From fb87b50c0531f37c50c6d7e7b6d3c1751212ca08 Mon Sep 17 00:00:00 2001
From: Martin Braun
Date: Tue, 14 Nov 2023 01:39:36 +0100
Subject: [PATCH] fix validation of endpoint spec
---
 swarmgate/app.ts | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/swarmgate/app.ts b/swarmgate/app.ts
index 41bd4dc..444cf33 100644
--- a/swarmgate/app.ts
+++ b/swarmgate/app.ts
@@ -199,6 +199,20 @@ function doesVolumeExist(volumeName: string): Promise {
 });
 }
 
+async function isValidEndpoint(
+ res: express.Response,
+ endpoint: Docker.Endpoint): Promise {
+ if (endpoint.Spec?.Ports) {
+ for (const port of endpoint.Spec?.Ports) {
+ if (!ALLOW_PORT_EXPOSE) {
+ res.status(403).send(`Access denied: Exposing ports is not allowed.`);
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
 type TaskTemplate = {
 ContainerSpec?: {
 Secrets?: { SecretName: string }[],
@@ -208,7 +222,6 @@ type TaskTemplate = {
 },
 Runtime?: string,
 Networks?: { Target: string }[],
- EndpointSpec?: { Ports?: { TargetPort: number, Protocol: string }[] }
 }
 // returns true if we should continue
 async function isValidTaskTemplate(
@@ -235,15 +248,6 @@ async function isValidTaskTemplate(
 }
 }
 
- if (taskTemplate.EndpointSpec?.Ports) {
- for (const port of taskTemplate.EndpointSpec.Ports) {
- if (!ALLOW_PORT_EXPOSE) {
- res.status(403).send(`Access denied: Exposing ports is not allowed.`);
- return false;
- }
- }
- }
-
 if (containerSpec) {
 if (containerSpec.Secrets) {
 for (const secret of containerSpec.Secrets) {
@@ -311,6 +315,10 @@ app.post('/:version?/services/create', async (req, res) => {
 return;
 }
 
+ if(serviceSpec.EndpointSpec && !await isValidEndpoint(res, serviceSpec.EndpointSpec)) {
+ return;
+ }
+
 serviceSpec.Labels = { ...serviceSpec.Labels, [label]: labelValue };
 if (taskTemplate.ContainerSpec) {
 taskTemplate.ContainerSpec.Labels = { ...taskTemplate.ContainerSpec.Labels || {}, [label]: labelValue };
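Review bot: isValidEndpoint reads `endpoint.Spec?.Ports`, but both call sites (the `/services/create` hunk here and the `/services/:id/update` hunk on the next line) pass `serviceSpec.EndpointSpec` / `updateSpec.EndpointSpec`, which in the Docker Engine API is the EndpointSpec object itself — `Ports` sits directly on it, while the `Spec`/`Ports`/`VirtualIPs` wrapper is the `Endpoint` of a service response, not of a create/update request. For any standard request `Spec` is therefore undefined, the guard never fires and the function returns true, so the ALLOW_PORT_EXPOSE policy is bypassed (fail-open) — the same gap the removed check in isValidTaskTemplate had at a different nesting level, since EndpointSpec is a sibling of TaskTemplate on the service spec. The loop body never uses `port` and returns on its first iteration, so the check reduces to a length test, and the `?.` inside the loop is redundant after the outer guard. Typing the parameter as the spec (dockerode's `Docker.EndpointSpec`, if the project's typings export it, otherwise an inline `{ Ports?: unknown[] }`) and reading `Ports` directly fixes both; a request-level test that posts a service spec with `EndpointSpec.Ports` while ALLOW_PORT_EXPOSE is unset and expects 403 would pin the behaviour.
```typescript
async function isValidEndpoint(
  res: express.Response,
  endpointSpec: Docker.EndpointSpec): Promise<boolean> {
  // ServiceSpec.EndpointSpec carries Ports directly; any requested port is a policy violation unless exposing is allowed.
  if (endpointSpec.Ports?.length && !ALLOW_PORT_EXPOSE) {
    res.status(403).send(`Access denied: Exposing ports is not allowed.`);
    return false;
  }
  return true;
}
```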
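Review bot: The new guard in `/services/create` is written `if(serviceSpec.EndpointSpec && ...)`, without the space after `if` that every other condition in this file uses (`if (taskTemplate.ContainerSpec) {` two lines below); the same spelling appears in the `/services/:id/update` hunk on the next line. `!await isValidEndpoint(...)` parses as `!(await ...)`, which is what is intended, but explicit parentheses make that unambiguous to readers: `if (serviceSpec.EndpointSpec && !(await isValidEndpoint(res, serviceSpec.EndpointSpec))) {`. The enclosing route handler starts and ends outside the hunk.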
@@ -353,6 +361,10 @@ app.post('/:version?/services/:id/update', async (req, res) => {
 }
 }
+ if(updateSpec.EndpointSpec && !await isValidEndpoint(res, updateSpec.EndpointSpec)) {
+ return;
+ }
+
 const service = docker.getService(serviceId);
 updateSpec.version = req.query.version;