fix: disallow out of range ports (#12414)

coderd/workspaceagentportshare.go

@@ -33,6 +33,25 @@ func (api *API) postWorkspaceAgentPortShare(rw http.ResponseWriter, r *http.Requ
 	if !req.ShareLevel.ValidPortShareLevel() {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "Port sharing level not allowed.",
+			Validations: []codersdk.ValidationError{
+				{
+					Field:  "share_level",
+					Detail: "Port sharing level not allowed.",
+				},
+			},
+		})
+		return
+	}
+
+	if req.Port < 9 || req.Port > 65535 {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Port must be between 9 and 65535.",
+			Validations: []codersdk.ValidationError{
+				{
+					Field:  "port",
+					Detail: "Port must be between 9 and 65535.",
+				},
+			},
 		})
 		return
 	}

coderd/workspaceagentportshare_test.go

@@ -54,6 +54,20 @@ func TestPostWorkspaceAgentPortShare(t *testing.T) {
 	})
 	require.Error(t, err)
 
+	// invalid port should fail
+	_, err = client.UpsertWorkspaceAgentPortShare(ctx, r.Workspace.ID, codersdk.UpsertWorkspaceAgentPortShareRequest{
+		AgentName:  agents[0].Name,
+		Port:       0,
+		ShareLevel: codersdk.WorkspaceAgentPortShareLevelPublic,
+	})
+	require.Error(t, err)
+	_, err = client.UpsertWorkspaceAgentPortShare(ctx, r.Workspace.ID, codersdk.UpsertWorkspaceAgentPortShareRequest{
+		AgentName:  agents[0].Name,
+		Port:       90000000,
+		ShareLevel: codersdk.WorkspaceAgentPortShareLevelPublic,
+	})
+	require.Error(t, err)
+
 	// OK, ignoring template max port share level because we are AGPL
 	ps, err := client.UpsertWorkspaceAgentPortShare(ctx, r.Workspace.ID, codersdk.UpsertWorkspaceAgentPortShareRequest{
 		AgentName:  agents[0].Name,