Fixed issue with relative paths leaving parent folder

This commit is contained in:
Borna Rajković 2024-01-07 20:23:15 +01:00
parent 5afa848fec
commit 009cd8f654
2 changed files with 24 additions and 1 deletions


@ -53,6 +53,10 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"}) c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
return return
} }
if !isValidPath(request.Path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
content, err := base64.StdEncoding.DecodeString(request.Content) content, err := base64.StdEncoding.DecodeString(request.Content)
if err != nil { if err != nil {
c.AbortWithStatusJSON(400, gin.H{"error": "bad request"}) c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
@ -83,6 +87,13 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
} }
} }
func isValidPath(currentPath string) bool {
if strings.HasPrefix(currentPath, "../") || strings.Contains(currentPath, "/../") {
return false
}
return true
}
func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc { func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
from := c.Query("from") from := c.Query("from")
@ -103,6 +114,10 @@ func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc { func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
path := c.Query("path") path := c.Query("path")
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
url, err := resourceManager.Presign(c, path) url, err := resourceManager.Presign(c, path)
if err != nil { if err != nil {
c.AbortWithStatus(404) c.AbortWithStatus(404)
@ -126,6 +141,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
} else { } else {
path = c.Query("path") path = c.Query("path")
} }
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
log.Printf("Downloading '%s'...", path) log.Printf("Downloading '%s'...", path)
data, err := resourceManager.Download(c, path) data, err := resourceManager.Download(c, path)
if err == nil { if err == nil {
@ -141,6 +160,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc { func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
path := c.Query("path") path := c.Query("path")
if !isValidPath(path) {
c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
return
}
log.Printf("Deleting '%s'...", path) log.Printf("Deleting '%s'...", path)
if err := resourceManager.Delete(path); err != nil { if err := resourceManager.Delete(path); err != nil {
_ = c.AbortWithError(400, err) _ = c.AbortWithError(400, err)
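Review bot: `isValidPath`, the helper added in the second hunk, rejects only a leading `../` and an embedded `/../`, so a path that is exactly `..`, one that resolves upward through a trailing `/..` (e.g. `a/../..`), or an absolute path such as `/etc/passwd` still passes and reaches `resourceManager` in Upload, Presign, Download and Delete. Normalising with `path.Clean` before checking closes those variants; the rewrite below uses the `path` package, which may need importing since only `strings` is visible here, and the 400 message `path cannot start with ../ or contain /../` should be reworded once the rule changes. Whether backslash separators also need rejecting depends on what the resource manager does with the path, which is not visible in this diff. `HandleCopy` reads `from` and `to` query values (its hunk ends at `from := c.Query("from")` and the body continues outside it), and no call to `isValidPath` is visible for either.
```go
// isValidPath reports whether p stays inside the storage root: after
// cleaning it must not be absolute and must not be or begin with "..".
func isValidPath(p string) bool {
	clean := path.Clean(p)
	if path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../") {
		return false
	}
	return true
}
```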


@ -53,7 +53,7 @@ func Secure(types ...security.Type) gin.HandlerFunc {
if !exists { if !exists {
abort(c, nil, http.StatusUnauthorized, "missing auth") abort(c, nil, http.StatusUnauthorized, "missing auth")
} else { } else {
securityType := security.Type(value.(string)) securityType := value.(security.Type)
for _, t := range types { for _, t := range types {
if t == securityType { if t == securityType {
return return
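Review bot: The new `value.(security.Type)` on the changed line (assuming the right-hand copy is the new side) is an unchecked type assertion, so if whatever stores this context key ever puts a plain string there, as the removed `security.Type(value.(string))` suggests it once did, the middleware panics instead of rejecting the request. Use the comma-ok form and treat a mismatch like missing auth: `securityType, ok := value.(security.Type)` followed by `if !ok { abort(c, nil, http.StatusUnauthorized, "missing auth"); return }`. The code that writes the key is not in this diff, so confirm it now stores a `security.Type`; `Secure`'s loop and function body continue past the end of the hunk.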