Fix dns validation

Fang-Pen Lin
2025-12-12 17:15:24 -08:00
parent 5627a696cb
commit 4cf6a5f26d


@@ -4,6 +4,7 @@ import axios, { AxiosError } from "axios";
import { TPkiAcmeChallenges } from "@app/db/schemas/pki-acme-challenges";
import { getConfig } from "@app/lib/config/env";
import { crypto } from "@app/lib/crypto/cryptography";
import { BadRequestError, NotFoundError } from "@app/lib/errors";
import { isPrivateIp } from "@app/lib/ip/ipRange";
import { logger } from "@app/lib/logger";
@@ -124,9 +125,11 @@ export const pkiAcmeChallengeServiceFactory = ({
const recordValues = records.map((chunks) => chunks.join(""));
const thumbprint = challenge.auth.account.publicKeyThumbprint;
const expectedChallengeResponseBody = `${challenge.auth.token}.${thumbprint}`;
const keyAuthorization = `${challenge.auth.token}.${thumbprint}`;
const digest = crypto.nativeCrypto.createHash("sha256").update(keyAuthorization).digest();
const expectedChallengeResponseValue = Buffer.from(digest).toString("base64url");
if (!recordValues.some((recordValue) => recordValue.trim() === expectedChallengeResponseBody)) {
if (!recordValues.some((recordValue) => recordValue.trim() === expectedChallengeResponseValue)) {
throw new AcmeIncorrectResponseError({ message: "ACME DNS-01 challenge response is not correct" });
}
};
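Review bot: The new comparison against `expectedChallengeResponseValue` has no comment saying why the TXT record is matched against a digest, and the removed line shows exactly the misreading this invites; add above the `digest` line `// RFC 8555 §8.4: the DNS-01 TXT value is base64url(SHA-256(keyAuthorization)), never the key authorization itself`. If `nativeCrypto` is Node's crypto module, `createHash(...).digest()` already returns a Buffer, so the `Buffer.from(digest)` wrapper is redundant and the two lines collapse to `const expectedChallengeResponseValue = crypto.nativeCrypto.createHash("sha256").update(keyAuthorization).digest("base64url");`. A unit test pinning this value for a fixed token and thumbprint would keep the encoding from drifting again. The enclosing validation function starts before this hunk.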