steam 2fa for polling and security

local/utl/security/download_verifier.go

@@ -0,0 +1,76 @@
+package security
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"time"
+)
+
+type DownloadVerifier struct {
+	client *http.Client
+}
+
+func NewDownloadVerifier() *DownloadVerifier {
+	return &DownloadVerifier{
+		client: &http.Client{
+			Timeout: 30 * time.Second,
+			Transport: &http.Transport{
+				DisableKeepAlives: true,
+			},
+		},
+	}
+}
+
+func (dv *DownloadVerifier) VerifyAndDownload(url, outputPath, expectedSHA256 string) error {
+	if url == "" {
+		return fmt.Errorf("URL cannot be empty")
+	}
+	if outputPath == "" {
+		return fmt.Errorf("output path cannot be empty")
+	}
+
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %v", err)
+	}
+
+	req.Header.Set("User-Agent", "ACC-Server-Manager/1.0")
+
+	resp, err := dv.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to download: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("download failed with status: %d", resp.StatusCode)
+	}
+
+	file, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %v", err)
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	writer := io.MultiWriter(file, hash)
+
+	_, err = io.Copy(writer, resp.Body)
+	if err != nil {
+		os.Remove(outputPath)
+		return fmt.Errorf("failed to write file: %v", err)
+	}
+
+	if expectedSHA256 != "" {
+		actualHash := fmt.Sprintf("%x", hash.Sum(nil))
+		if actualHash != expectedSHA256 {
+			os.Remove(outputPath)
+			return fmt.Errorf("file hash mismatch: expected %s, got %s", expectedSHA256, actualHash)
+		}
+	}
+
+	return nil
+}

local/utl/security/path_validator.go

@@ -0,0 +1,95 @@
+package security
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+type PathValidator struct {
+	allowedBasePaths []string
+	blockedPatterns  []*regexp.Regexp
+}
+
+func NewPathValidator() *PathValidator {
+	blockedPatterns := []*regexp.Regexp{
+		regexp.MustCompile(`\.\.`),
+		regexp.MustCompile(`[<>:"|?*]`),
+		regexp.MustCompile(`^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$`),
+		regexp.MustCompile(`\x00`),
+		regexp.MustCompile(`^\\\\`),
+		regexp.MustCompile(`^[a-zA-Z]:\\Windows`),
+		regexp.MustCompile(`^[a-zA-Z]:\\Program Files`),
+	}
+
+	return &PathValidator{
+		allowedBasePaths: []string{
+			`C:\ACC-Servers`,
+			`D:\ACC-Servers`,
+			`E:\ACC-Servers`,
+			`C:\SteamCMD`,
+			`D:\SteamCMD`,
+			`E:\SteamCMD`,
+		},
+		blockedPatterns: blockedPatterns,
+	}
+}
+
+func (pv *PathValidator) ValidateInstallPath(path string) error {
+	if path == "" {
+		return fmt.Errorf("path cannot be empty")
+	}
+
+	cleanPath := filepath.Clean(path)
+	absPath, err := filepath.Abs(cleanPath)
+	if err != nil {
+		return fmt.Errorf("invalid path: %v", err)
+	}
+
+	for _, pattern := range pv.blockedPatterns {
+		if pattern.MatchString(absPath) || pattern.MatchString(strings.ToUpper(filepath.Base(absPath))) {
+			return fmt.Errorf("path contains forbidden patterns")
+		}
+	}
+
+	allowed := false
+	for _, basePath := range pv.allowedBasePaths {
+		if strings.HasPrefix(strings.ToLower(absPath), strings.ToLower(basePath)) {
+			allowed = true
+			break
+		}
+	}
+
+	if !allowed {
+		return fmt.Errorf("path must be within allowed directories: %v", pv.allowedBasePaths)
+	}
+
+	if len(absPath) > 260 {
+		return fmt.Errorf("path too long (max 260 characters)")
+	}
+
+	parentDir := filepath.Dir(absPath)
+	if parentInfo, err := os.Stat(parentDir); err == nil {
+		if !parentInfo.IsDir() {
+			return fmt.Errorf("parent path is not a directory")
+		}
+	}
+
+	return nil
+}
+
+func (pv *PathValidator) AddAllowedBasePath(path string) error {
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return fmt.Errorf("invalid base path: %v", err)
+	}
+
+	pv.allowedBasePaths = append(pv.allowedBasePaths, absPath)
+	return nil
+}
+
+func (pv *PathValidator) GetAllowedBasePaths() []string {
+	return append([]string(nil), pv.allowedBasePaths...)
+}