handle missing dns-packet and user-flags

For reasons not yet known, userBlocklistFlagUint may go missing, and that causes issues in dns-operation which don't at all expect it (null, undefined). Fix that by treating empty, null, undefined strings as just empty, and returning early from functions that can't do much with missing user-flags. In a similar issue seen in prod, current-request doesn't do well with a missing (undefined, null) decodedDnsPacket obj. So, before using it in current-request make sure it is set to an equivalent empty obj.
serverless-dns · Dec 24, 2021 · bc6dc50 · amithm7 · Dec 24, 2021 · ignoramous
1 parent f2b3439
commit bc6dc50
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 18 deletions.
diff --git a/src/basic/userOperation.js b/src/basic/userOperation.js
@@ -7,6 +7,7 @@
  */
 import { LocalCache as LocalCache } from "../cache-wrapper/cache-wrapper.js";
 import { BlocklistFilter } from "../blocklist-wrapper/blocklistWrapper.js";
+import * as util from "../helpers/util.js";
 
 export class UserOperation {
   constructor() {
@@ -23,7 +24,7 @@ export class UserOperation {
   async RethinkModule(param) {
     return this.loadUser(param);
   }
-  
+
   loadUser(param) {
     let response = {};
     response.isException = false;
@@ -57,7 +58,7 @@ export class UserOperation {
         currentUser.userBlocklistFlagUint = response.userBlocklistFlagUint;
         currentUser.flagVersion = response.flagVersion;
 
-        if (currentUser.userBlocklistFlagUint !== "") {
+        if (!util.emptyString(currentUser.userBlocklistFlagUint)) {
           currentUser.userServiceListUint = this.blocklistFilter
             .flagIntersection(
               currentUser.userBlocklistFlagUint,

diff --git a/src/blocklist-wrapper/blocklistFilter.js b/src/blocklist-wrapper/blocklistFilter.js
@@ -9,7 +9,7 @@
 import { Buffer } from "buffer";
 import { LocalCache } from "../cache-wrapper/cache-wrapper.js";
 import { customTagToFlag as _customTagToFlag } from "./radixTrie.js";
-
+import * as util from "../helpers/util.js";
 import { base32, rbase32 } from "./b32.js";
 
 export class BlocklistFilter {
@@ -83,12 +83,14 @@ export class BlocklistFilter {
   }
 
   flagIntersection(flag1, flag2) {
+    // handle empty flags
+    if (util.emptyString(flag1) || util.emptyString(flag2)) return false;
+
     try {
       let flag1Header = flag1[0];
       let flag2Header = flag2[0];
       let intersectHeader = flag1Header & flag2Header;
       if (intersectHeader == 0) {
-        //console.log("first return")
         return false;
       }
       let flag1Length = flag1.length - 1;
@@ -101,7 +103,6 @@ export class BlocklistFilter {
         if ((flag1Header & 1) == 1) {
           if ((tmpInterectHeader & 1) == 1) {
             tmpBodyIntersect = flag1[flag1Length] & flag2[flag2Length];
-            //console.log(flag1[flag1Length] + " :&: " + flag2[flag2Length] + " -- " + tmpBodyIntersect)
             if (tmpBodyIntersect == 0) {
               intersectHeader = intersectHeader ^ maskHeaderForBodyEmpty;
             } else {
@@ -118,9 +119,7 @@ export class BlocklistFilter {
         flag2Header = flag2Header >>> 1;
         maskHeaderForBodyEmpty = maskHeaderForBodyEmpty * 2;
       }
-      //console.log(intersectBody)
       if (intersectHeader == 0) {
-        //console.log("Second Return")
         return false;
       }
       const intersectFlag = new Uint16Array(intersectBody.length + 1);

diff --git a/src/dns-operation/dnsAggCache.js b/src/dns-operation/dnsAggCache.js
@@ -9,6 +9,7 @@
 import DNSParserWrap from "./dnsParserWrap.js";
 import DNSBlockOperation from "./dnsBlockOperation.js";
 import { BlocklistFilter } from "../blocklist-wrapper/blocklistWrapper.js";
+import * as util from "../helpers/util.js";
 
 export default class DNSAggCache {
   constructor() {
@@ -102,7 +103,7 @@ async function parseCacheapiResponse(
       reqDecodedDnsPacket.questions[0].type == "HTTPS" ||
       reqDecodedDnsPacket.questions[0].type == "SVCB") &&
     metaData.blocklistInfo &&
-    userBlocklistInfo.userBlocklistFlagUint !== ""
+    !util.emptyString(userBlocklistInfo.userBlocklistFlagUint)
   ) {
     metaData.blocklistInfo = new Map(Object.entries(metaData.blocklistInfo));
     let blockResponse = dnsBlockOperation.checkDomainBlocking(

diff --git a/src/dns-operation/dnsBlock.js b/src/dns-operation/dnsBlock.js
@@ -8,6 +8,7 @@
 
 import DNSParserWrap from "./dnsParserWrap.js";
 import DNSBlockOperation from "./dnsBlockOperation.js";
+import * as util from "../helpers/util.js";
 
 export default class DNSBlock {
   constructor() {
@@ -34,9 +35,8 @@ export default class DNSBlock {
     response.data.isBlocked = false;
     response.data.blockedB64Flag = "";
     try {
-      if (param.userBlocklistInfo.userBlocklistFlagUint.length !== "") {
+      if (hasBlocklistStamp(param)) {
         let domainNameBlocklistInfo;
-        // FIXME: handle HTTPS/SVCB
         if (
           (param.requestDecodedDnsPacket.questions.length >= 1) &&
           (param.requestDecodedDnsPacket.questions[0].type == "A" ||
@@ -77,6 +77,12 @@ export default class DNSBlock {
   }
 }
 
+function hasBlocklistStamp(param) {
+  return param &&
+    param.userBlocklistInfo &&
+    !util.emptyString(param.userBlocklistInfo.userBlocklistFlagUint);
+}
+
 function toCacheApi(param, wCache, domainNameBlocklistInfo) {
   const dn =
     param.requestDecodedDnsPacket.questions[0].name.trim().toLowerCase() + ":" +

diff --git a/src/dns-operation/dnsBlockOperation.js b/src/dns-operation/dnsBlockOperation.js
@@ -91,4 +91,4 @@ function checkDomainNameUserFlagIntersection(
       throw e;
     }
     return response;
-  }
+  }
diff --git a/src/dns-operation/dnsResponseBlock.js b/src/dns-operation/dnsResponseBlock.js
@@ -7,11 +7,13 @@
  */
 
 import DNSBlockOperation from "./dnsBlockOperation.js";
+import * as util from "../helpers/util.js";
 
 export default class DNSResponseBlock {
   constructor() {
     this.dnsBlockOperation = new DNSBlockOperation();
   }
+
   /**
    * @param {*} param
    * @param {*} param.userBlocklistInfo
@@ -28,7 +30,7 @@ export default class DNSResponseBlock {
     response.data.isBlocked = false;
     response.data.blockedB64Flag = "";
     try {
-      if (param.userBlocklistInfo.userBlocklistFlagUint !== "") {
+      if (hasBlocklistStamp(param)) {
         if (
           param.responseDecodedDnsPacket.answers.length > 0 &&
           param.responseDecodedDnsPacket.answers[0].type == "CNAME"
@@ -76,6 +78,7 @@ function checkHttpsSvcbBlock(
     }
   }
 }
+
 function checkCnameBlock(param, response, dnsBlockOperation) {
   let cname = param.responseDecodedDnsPacket.answers[0].data.trim().toLowerCase();
   let domainNameBlocklistInfo = param.blocklistFilter.getDomainInfo(
@@ -111,3 +114,10 @@ function checkCnameBlock(param, response, dnsBlockOperation) {
     }
   }
 }
+
+function hasBlocklistStamp(param) {
+  return param &&
+    param.userBlocklistInfo &&
+    !util.emptyString(param.userBlocklistInfo.userBlocklistFlagUint);
+}
+
diff --git a/src/helpers/currentRequest.js b/src/helpers/currentRequest.js
@@ -13,7 +13,7 @@ import * as util from "../helpers/util.js";
 export default class CurrentRequest {
   constructor() {
     this.blockedB64Flag = "";
-    this.decodedDnsPacket = undefined;
+    this.decodedDnsPacket = this.emptyDecodedDnsPacket();
     this.httpResponse = undefined;
     this.isException = false;
     this.exceptionStack = undefined;
@@ -25,21 +25,34 @@ export default class CurrentRequest {
     this.dnsParser = new DnsParser();
   }
 
+  emptyDecodedDnsPacket() {
+    return { id: 0, questions: null };
+  }
+
+  initDecodedDnsPacketIfNeeded() {
+    if (!this.decodedDnsPacket) {
+      this.decodedDnsPacket = this.emptyDecodedDnsPacket();
+    }
+  }
+
   dnsExceptionResponse() {
+    this.initDecodedDnsPacketIfNeeded();
+
     const qid = this.decodedDnsPacket.id;
     const questions = this.decodedDnsPacket.questions;
     const ex = {
       exceptionFrom: this.exceptionFrom,
       exceptionStack: this.exceptionStack,
     };
+    const servfail = dnsutil.servfail(qid, questions);
     this.httpResponse = new Response(
-      dnsutil.servfail(qid, questions),
       {
+        servfail,
         headers : util.concatHeaders(
           this.headers(),
           this.additionalHeader(JSON.stringify(ex)),
         ),
-        status : 200, // rfc8484 section-4.2.1
+        status : (servfail) ? 200 : 500, // rfc8484 section-4.2.1
       },
     );
   }
@@ -67,6 +80,7 @@ export default class CurrentRequest {
   }
 
   dnsBlockResponse() {
+    this.initDecodedDnsPacketIfNeeded();
     try {
       this.decodedDnsPacket.type = "response";
       this.decodedDnsPacket.rcode = "NOERROR";

diff --git a/src/helpers/util.js b/src/helpers/util.js
@@ -68,7 +68,7 @@ export function corsHeaders() {
 
 /**
  * @param {String} ua - User Agent string
- * @returns 
+ * @returns
  */
 export function corsHeadersIfNeeded(ua) {
   // allow cors when user agents claiming to be browsers
@@ -104,7 +104,7 @@ export function concatHeaders() {
 
 /**
  * @param {Request} request - Request
- * @returns 
+ * @returns
  */
 export function copyHeaders(request) {
   const headers = {}
@@ -213,7 +213,7 @@ export function safeBox(fn, defaultResponse = null) {
 
 /**
  * @param {Request} req - Request
- * @returns 
+ * @returns
  */
 export function isDnsMsg(req) {
   return req.headers.get("Accept") === "application/dns-message" ||
@@ -240,3 +240,8 @@ export function errResponse(id, err) {
     data: false,
   }
 }
+
+export function emptyString(str) {
+    return !str || str.length === 0
+}
+