ech-rotate: validate get dns_records before proceeding with rotation

vincejv · vincejv · commit d9c034da2c21 · 2025-11-03T18:31:22.000+08:00
diff --git a/ech-rotate.sh b/ech-rotate.sh
@@ -62,11 +62,27 @@ rotate_ech() {
     reload_nginx
 
     # 5. Backup DNS records for rollback
+    log "Backing up current HTTPS DNS records..."
     backup_file=$(mktemp)
-    curl -s -X GET "$CF_ZONE_URL/$CF_ZONE_ID/dns_records?type=HTTPS" \
+
+    BACKUP_RESP=$(curl -s --fail-with-body -X GET \
+        "$CF_ZONE_URL/$CF_ZONE_ID/dns_records?type=HTTPS" \
         -H "Authorization: Bearer $CF_API_TOKEN" \
-        -H "Content-Type: application/json" \
-        > "$backup_file"
+        -H "Content-Type: application/json" ) || {
+            log "Failed to contact Cloudflare for backup"
+            return 1
+        }
+
+    # Validate JSON and success flag
+    if ! jq -e '.success == true and (.result | type=="array")' >/dev/null 2>&1 <<<"$BACKUP_RESP"; then
+        log "Backup failed: invalid or unsuccessful Cloudflare response"
+        echo "$BACKUP_RESP" | jq -C . >&2 || echo "$BACKUP_RESP" >&2
+        return 1
+    fi
+
+    # Write only validated data
+    echo "$BACKUP_RESP" > "$backup_file"
+    log "Backup saved to $backup_file (entries: $(jq '.result | length' "$backup_file"))"
 
     # 5-6. Update DNS Records
     source /usr/local/bin/update-https-records.sh
diff --git a/update-https-records.sh b/update-https-records.sh
@@ -25,7 +25,7 @@ update_https_records() {
     # 3. Publish HTTPS DNS record to Cloudflare (update only ech field)
     # Common curl options
     # use the DNS batch API schema (posts, patches, puts, deletes)
-    CURL_OPTS=(-s --retry 5 --retry-delay 2 --retry-connrefused)
+    CURL_OPTS=(-s --fail-with-body --retry 5 --retry-delay 2 --retry-connrefused)
 
     POSTS=()
     PATCHES=()
@@ -35,7 +35,17 @@ update_https_records() {
         --data-urlencode "type=HTTPS" \
         -H "Authorization: Bearer $CF_API_TOKEN" \
         -H "Content-Type: application/json" \
-        "$CF_ZONE_URL/$CF_ZONE_ID/dns_records")
+        "$CF_ZONE_URL/$CF_ZONE_ID/dns_records") || {
+            log "Curl request failed (transport or HTTP error) when fetching existing DNS records"
+            return 1
+        }
+
+    # Validate JSON + success flag
+    if ! jq -e '.success == true' >/dev/null 2>&1 <<<"$ALL_RECORDS"; then
+        log "Cloudflare API returned failure or invalid JSON"
+        echo "$ALL_RECORDS" | jq -C . >&2 || echo "$ALL_RECORDS" >&2
+        return 1
+    fi
 
     for d in "${SUBDOMAINS_ARR[@]}"; do
         RECORD_RAW=$(jq --arg name "$d" '.result[] | select(.name==$name)' <<<"$ALL_RECORDS")
