rejects shares to bogus account keys (#101)

synadia-labs · Mar 13, 2024 · fed64b8 · fed64b8
1 parent 135ed96
commit fed64b8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/internal/globalservice/event_api.go b/internal/globalservice/event_api.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
+	"github.com/nats-io/nkeys"
 	"github.com/synadia-labs/natster/internal/models"
 )
 
@@ -330,6 +331,10 @@ func (srv *GlobalService) validateCatalogSharedEvent(accountKey string, evt mode
 	if acct == nil {
 		return errors.New("rejecting catalog_shared event, can't share from a nonexistent account")
 	}
+	if !nkeys.IsValidPublicAccountKey(evt.Target) {
+		// sadly this will prevent us from sharing to ABOB or AALICE
+		return errors.New("target account is not a valid public key")
+	}
 	if slices.ContainsFunc(acct.OutShares, func(cat shareEntry) bool {
 		return cat.Account == accountKey && cat.Catalog == evt.Catalog
 	}) {

diff --git a/natster/catalog.go b/natster/catalog.go
@@ -344,7 +344,7 @@ func ShareCatalog(ctx *fisk.ParseContext) error {
 		return err
 	}
 
-	fmt.Printf("Shared catalog '%s' with target '%s'. Note: Natster makes no guarantees that the target account exists.\n",
+	fmt.Printf("Shared catalog '%s' with target '%s'.\nNote: Natster's backend makes no guarantees that the target account exists.\n",
 		ShareOpts.Name,
 		ShareOpts.AccountKey,
 	)