From 0969bbdda92aef8568e72dbdda338b7cdf920191 Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Tue, 31 Jan 2023 12:15:22 +0100
Subject: Server: Add script-security 0 to the OpenVPN config

This prevents scripts from being executed by default. Clients can override this by either using the OpenVPN --script-security flag or add a script-security setting themselves.
---
 client/client_test.go | 6 ++++--
 internal/server/server.go | 13 +++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/client/client_test.go b/client/client_test.go
index b4b944b..4356736 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -391,7 +391,8 @@ func TestPreferTCP(t *testing.T) {
 t.Fatalf("Config error: %v", configErr)
 }
- if !strings.HasSuffix(config.Config, "udp") {
+ // We also test for script security 0 here
+ if !strings.HasSuffix(config.Config, "udp\nscript-security 0") {
 t.Fatalf("Suffix for prefer TCP is not in the right order for config: %s", config)
 }
@@ -401,8 +402,9 @@ func TestPreferTCP(t *testing.T) {
 t.Fatalf("Config error: %v", configErr)
 }
+ // We also test for script security 0 here
 if config.Type == "openvpn" &&
- !strings.HasSuffix(config.Config, "tcp") {
+ !strings.HasSuffix(config.Config, "tcp\nscript-security 0") {
 t.Fatalf("Suffix for disable prefer TCP is not in the right order for config: %s", config.Config)
 }
 }
diff --git a/internal/server/server.go b/internal/server/server.go
index 7503219..0a0ac95 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
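Review bot: The new assertion `strings.HasSuffix(config.Config, "udp\nscript-security 0")` folds the proto-ordering check and the script-security check into one, so a regression in either fails with the same "Suffix for prefer TCP is not in the right order" message, and the `tcp\nscript-security 0` variant in the second hunk has the same problem. Asserting the `\nscript-security 0` suffix on its own first, then running the existing proto check on `strings.TrimSuffix(config.Config, "\nscript-security 0")`, keeps each failure attributable. Being the last line is the property worth naming in the comment, because OpenVPN keeps the last occurrence of a directive and that is what lets the appended line override a higher `script-security` level placed earlier in the server-supplied config; `// We also test for script security 0 here` does not say why the position matters. The first hunk's check is also unconditional while the second is guarded by `config.Type == "openvpn"`, so if the prefer-TCP path can ever yield a WireGuard config the first would now fail on an OpenVPN-only directive with a misleading message — the hunks do not show which types that path returns. TestPreferTCP starts before the first hunk.
```go
// script-security 0 must be the last directive: OpenVPN keeps the last
// occurrence, so this is what overrides any earlier level in the server config.
if !strings.HasSuffix(config.Config, "\nscript-security 0") {
	t.Fatalf("script-security 0 is not the last directive of config: %s", config.Config)
}
if !strings.HasSuffix(strings.TrimSuffix(config.Config, "\nscript-security 0"), "udp") {
	t.Fatalf("Suffix for prefer TCP is not in the right order for config: %s", config)
}
// … unchanged: second GetConfig call and the tcp variant of the same check …
```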
@@ -284,19 +284,28 @@ func Config(server Server, wireguardSupport bool, preferTCP bool) (*ConfigData,
 }
 }
 
+ var cfg *ConfigData
+
 switch {
 // The config supports wireguard and optionally openvpn
 case wg:
 // A wireguard connect call needs to generate a wireguard key and add it to the config
 // Also the server could send back an OpenVPN config if it supports OpenVPN
- return wireguardGetConfig(server, preferTCP, ovpn)
+ cfg, err = wireguardGetConfig(server, preferTCP, ovpn)
 // The config only supports OpenVPN
 case ovpn:
- return openVPNGetConfig(server, preferTCP)
+ cfg, err = openVPNGetConfig(server, preferTCP)
 // The config supports no available protocol because the profile only supports WireGuard but the client doesn't
 default:
 return nil, errors.Errorf("no supported protocol found")
 }
+
+ // Add script security 0 to disable OpenVPN scripts
+ // The client may override this but we provide the default protection here
+ if err == nil && cfg.Type == "openvpn" {
+ cfg.Config += "\nscript-security 0"
+ }
+ return cfg, err
 }
 
 func Disconnect(server Server) error {
-- 
cgit v1.2.3
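Review bot: `script-security 0` in the appended line also forbids OpenVPN's own built-in executables (ifconfig, route, netsh): level 1, OpenVPN's default, is the minimum for those, and level 2 is what enables user-defined up/down/plugin scripts, so on platforms where the openvpn binary configures the interface through those tools level 0 can break tunnel setup, and unless the consuming clients are known not to rely on them, `cfg.Config += "\nscript-security 1"` gives the same protection against server-supplied scripts without that risk. The placement is what makes the protection work — OpenVPN keeps the last occurrence of a directive, so appending it overrides any `script-security 2` earlier in the server-supplied config — and the comment should say so, e.g. `// Appended last so it overrides any script-security directive earlier in the server-supplied config (OpenVPN keeps the last occurrence)`. The comment's claim that the client may override this presumably holds only when `--script-security` is given after `--config` on the command line, since options are processed in order, so it is worth hedging. `err == nil && cfg.Type == "openvpn"` dereferences cfg without a nil check, which would panic if either helper ever returned (nil, nil); the hunk does not show whether they can. Config's body begins before this hunk.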