Skip to content

fix: API security hardening and stability improvements#5

Open
Daymarvi wants to merge 1 commit into
webalexeu:mainfrom
Daymarvi:fix/api-security-and-reliability
Open

fix: API security hardening and stability improvements#5
Daymarvi wants to merge 1 commit into
webalexeu:mainfrom
Daymarvi:fix/api-security-and-reliability

Conversation

@Daymarvi

Copy link
Copy Markdown

Summary

This PR improves the WinBGP API security and stability with 4 changes:

Changes

  1. Input validation on RouteName (Security)

    • Reject API query string RouteName containing non-alphanumeric characters (;, |, ', spaces, etc.)
    • Returns HTTP 400 Bad Request with a warning logged to Event Log
    • Prevents potential injection when RouteName is passed to WinBGP cmdlets
  2. Request processing try/catch (Stability)

    • Wrap all GET/POST request processing in try/catch
    • A single failed request (e.g. ConvertTo-Json error, Get-BgpPeer timeout) no longer crashes the entire API listener
    • Returns HTTP 500 Internal Server Error instead of killing the listener
  3. HttpListener try/finally (Resource leak)

    • Ensure $listener.Stop() and $listener.Close() are always called, even on unhandled exception
    • Prevents the listening port from remaining blocked after a crash
  4. EventLog Dispose (Memory leak)

    • [System.Diagnostics.EventLog]::new() in Write-Log with AdditionalFields was never disposed
    • Added try/finally with $NewEvent.Dispose() to prevent handle exhaustion in long-running service

Test Results

Tested on proper server (WinBGP service running, 3 active routes):

Test Description Expected Result
1a RouteName=test;evil 400 ✅ 400
1b RouteName=test|whoami 400 ✅ 400
1c RouteName=test'drop 400 ✅ 400
1d Valid RouteName (dots, hyphens) 200 ✅ 200
2 GET /api/nonexistent 501, API still running
3 Event Log Warnings logged for rejected requests
4 GET /api/routes Returns 3 routes
5 GET /metrics Prometheus metrics returned

Event Log evidence from winbgp -logs

17/06/2026 07:56:36 Warning API rejected invalid RouteName 'test'drop' from '127.0.0.1'
17/06/2026 07:56:30 Warning API rejected invalid RouteName 'test|whoami' from '127.0.0.1'
17/06/2026 07:56:15 Warning API rejected invalid RouteName 'test;evil' from '127.0.0.1'

Files changed

  • src/WinBGP-API.ps1

- Add RouteName input validation: reject non-alphanumeric characters
  to prevent injection via API query strings (returns HTTP 400)
- Wrap request processing in try/catch to prevent a single failed
  request from crashing the entire API listener (returns HTTP 500)
- Wrap HttpListener lifecycle in try/finally to ensure cleanup on
  unhandled exception (prevents port remaining blocked)
- Fix EventLog handle leak: Dispose() EventLog objects in Write-Log
  when using AdditionalFields (prevents handle exhaustion)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant