anti path traversal

This commit is contained in:
Iris Lightshard 2024-05-03 19:21:51 -06:00
parent 140e775d66
commit 9e754b0733
Signed by: Iris Lightshard
GPG key ID: 688407174966CAF3
2 changed files with 14 additions and 2 deletions


@ -17,6 +17,7 @@ import (
"os"
"path/filepath"
"regexp"
"strings"
)
func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {
@ -201,16 +202,23 @@ func apiUploadImg(next http.Handler, dbAdapter mongodb.DbAdapter, uploads, uploa
// check for filename; call create to overwrite regardless
// get file data from multipart form
header := f.File["file"][0]
if strings.Contains(header.Filename, "/") {
w.WriteHeader(422)
next.ServeHTTP(w, req)
return
}
file, err := header.Open()
if err != nil {
fmt.Println(err.Error())
w.WriteHeader(500)
next.ServeHTTP(w, req)
return
}
fileData, err := ioutil.ReadAll(file)
if err != nil {
w.WriteHeader(500)
next.ServeHTTP(w, req)
return
}
// write to file
destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)
@ -282,7 +290,6 @@ func apiListImages(next http.Handler, uploads string, uploadType string, udb aut
}
w.WriteHeader(422)
next.ServeHTTP(w, req)
return
}
return http.HandlerFunc(handlerFunc)
@ -316,6 +323,11 @@ func apiDeleteImage(next http.Handler, uploads string, uploadType string, udb au
if dbAdapter.CheckTable(tableKey) {
// if the file exists, delete it and return 201
filename := urlParams["file"]
if strings.Contains(filename, "/") {
w.WriteHeader(422)
next.ServeHTTP(w, req)
return
}
fullPath := filepath.Join(uploads, tableName, uploadType, filename)
s, err := os.Stat(fullPath)
if err == nil && !s.IsDir() {
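Review bot: The new slash check at the top of the apiUploadImg hunk (and the identical one on `filename` in apiDeleteImage) still admits the names `.` and `..`, and on Windows a `\` separator, so `filepath.Join` cleans the name away and the resulting path is the uploadType directory itself rather than a file inside it; the delete path is partly saved by the `!s.IsDir()` test, the upload path only by whatever the later write does with a directory path. Rejecting anything that is not a plain leaf name closes this in one condition: `if header.Filename == "" || header.Filename == "." || header.Filename == ".." || filepath.Base(header.Filename) != header.Filename {`, with the same test on `filename` in apiDeleteImage; on Go 1.20+ `!filepath.IsLocal(name)` can stand in for the `..` comparison. Since the guard now appears in two handlers, a small `isSafeFilename(name string) bool` helper in this file would keep both checks identical and give the rule one place to be documented. Both enclosing handlers start and end outside their hunks.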


@ -146,7 +146,7 @@
</form>
</details>
<div id="lag" style="display:none;">lag...</div>
<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
</nav>
</body>
<script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>