From a59d8ec67a0b07aa49148a6ff008ed5377546829 Mon Sep 17 00:00:00 2001
From: Kevin Hoffman
Date: Wed, 13 Mar 2024 14:33:28 -0400
Subject: [PATCH] rejects shares to bogus account keys
---
 internal/globalservice/event_api.go | 5 +++++
 natster/catalog.go | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/internal/globalservice/event_api.go b/internal/globalservice/event_api.go
index 7bed68a..b31ffb9 100644
--- a/internal/globalservice/event_api.go
+++ b/internal/globalservice/event_api.go
@@ -11,6 +11,7 @@ import (
 "github.com/nats-io/nats.go"
 "github.com/nats-io/nats.go/jetstream"
+ "github.com/nats-io/nkeys"
 "github.com/synadia-labs/natster/internal/models"
 )
@@ -330,6 +331,10 @@ func (srv *GlobalService) validateCatalogSharedEvent(accountKey string, evt mode
 if acct == nil {
 return errors.New("rejecting catalog_shared event, can't share from a nonexistent account")
 }
+ if !nkeys.IsValidPublicAccountKey(evt.Target) {
+ // sadly this will prevent us from sharing to ABOB or AALICE
+ return errors.New("target account is not a valid public key")
+ }
 if slices.ContainsFunc(acct.OutShares, func(cat shareEntry) bool {
 return cat.Account == accountKey && cat.Catalog == evt.Catalog
 }) {
diff --git a/natster/catalog.go b/natster/catalog.go
index facb327..601e1e1 100644
--- a/natster/catalog.go
+++ b/natster/catalog.go
@@ -344,7 +344,7 @@ func ShareCatalog(ctx *fisk.ParseContext) error {
 return err
 }
- fmt.Printf("Shared catalog '%s' with target '%s'. Note: Natster makes no guarantees that the target account exists.\n",
+ fmt.Printf("Shared catalog '%s' with target '%s'.\nNote: Natster's backend makes no guarantees that the target account exists.\n",
 ShareOpts.Name,
 ShareOpts.AccountKey,
 )
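Review bot: The new `nkeys.IsValidPublicAccountKey(evt.Target)` guard in validateCatalogSharedEvent checks only that the target is a well-formed account public key (encoding, checksum, account prefix). It does not establish that the account is known to this service, so shares to well-formed but unregistered keys are still accepted, which the CLI note in natster/catalog.go concedes. I would replace the in-line joke with a comment that says so, e.g. `// format check only: a well-formed key may still belong to no known account`. I would also align the error with the one above it, `return errors.New("rejecting catalog_shared event, target is not a valid public account key")`, so rejected events share one searchable prefix in logs. The function starts and ends outside the hunk, so whether a share to the sender's own key (`evt.Target == accountKey`) is rejected elsewhere cannot be seen from here.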