Validate client and proxy supplied strings

Malicious clients and proxies can provide potentially malicious strings
in the polls. This validates the NAT type and proxy type strings to
ensure that malformed strings are not displayed on a web page
or passed to any of our monitoring infrastructure.

If a client or proxy supplies an invalid NAT type, we return an error
message. If a proxy supplies an unknown proxy type, we set the proxy
type to unknown.

common/messages/client.go

@@ -6,6 +6,8 @@ package messages
 import (
 	"encoding/json"
 	"fmt"
+
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/nat"
 )
 
 const ClientVersion = "1.0"
@@ -73,8 +75,14 @@ func DecodeClientPollRequest(data []byte) (*ClientPollRequest, error) {
 		return nil, fmt.Errorf("no supplied offer")
 	}
 
-	if message.NAT == "" {
-		message.NAT = "unknown"
+	switch message.NAT {
+	case "":
+		message.NAT = nat.NATUnknown
+	case nat.NATUnknown:
+	case nat.NATRestricted:
+	case nat.NATUnrestricted:
+	default:
+		return nil, fmt.Errorf("invalid NAT type")
 	}
 
 	return &message, nil

common/messages/messages_test.go

@@ -22,7 +22,7 @@ func TestDecodeProxyPollRequest(t *testing.T) {
 			{
 				//Version 1.0 proxy message
 				"ymbcCMto7KHNGYlp",
-				"",
+				"unknown",
 				"unknown",
 				0,
 				`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`,

common/messages/proxy.go

@@ -7,9 +7,18 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+
+	"git.torproject.org/pluggable-transports/snowflake.git/v2/common/nat"
 )
 
-const version = "1.2"
+const (
+	version = "1.2"
+
+	ProxyStandalone = "standalone"
+	ProxyWebext     = "webext"
+	ProxyBadge      = "badge"
+	ProxyUnknown    = "unknown"
+)
 
 /* Version 1.2 specification:
 
@@ -116,12 +125,28 @@ func DecodePollRequest(data []byte) (sid string, proxyType string, natType strin
 		return
 	}
 
-	natType = message.NAT
-	if natType == "" {
-		natType = "unknown"
+	switch message.NAT {
+	case "":
+		message.NAT = nat.NATUnknown
+	case nat.NATUnknown:
+	case nat.NATRestricted:
+	case nat.NATUnrestricted:
+	default:
+		err = fmt.Errorf("invalid NAT type")
+		return
+	}
+
+	// we don't reject polls with an unknown proxy type because we encourage
+	// projects that embed proxy code to include their own type
+	switch message.Type {
+	case ProxyStandalone:
+	case ProxyWebext:
+	case ProxyBadge:
+	default:
+		message.Type = ProxyUnknown
 	}
 
-	return message.Sid, message.Type, natType, message.Clients, nil
+	return message.Sid, message.Type, message.NAT, message.Clients, nil
 }
 
 type ProxyPollResponse struct {