
Commit 5ee0090

committed
Signed-off-by: Daniel <845765@qq.com>
1 parent 79264d3 commit 5ee0090

3 files changed

Lines changed: 67 additions & 28 deletions


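--- a/kernel/api/import.go
+++ b/kernel/api/import.go
@@ -68,8 +68,17 @@ func importSY(c *gin.Context) {
 ret.Msg = err.Error()
 return
 }
-writePath := filepath.Join(util.TempDir, "import", file.Filename)
+
+writePath := filepath.Join(importDir, file.Filename)
+if !util.IsSubPath(importDir, writePath) {
+logging.LogErrorf("import path [%s] is not sub path of import dir [%s]", writePath, importDir)
+ret.Code = -1
+ret.Msg = "import path is not sub path of import dir"
+return
+}
+
 defer os.RemoveAll(writePath)
+
 writer, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)
 if err != nil {
 logging.LogErrorf("open import .sy.zip [%s] failed: %s", writePath, err)
@@ -119,14 +128,14 @@ func importData(c *gin.Context) {
 return
 }
 
-tmpImport := filepath.Join(util.TempDir, "import")
-err = os.MkdirAll(tmpImport, 0755)
+importDir := filepath.Join(util.TempDir, "import")
+err = os.MkdirAll(importDir, 0755)
 if err != nil {
 ret.Code = -1
 ret.Msg = "create temp import dir failed"
 return
 }
-dataZipPath := filepath.Join(tmpImport, util.CurrentTimeSecondsStr()+".zip")
+dataZipPath := filepath.Join(importDir, util.CurrentTimeSecondsStr()+".zip")
 defer os.RemoveAll(dataZipPath)
 dataZipFile, err := os.Create(dataZipPath)
 if err != nil {
@@ -225,8 +234,17 @@ func importZipMd(c *gin.Context) {
 ret.Msg = err.Error()
 return
 }
+
 writePath := filepath.Join(util.TempDir, "import", file.Filename)
+if !util.IsSubPath(importDir, writePath) {
+logging.LogErrorf("import path [%s] is not sub path of import dir [%s]", writePath, importDir)
+ret.Code = -1
+ret.Msg = "import path is not sub path of import dir"
+return
+}
+
 defer os.RemoveAll(writePath)
+
 writer, err := os.OpenFile(writePath, os.O_RDWR|os.O_CREATE, 0644)
 if err != nil {
 logging.LogErrorf("open import .zip [%s] failed: %s", writePath, err)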
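Review bot: In the importZipMd hunk (new line 238) `writePath` is still joined from `util.TempDir, "import"` while the new guard compares it against `importDir`, so the checked base and the written base match only if `importDir`, which is declared outside both hunks, is built from the same join. Writing it as `writePath := filepath.Join(importDir, file.Filename)`, as the importSY hunk now does, ties the two together. The same seven-line guard is also pasted into importSyncProviderWebDAV, importSyncProviderS3 and importConf; a small shared helper that returns the joined path and a bool would stop the copies drifting apart like this. Because `writePath` derives from the client-supplied filename, `%q` instead of `[%s]` in the `LogErrorf` call would keep control characters out of the log line.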

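--- a/kernel/api/sync.go
+++ b/kernel/api/sync.go
@@ -79,8 +79,15 @@ func importSyncProviderWebDAV(c *gin.Context) {
 return
 }
 
-tmp := filepath.Join(importDir, f.Filename)
-if err = os.WriteFile(tmp, data, 0644); err != nil {
+writePath := filepath.Join(importDir, f.Filename)
+if !util.IsSubPath(importDir, writePath) {
+logging.LogErrorf("import path [%s] is not sub path of import dir [%s]", writePath, importDir)
+ret.Code = -1
+ret.Msg = "import path is not sub path of import dir"
+return
+}
+
+if err = os.WriteFile(writePath, data, 0644); err != nil {
 logging.LogErrorf("import WebDAV provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -89,15 +96,15 @@ func importSyncProviderWebDAV(c *gin.Context) {
 
 tmpDir := filepath.Join(importDir, "webdav")
 os.RemoveAll(tmpDir)
-if strings.HasSuffix(strings.ToLower(tmp), ".zip") {
-if err = gulu.Zip.Unzip(tmp, tmpDir); err != nil {
+if strings.HasSuffix(strings.ToLower(writePath), ".zip") {
+if err = gulu.Zip.Unzip(writePath, tmpDir); err != nil {
 logging.LogErrorf("import WebDAV provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
 return
 }
-} else if strings.HasSuffix(strings.ToLower(tmp), ".json") {
-if err = gulu.File.CopyFile(tmp, filepath.Join(tmpDir, f.Filename)); err != nil {
+} else if strings.HasSuffix(strings.ToLower(writePath), ".json") {
+if err = gulu.File.CopyFile(writePath, filepath.Join(tmpDir, f.Filename)); err != nil {
 logging.LogErrorf("import WebDAV provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -124,8 +131,8 @@ func importSyncProviderWebDAV(c *gin.Context) {
 return
 }
 
-tmp = filepath.Join(tmpDir, entries[0].Name())
-data, err = os.ReadFile(tmp)
+writePath = filepath.Join(tmpDir, entries[0].Name())
+data, err = os.ReadFile(writePath)
 if err != nil {
 logging.LogErrorf("import WebDAV provider failed: %s", err)
 ret.Code = -1
@@ -265,8 +272,15 @@ func importSyncProviderS3(c *gin.Context) {
 return
 }
 
-tmp := filepath.Join(importDir, f.Filename)
-if err = os.WriteFile(tmp, data, 0644); err != nil {
+writePath := filepath.Join(importDir, f.Filename)
+if !util.IsSubPath(importDir, writePath) {
+logging.LogErrorf("import path [%s] is not sub path of import dir [%s]", writePath, importDir)
+ret.Code = -1
+ret.Msg = "import path is not sub path of import dir"
+return
+}
+
+if err = os.WriteFile(writePath, data, 0644); err != nil {
 logging.LogErrorf("import S3 provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -275,15 +289,15 @@ func importSyncProviderS3(c *gin.Context) {
 
 tmpDir := filepath.Join(importDir, "s3")
 os.RemoveAll(tmpDir)
-if strings.HasSuffix(strings.ToLower(tmp), ".zip") {
-if err = gulu.Zip.Unzip(tmp, tmpDir); err != nil {
+if strings.HasSuffix(strings.ToLower(writePath), ".zip") {
+if err = gulu.Zip.Unzip(writePath, tmpDir); err != nil {
 logging.LogErrorf("import S3 provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
 return
 }
-} else if strings.HasSuffix(strings.ToLower(tmp), ".json") {
-if err = gulu.File.CopyFile(tmp, filepath.Join(tmpDir, f.Filename)); err != nil {
+} else if strings.HasSuffix(strings.ToLower(writePath), ".json") {
+if err = gulu.File.CopyFile(writePath, filepath.Join(tmpDir, f.Filename)); err != nil {
 logging.LogErrorf("import S3 provider failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -310,8 +324,8 @@ func importSyncProviderS3(c *gin.Context) {
 return
 }
 
-tmp = filepath.Join(tmpDir, entries[0].Name())
-data, err = os.ReadFile(tmp)
+writePath = filepath.Join(tmpDir, entries[0].Name())
+data, err = os.ReadFile(writePath)
 if err != nil {
 logging.LogErrorf("import S3 provider failed: %s", err)
 ret.Code = -1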
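Review bot: The new `util.IsSubPath` guard validates only the upload's own filename; for a `.zip` upload the archive's entries are then extracted by `gulu.Zip.Unzip(writePath, tmpDir)` with no check visible here that each entry stays under `tmpDir`. Whether entry names that resolve outside the destination are rejected is decided inside that helper, which these hunks do not show, so it should be confirmed before treating the import as contained. The same applies to the S3 handler in this file and to importConf in kernel/api/system.go. Separately, `writePath` is reassigned to `filepath.Join(tmpDir, entries[0].Name())` and only passed to `os.ReadFile`; a distinct variable such as `readPath` would make clear that this second path is not the one the guard covered.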

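--- a/kernel/api/system.go
+++ b/kernel/api/system.go
@@ -441,8 +441,15 @@ func importConf(c *gin.Context) {
 return
 }
 
-tmp := filepath.Join(importDir, f.Filename)
-if err = os.WriteFile(tmp, data, 0644); err != nil {
+writePath := filepath.Join(importDir, f.Filename)
+if !util.IsSubPath(importDir, writePath) {
+logging.LogErrorf("import path [%s] is not sub path of import dir [%s]", writePath, importDir)
+ret.Code = -1
+ret.Msg = "import path is not sub path of import dir"
+return
+}
+
+if err = os.WriteFile(writePath, data, 0644); err != nil {
 logging.LogErrorf("import conf failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -451,15 +458,15 @@ func importConf(c *gin.Context) {
 
 tmpDir := filepath.Join(importDir, "conf")
 os.RemoveAll(tmpDir)
-if strings.HasSuffix(strings.ToLower(tmp), ".zip") {
-if err = gulu.Zip.Unzip(tmp, tmpDir); err != nil {
+if strings.HasSuffix(strings.ToLower(writePath), ".zip") {
+if err = gulu.Zip.Unzip(writePath, tmpDir); err != nil {
 logging.LogErrorf("import conf failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
 return
 }
-} else if strings.HasSuffix(strings.ToLower(tmp), ".json") {
-if err = gulu.File.CopyFile(tmp, filepath.Join(tmpDir, f.Filename)); err != nil {
+} else if strings.HasSuffix(strings.ToLower(writePath), ".json") {
+if err = gulu.File.CopyFile(writePath, filepath.Join(tmpDir, f.Filename)); err != nil {
 logging.LogErrorf("import conf failed: %s", err)
 ret.Code = -1
 ret.Msg = err.Error()
@@ -486,8 +493,8 @@ func importConf(c *gin.Context) {
 return
 }
 
-tmp = filepath.Join(tmpDir, entries[0].Name())
-data, err = os.ReadFile(tmp)
+writePath = filepath.Join(tmpDir, entries[0].Name())
+data, err = os.ReadFile(writePath)
 if err != nil {
 logging.LogErrorf("import conf failed: %s", err)
 ret.Code = -1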
