-multi
(limited to 'src')
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+ names = []
+ service_data = read_file(services_file, "")
+ for line in service_data.split("\n"):
+ if not line or line[0] == '#':
+ continue
+ names.append(line.split(None, 1)[0])
+ return names
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ ports = sys.argv[1].split(",")
+ services = get_services()
+
+ for port in ports:
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+ port_1, port_2 = port.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ if int(port_1) > int(port_2):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ elif port.isnumeric():
+ if int(port) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port')
+ sys.exit(1)
+ elif port not in services:
+ print(f'Error: {port} is not a valid service name')
+ sys.exit(1)
+ else:
+ sys.exit(2)
+
+ sys.exit(0)
--
cgit v1.2.3
From da370b63b266254d9a7a7ae15274a9a70bcf5417 Mon Sep 17 00:00:00 2001
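Review bot: `range(1, 65535)` excludes its upper bound, so both the `port_1`/`port_2` check in the range branch and the `int(port) not in range(1, 65535)` check under `elif port.isnumeric():` reject 65535, which is a valid port; both lines should read `range(1, 65536)`, and the same off-by-one is on the two new `range(1, 65535)` lines in the port-range hunk of commit 0a0e7d78. `str.isnumeric()` is also wider than what `int()` parses: a superscript digit or similar non-ASCII numeric character satisfies it and then makes `int(port)` raise ValueError, so the validator dies with a traceback instead of the "not a valid port" message, while other Unicode decimal digits are parsed to a number the caller never sees in that form; `re.fullmatch(r'[0-9]{1,5}', port)` keeps the single-port branch as strict as the range branch. The range branch's `re.match('^...$', port)` still matches when the argument carries a trailing newline, because `$` matches before a final newline, so `re.fullmatch(r'[0-9]{1,5}-[0-9]{1,5}', port)` is the stricter form there too.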
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 9 Jan 2022 23:37:12 +0100
Subject: validators: T4148: Add text output when validators fail
---
 src/validators/ipv4-range | 13 +++++++++----
 src/validators/port-range | 2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range
index cc59039f1..6492bfc52 100755
--- a/src/validators/ipv4-range
+++ b/src/validators/ipv4-range
@@ -7,6 +7,11 @@ ip2dec () {
 printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
 }
+error_exit() {
+ echo "Error: $1 is not a valid IPv4 address range"
+ exit 1
+}
+
 # Only run this if there is a hypen present in $1
 if [[ "$1" =~ "-" ]]; then
 # This only works with real bash (<<<) - split IP addresses into array with
@@ -15,21 +20,21 @@ if [[ "$1" =~ "-" ]]; then
 ipaddrcheck --is-ipv4-single ${strarr[0]}
 if [ $? -gt 0 ]; then
- exit 1
+ error_exit $1
 fi
 ipaddrcheck --is-ipv4-single ${strarr[1]}
 if [ $? -gt 0 ]; then
- exit 1
+ error_exit $1
 fi
 start=$(ip2dec ${strarr[0]})
 stop=$(ip2dec ${strarr[1]})
 if [ $start -ge $stop ]; then
- exit 1
+ error_exit $1
 fi
 exit 0
 fi
-exit 1
+error_exit $1
diff --git a/src/validators/port-range b/src/validators/port-range
index abf0b09d5..6e68c8733 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -9,9 +9,11 @@ if __name__ == '__main__':
 if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
 for tmp in port_range.split('-'):
 if int(tmp) not in range(1, 65535):
+ print(f'Error: {port_range} is not a valid port range')
 sys.exit(1)
 else:
 if int(port_range) not in range(1, 65535):
+ print(f'Error: {port_range} is not a valid port')
 sys.exit(1)
 else:
 sys.exit(2)
--
cgit v1.2.3
From 0a0e7d789e7e482b65cbca47bff1dcb427891a88 Mon Sep 17 00:00:00 2001
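Review bot: `error_exit $1` passes the argument unquoted on all four new call lines of the second ipv4-range hunk, so a value containing whitespace or glob characters is word-split and pathname-expanded before `error_exit` sees it, and the message can then report only the first word, or an expanded filename, rather than the value that was rejected; write `error_exit "$1"` at each call. The `if [[ "$1" =~ "-" ]]; then` block that the first three replacements sit in opens outside this hunk (it is only visible as context at the end of the first hunk), while its closing `fi` is inside it.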
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 9 Jan 2022 23:45:04 +0100
Subject: validators: Stricter checking on port-range validator
---
 src/validators/port-range | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/validators/port-range b/src/validators/port-range
index 6e68c8733..657a21e20 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -3,18 +3,21 @@
 import sys
 import re
+def error(port_range):
+ print(f'Error: {port_range} is not a valid port or port range')
+ sys.exit(1)
+
 if __name__ == '__main__':
 if len(sys.argv)>1:
 port_range = sys.argv[1]
- if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
- for tmp in port_range.split('-'):
- if int(tmp) not in range(1, 65535):
- print(f'Error: {port_range} is not a valid port range')
- sys.exit(1)
- else:
- if int(port_range) not in range(1, 65535):
- print(f'Error: {port_range} is not a valid port')
- sys.exit(1)
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
+ port_1, port_2 = port_range.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ error(port_range)
+ if int(port_1) > int(port_2):
+ error(port_range)
+ elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+ error(port_range)
 else:
 sys.exit(2)
--
cgit v1.2.3
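Review bot: The new `error()` helper has no docstring; add `"""Print why *port_range* was rejected and exit with status 1."""` directly under its `def` line, since the exit status is the contract callers of this validator rely on. The `range(1, 65535)` upper bound and the `isnumeric()`/`int()` mismatch raised on the port-multi hunk of commit a5ad98b apply unchanged to the two new `range(1, 65535)` lines and the new `elif` here, so whichever fix lands there should be mirrored in this file.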