From 02aae56f05f313e7a5bc59d1e2551864dbea9a12 Mon Sep 17 00:00:00 2001
From: Stephan de Wit
Date: Mon, 19 Jun 2023 13:49:39 +0200
Subject: [PATCH] dhcp: unbound_watcher: validate client hostnames
---
 src/opnsense/scripts/dhcp/unbound_watcher.py | 25 ++++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/opnsense/scripts/dhcp/unbound_watcher.py b/src/opnsense/scripts/dhcp/unbound_watcher.py
index 824252b27..94381c663 100755
--- a/src/opnsense/scripts/dhcp/unbound_watcher.py
+++ b/src/opnsense/scripts/dhcp/unbound_watcher.py
@@ -36,6 +36,7 @@ import time
 import tempfile
 import argparse
 import syslog
+import re
 from configparser import ConfigParser
 sys.path.insert(0, "/usr/local/opnsense/site-python")
 from daemonize import Daemonize
@@ -62,6 +63,10 @@ def unbound_control(commands, input=None, output_stream=None):
 if output_stream:
 output_stream.seek(0)
+def valid_hostname(hostname):
+ hostname = hostname.rstrip('.')
+ correct = re.compile("(?!-)[A-Z0-9-]{1,63}(? time.time() \
 and 'client-hostname' in lease and 'address' in lease and lease['client-hostname']:
- address = ipaddress.ip_address(lease['address'])
- lease['domain'] = default_domain
- for lease_config in lease_configs:
- if lease_config['start'] <= address <= lease_config['end']:
- lease['domain'] = lease_config['domain']
- cached_leases[lease['address']] = lease
- dhcpd_changed = True
+ if valid_hostname(lease['client-hostname']):
+ address = ipaddress.ip_address(lease['address'])
+ lease['domain'] = default_domain
+ for lease_config in lease_configs:
+ if lease_config['start'] <= address <= lease_config['end']:
+ lease['domain'] = lease_config['domain']
+ cached_leases[lease['address']] = lease
+ dhcpd_changed = True
+ else:
+ syslog.syslog(
+ syslog.LOG_WARNING,
+ "dhcpd leases: %s not a valid hostname, ignoring" % cached_leases[address]['client-hostname']
+ )
 remove_rr = list()
 add_rr = list()
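Review bot: The warning in the new `else:` branch formats `cached_leases[address]['client-hostname']`, but `address` is only assigned inside the `if valid_hostname(...)` branch and `cached_leases` is keyed by the string `lease['address']`, so a rejected hostname appears to raise NameError (or KeyError once `address` holds an `ipaddress` object from an earlier lease) instead of being logged and skipped. The rejected value is on the current lease, so the argument should be `lease['client-hostname']`. That string is client-supplied and has just failed validation, so formatting it with `%r` (or truncating it) would keep control characters and oversized names out of the syslog line. The enclosing loop starts outside the visible hunk, and the body of `valid_hostname` is cut off on this page, so the pattern itself could not be checked here.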