Do not panic if we can't parse a Regex type rule

If for some reason a Regex type rule can not be parsed, opensnitchd panics and exit. We drop regex.MustCompile() in favor of regex.Compile(), and in case of failure we just drop the packet. In either case, the daemon should not panic but it should not received an invalid rule either, specially from the UI. Closes #4
2025-03-04 08:34:40 +01:00 · 2020-02-14 23:15:14 +01:00 · 2020-02-14 23:15:14 +01:00 · 9207465d58
commit 9207465d58
parent a4a5637a22
3 changed files with 26 additions and 8 deletions
--- a/daemon/main.go
+++ b/daemon/main.go
@ -168,6 +168,11 @@ func onPacket(packet netfilter.Packet) {
 		// no rule matched, send a request to the
 		// UI client if connected and running
 		r, connected = uiClient.Ask(con)
+		if r == nil {
+			log.Error("Invalid rule received, skipping")
+			packet.SetVerdict(netfilter.NF_DROP)
+			return
+		}
 		if connected {
 			ok := false
 			pers := ""
--- a/daemon/rule/operator.go
+++ b/daemon/rule/operator.go
@ -46,26 +46,34 @@ type Operator struct {
 	re *regexp.Regexp
 }

-func NewOperator(t Type, o Operand, data string, list []Operator) Operator {
+func NewOperator(t Type, o Operand, data string, list []Operator) *Operator {
 	op := Operator{
 		Type:    t,
 		Operand: o,
 		Data:    data,
 		List:    list,
 	}
-	op.Compile()
-	return op
+	if err := op.Compile(); err != nil {
+		return nil
+	}
+	return &op
 }

-func (o *Operator) Compile() {
+func (o *Operator) Compile() error {
 	if o.Type == Simple {
 		o.cb = o.simpleCmp
 	} else if o.Type == Regexp {
 		o.cb = o.reCmp
-		o.re = regexp.MustCompile(o.Data)
+		if re, err := regexp.Compile(o.Data); err == nil {
+			o.re = re
+		} else {
+			return err
+		}
 	} else if o.Type == List {
 		o.Operand = OpList
 	}
+
+	return nil
 }

 func (o *Operator) String() string {
@ -88,7 +96,9 @@ func (o *Operator) listMatch(con *conman.Connection) bool {
 	res := true
 	for i := 0; i < len(o.List); i += 1 {
 		o := o.List[i]
-		o.Compile()
+		if err := o.Compile(); err != nil {
+			return false
+		}
 		res = res && o.Match(con)
 	}
 	return res
--- a/daemon/rule/rule.go
+++ b/daemon/rule/rule.go
@ -33,14 +33,14 @@ type Rule struct {
 	Operator Operator  `json:"operator"`
 }

-func Create(name string, action Action, duration Duration, op Operator) *Rule {
+func Create(name string, action Action, duration Duration, op *Operator) *Rule {
 	return &Rule{
 		Created:  time.Now(),
 		Enabled:  true,
 		Name:     name,
 		Action:   action,
 		Duration: duration,
-		Operator: op,
+		Operator: *op,
 	}
 }

@ -62,6 +62,9 @@ func Deserialize(reply *protocol.Rule) *Rule {
 		reply.Operator.Data,
 		make([]Operator, 0),
 	)
+	if operator == nil {
+		return nil
+	}

 	return Create(
 		reply.Name,