Merge pull request #93 from ProgrammingLab/gedorinku/fix_redis

Add validation

Author: gedorinku

app/interceptor/session_auth.go

@@ -2,6 +2,7 @@ package interceptor
 
 import (
 	"context"
+	"regexp"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -28,6 +29,8 @@ var (
 	ErrMetadataNotFound = errors.New("metadata not found in context")
 	// ErrInvalidAuthorizationMetadata is returned when authorization metadata is invalid
 	ErrInvalidAuthorizationMetadata = status.Error(codes.InvalidArgument, "Invalid authorization metadata")
+
+	sessionRegexp = regexp.MustCompile(`^[a-z0-9]{64}$`)
 )
 
 type currentUserIDKey struct{}
@@ -76,6 +79,10 @@ func (a *Authorizator) authorization(ctx context.Context, req interface{}, info
 	}
 
 	sessionID := strings.TrimSpace(d[len(SessionAuthorizationType):])
+	if !sessionRegexp.MatchString(sessionID) {
+		return nil, util.ErrUnauthenticated
+	}
+
 	s, err := a.SessionStore(ctx).GetSession(sessionID)
 	if err != nil {
 		grpclog.Error(err)

infra/store/session/session_store.go

@@ -81,6 +81,10 @@ func (s *sessionStoreImpl) GetSession(sessionID string) (*model.Session, error)
 		return nil, errors.WithStack(err)
 	}
 
+	if keys[0] != redisKey(sessionID)+":"+v {
+		return nil, errors.WithStack(errSessionNotFound)
+	}
+
 	id, err := strconv.ParseInt(v, 10, 64)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -102,7 +106,16 @@ func (s *sessionStoreImpl) DeleteSession(sessionID string) error {
 		return errors.WithStack(errSessionNotFound)
 	}
 
-	_, err = s.client.Del(keys...).Result()
+	v, err := s.client.Get(keys[0]).Result()
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if keys[0] != redisKey(sessionID)+":"+v {
+		return errors.WithStack(errSessionNotFound)
+	}
+
+	_, err = s.client.Del(keys[0]).Result()
 	return errors.WithStack(err)
 }