Fixed issue with relative paths leaving parent folder

This commit is contained in:
Borna Rajković 2024-01-07 20:23:15 +01:00
parent 5afa848fec
commit 009cd8f654
2 changed files with 24 additions and 1 deletions


@ -53,6 +53,10 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
return
}
if !isValidPath(request.Path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
content, err := base64.StdEncoding.DecodeString(request.Content)
if err != nil {
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
@ -83,6 +87,13 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
}
}
func isValidPath(currentPath string) bool {
if strings.HasPrefix(currentPath, "../") || strings.Contains(currentPath, "/../") {
return false
}
return true
}
func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) {
from := c.Query("from")
@ -103,6 +114,10 @@ func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) {
path := c.Query("path")
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
url, err := resourceManager.Presign(c, path)
if err != nil {
c.AbortWithStatus(404)
@ -126,6 +141,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
} else {
path = c.Query("path")
}
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
log.Printf("Downloading '%s'...", path)
data, err := resourceManager.Download(c, path)
if err == nil {
@ -141,6 +160,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) {
path := c.Query("path")
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
log.Printf("Deleting '%s'...", path)
if err := resourceManager.Delete(path); err != nil {
_ = c.AbortWithError(400, err)
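Review bot: isValidPath (lines 25-30 of this section) still accepts a path that is exactly `..` or that ends in `/..` (for example `dir/..`), because it only tests for a leading `../` and an embedded `/../`; every handler in this file that calls it inherits that gap. Testing each slash-separated segment for `..` closes both cases, and the error string repeated in the five handlers can then simply say that the path must not contain a `..` component. If the resource manager ever resolves these paths on a local filesystem on Windows, `\`-separated input would need the same treatment, which cannot be confirmed from this hunk. As a minor style point, `log.Printf("Downloading '%s'...", path)` and the matching `Deleting` line would be clearer with `%q`, since the path is user-supplied. The handler bodies that call isValidPath start and end outside the hunks shown.
```go
// isValidPath reports whether currentPath contains no ".." segment, so it
// cannot climb above the directory it is resolved against.
func isValidPath(currentPath string) bool {
	for _, seg := range strings.Split(currentPath, "/") {
		if seg == ".." {
			return false
		}
	}
	return true
}
```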


@ -53,7 +53,7 @@ func Secure(types ...security.Type) gin.HandlerFunc {
if !exists {
abort(c, nil, http.StatusUnauthorized, "missing auth")
} else {
securityType := security.Type(value.(string))
securityType := value.(security.Type)
for _, t := range types {
if t == securityType {
return
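Review bot: The new line `securityType := value.(security.Type)` is a single-value type assertion, so if any producer still stores the context value as a plain string (the removed line shows that was the previous convention) the middleware panics instead of answering 401. Use the two-value form and treat a mismatch like a missing value: `securityType, ok := value.(security.Type)` followed by `if !ok { abort(c, nil, http.StatusUnauthorized, "missing auth"); return }`. Whether every place that sets this context value was updated in the same commit cannot be seen from this hunk, and Secure's body starts and ends outside it.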