Fixed issue with relative paths leaving parent folder
This commit is contained in:
parent
5afa848fec
commit
009cd8f654
23
api/api.go
23
api/api.go
|
@ -53,6 +53,10 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
|
|||
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
|
||||
return
|
||||
}
|
||||
if !isValidPath(request.Path) {
|
||||
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
|
||||
return
|
||||
}
|
||||
content, err := base64.StdEncoding.DecodeString(request.Content)
|
||||
if err != nil {
|
||||
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
|
||||
|
@ -83,6 +87,13 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
|
|||
}
|
||||
}
|
||||
|
||||
func isValidPath(currentPath string) bool {
|
||||
if strings.HasPrefix(currentPath, "../") || strings.Contains(currentPath, "/../") {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
from := c.Query("from")
|
||||
|
@ -103,6 +114,10 @@ func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
|
|||
func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
path := c.Query("path")
|
||||
if !isValidPath(path) {
|
||||
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
|
||||
return
|
||||
}
|
||||
url, err := resourceManager.Presign(c, path)
|
||||
if err != nil {
|
||||
c.AbortWithStatus(404)
|
||||
|
@ -126,6 +141,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
|
|||
} else {
|
||||
path = c.Query("path")
|
||||
}
|
||||
if !isValidPath(path) {
|
||||
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
|
||||
return
|
||||
}
|
||||
log.Printf("Downloading '%s'...", path)
|
||||
data, err := resourceManager.Download(c, path)
|
||||
if err == nil {
|
||||
|
@ -141,6 +160,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
|
|||
func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
path := c.Query("path")
|
||||
if !isValidPath(path) {
|
||||
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
|
||||
return
|
||||
}
|
||||
log.Printf("Deleting '%s'...", path)
|
||||
if err := resourceManager.Delete(path); err != nil {
|
||||
_ = c.AbortWithError(400, err)
|
||||
|
|
|
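Review bot: isValidPath in the second hunk still admits traversal that is not followed by a slash: `..`, `foo/..` and `a/b/../../..` contain neither the `../` prefix nor `/../`, yet resolve above the base directory once the resource manager joins them. Normalising with path.Clean before testing, and rejecting a result that is `..` or starts with `../`, closes those cases (this needs a `"path"` import); if the manager writes to a local filesystem, filepath.IsLocal (Go 1.20+) is the stricter built-in, though the module's Go version is not visible here. Rejecting absolute paths is deliberately not proposed because whether the manager treats them as object keys or filesystem paths is not visible. The check is wired into HandleUpload, HandlePresign, HandleDownload and HandleDelete, but in the visible context of HandleCopy neither `from` nor the destination is validated — confirm that happens outside the hunk. The three log lines use `'%s'` on caller-supplied paths; `%q` would make empty or control-character values visible in the log.
```go
// isValidPath reports whether currentPath, once cleaned, still resolves
// inside the resource root: it must not be ".." and must not start with "../".
func isValidPath(currentPath string) bool {
	cleaned := path.Clean(currentPath)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return false
	}
	return true
}
```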
@ -53,7 +53,7 @@ func Secure(types ...security.Type) gin.HandlerFunc {
|
|||
if !exists {
|
||||
abort(c, nil, http.StatusUnauthorized, "missing auth")
|
||||
} else {
|
||||
securityType := security.Type(value.(string))
|
||||
securityType := value.(security.Type)
|
||||
for _, t := range types {
|
||||
if t == securityType {
|
||||
return
|
||||
|
|
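Review bot: Both the removed and the added securityType line in Secure use a single-value type assertion, which panics when the context value is not of the asserted type, so a stray or mistyped value set by another middleware turns an authorization check into a 500 via recovery middleware rather than a 401; the file header for this hunk is not visible, so which of the two lines is the new one is inferred from print order. A two-value assertion keeps a malformed value on the unauthorized path: `securityType, ok := value.(security.Type)` followed by `if !ok { abort(c, nil, http.StatusUnauthorized, "invalid auth"); return }` (message constructed to match the existing abort style). Secure's body starts and ends outside the hunk.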