From 320df7ec0caea969fdcce717b84c31afc6194015 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica
Date: Wed, 3 Jul 2024 15:16:32 +0200
Subject: views: validate MAC address after POST

Check if the provided MAC address is valid in every form where the use has to provide one. Show an error message when the format is incorrect.
---
 ogcp/views.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/ogcp/views.py b/ogcp/views.py
index e41e242..ae07f31 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -102,6 +102,13 @@ def normalize_mac(mac):
 def prettify_mac(mac):
 return (':'.join(mac[i:i+2] for i in range(0, 12, 2))).lower()
 
+def is_valid_normalized_mac(mac):
+ if len(mac) != 12:
+ return False
+ if not all(c in '0123456789abcdef' for c in mac):
+ return False
+ return True
+
 def ogserver_down(view):
 flash(_('Cannot talk to ogserver. Is ogserver down?'), category='error')
 return redirect(url_for(view))
@@ -1302,6 +1309,12 @@ def action_client_update():
 flash(_('Invalid IP address'), category='error')
 return redirect(url_for("scopes"))
 
+ mac_address = normalize_mac(form.mac.data)
+
+ if not is_valid_normalized_mac(mac_address):
+ flash(_('Invalid MAC address'), category='error')
+ return redirect(url_for("scopes"))
+
 payload = {"ip": form.ip.data,
 "serial_number": form.serial_number.data,
 "netdriver": "generic",
@@ -1313,7 +1326,7 @@ def action_client_update():
 "room": int(form.room.data),
 "name": form.name.data,
 "boot": form.boot.data,
- "mac": normalize_mac(form.mac.data) }
+ "mac": mac_address }
 server = get_server_from_ip_port(form.server.data)
 r = server.post('/client/update', payload)
 if r.status_code != requests.codes.ok:
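Review bot: `is_valid_normalized_mac` accepts only the lowercase set `'0123456789abcdef'`, so its verdict depends on `normalize_mac` having already lowercased the input and stripped separators, and that function's body is outside this hunk. If it does not lowercase, a MAC typed as `AA:BB:CC:DD:EE:FF` is rejected as invalid; the `.lower()` in `prettify_mac` just above suggests normalized values are not guaranteed to be lowercase. The precondition deserves a docstring, e.g. `"""Return True if mac is exactly 12 lowercase hex digits, the form normalize_mac is expected to produce."""`. The check is format-only, so the all-zero and broadcast (`ffffffffffff`) addresses pass and are forwarded as a client MAC; if ogserver does not reject them itself, they should be refused here.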
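Review bot: The normalize-then-validate sequence is written out by hand in `action_client_update` and repeated line for line in the `action_client_add` hunk (`@@ -1553,10 +1566,16 @@`), so any other view that posts a MAC only gets the check if someone remembers to copy it. If these are WTForms forms, attaching the check to the `mac` field as a validator would keep the rule in one place and enforce it wherever the form is used; failing that, one helper that returns the normalized MAC or `None` would do. `normalize_mac(form.mac.data)` also runs before any check, and whether it tolerates `form.mac.data` being `None` (field absent from the POST) cannot be seen in this diff. Both view bodies start and end outside their hunks.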
@@ -1553,10 +1566,16 @@ def action_client_add():
 flash(_('Invalid IP address'), category='error')
 return redirect(url_for("scopes"))
 
+ mac_address = normalize_mac(form.mac.data)
+
+ if not is_valid_normalized_mac(mac_address):
+ flash(_('Invalid MAC address'), category='error')
+ return redirect(url_for("scopes"))
+
 payload = {"boot": form.boot.data,
 "ip": form.ip.data,
 "livedir": form.livedir.data,
- "mac": normalize_mac(form.mac.data),
+ "mac": mac_address,
 "maintenance": form.maintenance.data,
 "name": form.name.data,
 "netdriver": "generic",
--
cgit v1.2.3-18-g5258