nilix/felt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

anti path traversal

Browse source
This commit is contained in:
Iris Lightshard 2024-05-03 19:21:51 -06:00
parent 140e775d66
commit 9e754b0733
Signed by: Iris Lightshard
GPG key ID: 688407174966CAF3
2 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
admin/admin.go
View file

@ -17,6 +17,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"regexp" "regexp"
"strings"
) )
func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler { func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {
@ -201,16 +202,23 @@ func apiUploadImg(next http.Handler, dbAdapter mongodb.DbAdapter, uploads, uploa
// check for filename; call create to overwrite regardless // check for filename; call create to overwrite regardless
// get file data from multipart form // get file data from multipart form
header := f.File["file"][0] header := f.File["file"][0]
if strings.Contains(header.Filename, "/") {
w.WriteHeader(422)
next.ServeHTTP(w, req)
return
}
file, err := header.Open() file, err := header.Open()
if err != nil { if err != nil {
fmt.Println(err.Error()) fmt.Println(err.Error())
w.WriteHeader(500) w.WriteHeader(500)
next.ServeHTTP(w, req) next.ServeHTTP(w, req)
return
} }
fileData, err := ioutil.ReadAll(file) fileData, err := ioutil.ReadAll(file)
if err != nil { if err != nil {
w.WriteHeader(500) w.WriteHeader(500)
next.ServeHTTP(w, req) next.ServeHTTP(w, req)
return
} }
// write to file // write to file
destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename) destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)
@ -282,7 +290,6 @@ func apiListImages(next http.Handler, uploads string, uploadType string, udb aut
} }
w.WriteHeader(422) w.WriteHeader(422)
next.ServeHTTP(w, req) next.ServeHTTP(w, req)
return
} }
return http.HandlerFunc(handlerFunc) return http.HandlerFunc(handlerFunc)
@ -316,6 +323,11 @@ func apiDeleteImage(next http.Handler, uploads string, uploadType string, udb au
if dbAdapter.CheckTable(tableKey) { if dbAdapter.CheckTable(tableKey) {
// if the file exists, delete it and return 201 // if the file exists, delete it and return 201
filename := urlParams["file"] filename := urlParams["file"]
if strings.Contains(filename, "/") {
w.WriteHeader(422)
next.ServeHTTP(w, req)
return
}
fullPath := filepath.Join(uploads, tableName, uploadType, filename) fullPath := filepath.Join(uploads, tableName, uploadType, filename)
s, err := os.Stat(fullPath) s, err := os.Stat(fullPath)
if err == nil && !s.IsDir() { if err == nil && !s.IsDir() {

2
static/index.html
View file

@ -146,7 +146,7 @@
</form> </form>
</details> </details>
<div id="lag" style="display:none;">lag...</div> <div id="lag" style="display:none;">lag...</div>
<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div> <div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
</nav> </nav>
</body> </body>
<script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script> <script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>