From 625b79e3b3bdc3c13e3a966cd72d80708b1e77e0 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 5 Jun 2020 14:00:44 +0200 Subject: [PATCH 1/2] Detect PID loops in api auth --- firewall/api.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/firewall/api.go b/firewall/api.go index b156d020..30557050 100644 --- a/firewall/api.go +++ b/firewall/api.go @@ -112,6 +112,7 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo return true, fmt.Errorf("failed to get process: %s", err) } originalPid := proc.Pid + var previousPid int // go up up to two levels, if we don't match for i := 0; i < 5; i++ { @@ -130,11 +131,20 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo procsChecked = append(procsChecked, proc.Path) if i < 4 { + // save previous PID + previousPid = proc.Pid + // get parent process proc, err = process.GetOrFindProcess(ctx, proc.ParentPid) if err != nil { return true, fmt.Errorf("failed to get process: %s", err) } + + // abort if we are looping + if proc.Pid == previousPid { + // this also catches -1 pid loops + break + } } } From e1d39e88bae1e921b0e6512281158b68eda59ddb Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 5 Jun 2020 14:00:51 +0200 Subject: [PATCH 2/2] Improve logging --- firewall/api.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/firewall/api.go b/firewall/api.go index 30557050..73832fbf 100644 --- a/firewall/api.go +++ b/firewall/api.go @@ -20,7 +20,10 @@ import ( const ( deniedMsgUnidentified = `%wFailed to identify the requesting process. -You can enable the Development Mode to disable API authentication for development purposes.` +You can enable the Development Mode to disable API authentication for development purposes. + +If you are seeing this message in the Portmaster App, please restart the app or right-click and select "Reload". +In the future, this issue will be remediated automatically.` deniedMsgSystem = `%wSystem access to the Portmaster API is not permitted. You can enable the Development Mode to disable API authentication for development purposes.` @@ -56,7 +59,7 @@ func startAPIAuth() { log.Tracef("filter: api port set to %d", apiPort) } -func apiAuthenticator(s *http.Server, r *http.Request) (err error) { +func apiAuthenticator(ctx context.Context, s *http.Server, r *http.Request) (err error) { if devMode() { return nil } @@ -73,9 +76,7 @@ func apiAuthenticator(s *http.Server, r *http.Request) (err error) { return fmt.Errorf("failed to get remote IP/Port: %s", err) } - ctx, tracer := log.AddTracer(r.Context()) - tracer.Tracef("filter: authenticating API request from %s", r.RemoteAddr) - defer tracer.Submit() + log.Tracer(r.Context()).Tracef("filter: authenticating API request from %s", r.RemoteAddr) // It is very important that this works, retry extensively (every 250ms for 5s) var retry bool