aheh/MasterHttpRelayVPN-RUST
1
0
Fork 0
mirror of https://github.com/therealaleph/MasterHttpRelayVPN-RUST.git synced 2026-05-18 06:34:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(domain-fronting): guard fallback JSON extraction

Browse Source 
Reject malformed fallback relay responses where JSON brace positions are inverted instead of slicing with invalid bounds.
This commit is contained in:
Captain Mirage
2026-05-16 16:52:57 +03:30
committed by GitHub
parent d56ddc692b
commit 2e2ea4f3f0
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/domain_fronter.rs
+18
View File
@@ -3036,6 +3036,12 @@ impl DomainFronter {
let end = text.rfind('}').ok_or_else(|| {
FronterError::BadResponse("no json end in tunnel response".into())
})?;
if start > end {
return Err(FronterError::BadResponse(format!(
"no valid json object in: {}",
&text.chars().take(200).collect::<String>()
)));
}
&text[start..=end]
};
Ok(serde_json::from_str(json_str)?)
@@ -3204,6 +3210,12 @@ impl DomainFronter {
let end = text.rfind('}').ok_or_else(|| {
FronterError::BadResponse("no json end in batch response".into())
})?;
if start > end {
return Err(FronterError::BadResponse(format!(
"no valid json object in: {}",
&text.chars().take(200).collect::<String>()
)));
}
&text[start..=end]
};
// Don't log payload content. Batch responses carry base64-encoded
@@ -4580,6 +4592,12 @@ fn parse_relay_json(body: &[u8]) -> Result<Vec<u8>, FronterError> {
&text.chars().take(200).collect::<String>()
))
})?;
if start > end {
return Err(FronterError::BadResponse(format!(
"no valid json object in: {}",
&text.chars().take(200).collect::<String>()
)));
}
serde_json::from_str(&text[start..=end])?
}
}