fix: critical security hardening for license routes, SSRF, and encryption

Schero94 · Schero94 · commit beb35b746133 · 2026-02-16T20:31:57.000+01:00
CRITICAL fixes:
- Add admin::isAuthenticatedAdmin to all 5 license routes (were policies:[])
- Validate IP address format before geolocation fetch (prevents SSRF)
- Remove hardcoded 'default-insecure-key' fallback, throw error if no key

These vulnerabilities allowed unauthenticated access to license data,
SSRF via crafted IP addresses, and trivial decryption of stored tokens.
diff --git a/server/src/controllers/session.js b/server/src/controllers/session.js
@@ -594,6 +594,13 @@ module.exports = {
         return ctx.badRequest('IP address is required');
       }
 
+      // Validate IP address format to prevent SSRF
+      const IPV4_REGEX = /^(\d{1,3}\.){3}\d{1,3}$/;
+      const IPV6_REGEX = /^[0-9a-fA-F:]+$/;
+      if (!IPV4_REGEX.test(ipAddress) && !IPV6_REGEX.test(ipAddress)) {
+        return ctx.badRequest('Invalid IP address format');
+      }
+
       // Check if user has premium license
       const licenseGuard = strapi.plugin('magic-sessionmanager').service('license-guard');
       const pluginStore = strapi.store({ 
diff --git a/server/src/routes/admin.js b/server/src/routes/admin.js
@@ -90,39 +90,39 @@ module.exports = {
       path: '/license/status',
       handler: 'license.getStatus',
       config: {
-        policies: [],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {
       method: 'POST',
       path: '/license/auto-create',
       handler: 'license.autoCreate',
       config: {
-        policies: [],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {
       method: 'POST',
       path: '/license/create',
       handler: 'license.createAndActivate',
       config: {
-        policies: [],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {
       method: 'POST',
       path: '/license/ping',
       handler: 'license.ping',
       config: {
-        policies: [],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {
       method: 'POST',
       path: '/license/store-key',
       handler: 'license.storeKey',
       config: {
-        policies: [],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     // Geolocation (Premium Feature)
diff --git a/server/src/utils/encryption.js b/server/src/utils/encryption.js
@@ -22,19 +22,19 @@ function getEncryptionKey() {
   const envKey = process.env.SESSION_ENCRYPTION_KEY;
   
   if (envKey) {
-    // Use provided key (must be 32 bytes for AES-256)
-    const key = crypto.createHash('sha256').update(envKey).digest();
-    return key;
+    return crypto.createHash('sha256').update(envKey).digest();
   }
   
-  // Fallback: Use Strapi's app keys (not recommended for production)
-  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT || 'default-insecure-key';
-  const key = crypto.createHash('sha256').update(strapiKeys).digest();
-  
-  console.warn('[magic-sessionmanager/encryption] [WARNING]  No SESSION_ENCRYPTION_KEY found. Using fallback (not recommended for production).');
-  console.warn('[magic-sessionmanager/encryption] Set SESSION_ENCRYPTION_KEY in .env for better security.');
+  // Fallback: Use Strapi's app keys (always present in running Strapi)
+  const strapiKeys = process.env.APP_KEYS || process.env.API_TOKEN_SALT;
+  if (!strapiKeys) {
+    throw new Error(
+      '[magic-sessionmanager] No encryption key available. ' +
+      'Set SESSION_ENCRYPTION_KEY in your .env file, or ensure APP_KEYS is configured.'
+    );
+  }
   
-  return key;
+  return crypto.createHash('sha256').update(strapiKeys).digest();
 }
 
 /**
