From 61a7c342a834253008acc05775c432e9da888e00 Mon Sep 17 00:00:00 2001
From: Aidaho <aidaho@roxy-wi.org>
Date: Thu, 10 Apr 2025 08:52:37 +0300
Subject: [PATCH] v8.1.7: Refactor and enhance cert routes and frontend
 blacklist handling

Replaced unsafe input checks with Pydantic validation, improving route type safety. Adjusted blacklist handling logic in the frontend and templates for better consistency. Fixed minor JS selector bugs and added hidden input for group_id in the config template.
---
 app/routes/add/routes.py                      | 26 +++++++++----------
 .../haproxy_section/templates/section.j2      |  2 +-
 app/static/js/edit_config.js                  | 16 ++++++++++--
 app/templates/ajax/config_show.html           |  1 +
 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/app/routes/add/routes.py b/app/routes/add/routes.py
index 184c4624..3da47e39 100644
--- a/app/routes/add/routes.py
+++ b/app/routes/add/routes.py
@@ -1,12 +1,12 @@
 import os
-from typing import Union
+from typing import Literal
 
 from flask import render_template, request, jsonify, redirect, url_for, g
 from flask_jwt_extended import jwt_required, get_jwt
 from flask_pydantic import validate
-from pydantic import IPvAnyAddress
 
-from app.modules.roxywi.class_models import SSLCertUploadRequest, DataStrResponse, SavedServerRequest, BaseResponse
+from app.modules.roxywi.class_models import SSLCertUploadRequest, DataStrResponse, SavedServerRequest, BaseResponse, \
+    EscapedString
 from app.routes.add import bp
 import app.modules.db.add as add_sql
 import app.modules.db.server as server_sql
@@ -19,7 +19,6 @@ import app.modules.roxy_wi_tools as roxy_wi_tools
 from app.views.service.haproxy_section_views import (GlobalSectionView, DefaultsSectionView, ListenSectionView,
                                                      UserListSectionView, PeersSectionView)
 from app.views.service.haproxy_lists_views import HaproxyListView
-from app.modules.roxywi.class_models import DomainName
 
 get_config = roxy_wi_tools.GetConfigVar()
 
@@ -106,9 +105,8 @@ def get_section_html():
 
 
 @bp.route('/haproxy/bwlists/<color>/<int:group>')
-def get_bwlists(color, group):
-    color = common.checkAjaxInput(color)
-
+@validate()
+def get_bwlists(color: Literal['black', 'white'], group):
     return add_mod.get_bwlists_for_autocomplete(color, group)
 
 
@@ -196,8 +194,8 @@ def get_certs(server_id: int):
 
 
 @bp.route('/cert/<int:server_id>/<cert_id>', methods=['DELETE', 'GET'])
-def get_cert(server_id: int, cert_id: str):
-    cert_id = common.checkAjaxInput(cert_id)
+@validate()
+def get_cert(server_id: int, cert_id: EscapedString):
     server_ip = server_sql.get_server(server_id).ip
     if request.method == 'DELETE':
         return add_mod.del_ssl_cert(server_ip, cert_id)
@@ -209,17 +207,17 @@ def get_cert(server_id: int, cert_id: str):
 @validate(body=SSLCertUploadRequest)
 def upload_cert(body: SSLCertUploadRequest):
     try:
-        data = add_mod.upload_ssl_cert(body.server_ip, body.name, body.cert.replace("'", ""))
+        data = add_mod.upload_ssl_cert(body.server_ip, body.name, body.cert.replace("'", ""), body.cert_type)
         return jsonify(data), 201
     except Exception as e:
         return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot upload SSL certificate')
 
 
-@bp.route('/cert/get/raw/<server_ip>/<cert_id>')
+@bp.route('/cert/get/raw/<server_id>/<cert_id>')
 @validate()
-def get_cert_raw(server_ip: Union[IPvAnyAddress, DomainName], cert_id):
-    cert_id = common.checkAjaxInput(cert_id)
-    return add_mod.get_ssl_raw_cert(str(server_ip), cert_id)
+def get_cert_raw(server_id: int, cert_id: EscapedString):
+    server_ip = server_sql.get_server(server_id).ip
+    return add_mod.get_ssl_raw_cert(server_ip, cert_id)
 
 
 @bp.route('/map', methods=['POST', 'PUT', 'DELETE', 'GET'])
diff --git a/app/scripts/ansible/roles/haproxy_section/templates/section.j2 b/app/scripts/ansible/roles/haproxy_section/templates/section.j2
index 65623a9b..f3e27415 100644
--- a/app/scripts/ansible/roles/haproxy_section/templates/section.j2
+++ b/app/scripts/ansible/roles/haproxy_section/templates/section.j2
@@ -32,7 +32,7 @@
     tcp-request content reject
     {% endif %}
     {% if config.blacklist and config.blacklist != 'None' -%}
-    tcp-request connection reject if { src -f {{ haproxy_dir }}/white/{{ config.blacklist }} }
+    tcp-request connection reject if { src -f {{ haproxy_dir }}/black/{{ config.blacklist }} }
     {% endif %}
 
     {% if config.acls != 'None' -%}
diff --git a/app/static/js/edit_config.js b/app/static/js/edit_config.js
index ec79faf3..950e83be 100644
--- a/app/static/js/edit_config.js
+++ b/app/static/js/edit_config.js
@@ -93,6 +93,18 @@ function openSection(section) {
 					$(section_id + ' input[name="port"]').get(i).value = bind.port;
 					i++;
 				}
+				if (data.blacklist) {
+					$('#'+section_type+'_blacklist_checkbox').prop("checked", true);
+					$("#" + section_type + "_blacklist-hide").show("fast");
+				} else {
+					$('#'+section_type+'_blacklist_checkbox').prop("checked", false);
+				}
+				if (data.whitelist) {
+					$('#'+section_type+'_whitelist_checkbox').prop("checked", true);
+					$("#" + section_type + "_whitelist-hide").show("fast");
+				} else {
+					$('#'+section_type+'_whitelist_checkbox').prop("checked", false);
+				}
 			}
 			if (section_type === 'listen' || section_type === 'backend') {
 				if (data.config.backend_servers) {
@@ -366,7 +378,7 @@ function addProxy(form_name, generate=false) {
 					data.data = data.data.replace(/\n/g, "<br>");
 					if (returnNiceCheckingConfig(data.data) === 0) {
 						toastr.info('Section has been added. Do not forget to restart the server');
-						let ip = frm.find('select[name=serv]').val();
+						let ip = $('select[name=serv]').val();
 						localStorage.setItem('restart', ip);
 						resetProxySettings();
 					}
@@ -401,7 +413,7 @@ function editProxy(form_name, dialog_id, generate=false) {
 				data.data = data.data.replace(/\n/g, "<br>");
 				if (returnNiceCheckingConfig(data.data) === 0) {
 					toastr.info('Section has been updated. Do not forget to restart the server');
-					let ip = frm.find('select[name=serv]').val();
+					let ip = $('select[name=serv]').val();
 					localStorage.setItem('restart', ip);
 					showConfig();
 					$(dialog_id).dialog( "close" );
diff --git a/app/templates/ajax/config_show.html b/app/templates/ajax/config_show.html
index 1de0ba5b..08487956 100644
--- a/app/templates/ajax/config_show.html
+++ b/app/templates/ajax/config_show.html
@@ -424,6 +424,7 @@
             openSection('{{ edit_section }}');
         {% endif %}
 	</script>
+<input type="hidden" id="group_id" value="{{ g.user_params['group_id']|string() }}">
 <div id="edit-section" style="display: none;"></div>
 <div id="dialog-confirm" style="display: none;">
     <p><span class="ui-icon ui-icon-alert" style="float:left; margin:3px 12px 20px 0;"></span>Are you sure?</p>