fic/server
1
0
Fork 0
Code Issues Pull Requests 8 Releases Wiki Activity

admin: public sid can't contains / to avoid path traversal

Browse Source
This commit is contained in:
nemunaire 2024-03-14 12:38:28 +01:00
parent 19481962d5
commit ad72eb0b95
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
admin/api/public.go
View File

@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"os" "os"
"path" "path"
"strings"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
) )
@ -65,6 +66,11 @@ func savePublicTo(path string, s FICPublicDisplay) error {
} }
func getPublic(c *gin.Context) { func getPublic(c *gin.Context) {
if strings.Contains(c.Params.ByName("sid"), "/") {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "sid cannot contains /"})
return
}
if _, err := os.Stat(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid")))); !os.IsNotExist(err) { if _, err := os.Stat(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid")))); !os.IsNotExist(err) {
p, err := readPublic(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid")))) p, err := readPublic(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid"))))
if err != nil { if err != nil {
@ -81,6 +87,11 @@ func getPublic(c *gin.Context) {
} }
func deletePublic(c *gin.Context) { func deletePublic(c *gin.Context) {
if strings.Contains(c.Params.ByName("sid"), "/") {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "sid cannot contains /"})
return
}
if err := savePublicTo(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid"))), FICPublicDisplay{}); err != nil { if err := savePublicTo(path.Join(DashboardDir, fmt.Sprintf("public%s.json", c.Params.ByName("sid"))), FICPublicDisplay{}); err != nil {
log.Println("Unable to deletePublic:", err.Error()) log.Println("Unable to deletePublic:", err.Error())
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during scene deletion."}) c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during scene deletion."})
@ -91,6 +102,11 @@ func deletePublic(c *gin.Context) {
} }
func savePublic(c *gin.Context) { func savePublic(c *gin.Context) {
if strings.Contains(c.Params.ByName("sid"), "/") {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "sid cannot contains /"})
return
}
var scenes FICPublicDisplay var scenes FICPublicDisplay
err := c.ShouldBindJSON(&scenes) err := c.ShouldBindJSON(&scenes)
if err != nil { if err != nil {