more sanitize

André Roth
2024-10-11 13:37:33 +02:00
parent 7742980426
commit cefc09a41b
5 changed files with 22 additions and 15 deletions
+5 -5
@@ -73,7 +73,7 @@ func apiFilesUpload(c *gin.Context) {
return return
} }
path := filepath.Join(context.UploadPath(), utils.PathSanitize(c.Params.ByName("dir"))) path := filepath.Join(context.UploadPath(), utils.SanitizePath(c.Params.ByName("dir")))
err := os.MkdirAll(path, 0777) err := os.MkdirAll(path, 0777)
if err != nil { if err != nil {
@@ -129,7 +129,7 @@ func apiFilesListFiles(c *gin.Context) {
list := []string{} list := []string{}
listLock := &sync.Mutex{} listLock := &sync.Mutex{}
root := filepath.Join(context.UploadPath(), utils.PathSanitize(c.Params.ByName("dir"))) root := filepath.Join(context.UploadPath(), utils.SanitizePath(c.Params.ByName("dir")))
err := filepath.Walk(root, func(path string, _ os.FileInfo, err error) error { err := filepath.Walk(root, func(path string, _ os.FileInfo, err error) error {
if err != nil { if err != nil {
@@ -165,7 +165,7 @@ func apiFilesDeleteDir(c *gin.Context) {
return return
} }
err := os.RemoveAll(filepath.Join(context.UploadPath(), utils.PathSanitize(c.Params.ByName("dir")))) err := os.RemoveAll(filepath.Join(context.UploadPath(), utils.SanitizePath(c.Params.ByName("dir"))))
if err != nil { if err != nil {
AbortWithJSONError(c, 500, err) AbortWithJSONError(c, 500, err)
return return
@@ -180,8 +180,8 @@ func apiFilesDeleteFile(c *gin.Context) {
return return
} }
dir := utils.PathSanitize(c.Params.ByName("dir")) dir := utils.SanitizePath(c.Params.ByName("dir"))
name := utils.PathSanitize(c.Params.ByName("name")) name := utils.SanitizePath(c.Params.ByName("name"))
if !verifyPath(name) { if !verifyPath(name) {
AbortWithJSONError(c, 400, fmt.Errorf("wrong file")) AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
return return
+5
@@ -8,6 +8,7 @@ import (
"strings" "strings"
"github.com/aptly-dev/aptly/pgp" "github.com/aptly-dev/aptly/pgp"
"github.com/aptly-dev/aptly/utils"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
) )
@@ -23,6 +24,10 @@ func apiGPGAddKey(c *gin.Context) {
if c.Bind(&b) != nil { if c.Bind(&b) != nil {
return return
} }
b.Keyserver = utils.SanitizePath(b.Keyserver)
b.GpgKeyID = utils.SanitizePath(b.GpgKeyID)
b.GpgKeyArmor = utils.SanitizePath(b.GpgKeyArmor)
// b.Keyring can be an absolute path
var err error var err error
args := []string{"--no-default-keyring", "--allow-non-selfsigned-uid"} args := []string{"--no-default-keyring", "--allow-non-selfsigned-uid"}
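Review bot: SanitizePath is a path filter, but Keyserver, GpgKeyID and GpgKeyArmor on the three added lines are not paths, and a blocklist that drops `..`, `$` and backticks does not validate them. If these values end up in the `args` slice handed to a gpg process (the rest of apiGPGAddKey is outside the hunk), a key ID beginning with `-` would still be read by gpg as an option, and shell metacharacters only matter if the command goes through a shell, which the hunk does not show. Validating instead of stripping is the safer shape here: parse Keyserver with `url.Parse` and reject anything that is not an expected scheme, accept GpgKeyID only when it matches a hex key-ID pattern (for example `^(0x)?[0-9A-Fa-f]{8,40}$`, assuming key IDs are always hex in this API), and leave GpgKeyArmor to the PGP parser, since armor blocks and their comment lines can legitimately contain the stripped characters. The added comment `// b.Keyring can be an absolute path` would read better as `// b.Keyring is intentionally not sanitized: an absolute keyring path is allowed`.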
+4 -4
@@ -44,10 +44,10 @@ func getSigner(options *SigningOptions) (pgp.Signer, error) {
return signer, nil return signer, nil
} }
// Replace '_' with '/' and double '__' with single '_', PathSanitize // Replace '_' with '/' and double '__' with single '_', SanitizePath
func slashEscape(path string) string { func slashEscape(path string) string {
result := strings.Replace(strings.Replace(path, "_", "/", -1), "//", "_", -1) result := strings.Replace(strings.Replace(path, "_", "/", -1), "//", "_", -1)
result = utils.PathSanitize(result) result = utils.SanitizePath(result)
if result == "" { if result == "" {
result = "." result = "."
} }
@@ -115,7 +115,7 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
return return
} }
b.Distribution = utils.PathSanitize(b.Distribution) b.Distribution = utils.SanitizePath(b.Distribution)
signer, err := getSigner(&b.Signing) signer, err := getSigner(&b.Signing)
if err != nil { if err != nil {
@@ -254,7 +254,7 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
func apiPublishUpdateSwitch(c *gin.Context) { func apiPublishUpdateSwitch(c *gin.Context) {
param := slashEscape(c.Params.ByName("prefix")) param := slashEscape(c.Params.ByName("prefix"))
storage, prefix := deb.ParsePrefix(param) storage, prefix := deb.ParsePrefix(param)
distribution := utils.PathSanitize(c.Params.ByName("distribution")) distribution := utils.SanitizePath(c.Params.ByName("distribution"))
var b struct { var b struct {
ForceOverwrite bool ForceOverwrite bool
+4 -4
@@ -343,8 +343,8 @@ func apiReposPackageFromDir(c *gin.Context) {
return return
} }
dirParam := utils.PathSanitize(c.Params.ByName("dir")) dirParam := utils.SanitizePath(c.Params.ByName("dir"))
fileParam := utils.PathSanitize(c.Params.ByName("file")) fileParam := utils.SanitizePath(c.Params.ByName("file"))
if fileParam != "" && !verifyPath(fileParam) { if fileParam != "" && !verifyPath(fileParam) {
AbortWithJSONError(c, 400, fmt.Errorf("wrong file")) AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
return return
@@ -620,8 +620,8 @@ func apiReposIncludePackageFromDir(c *gin.Context) {
var sources []string var sources []string
var taskName string var taskName string
dirParam := utils.PathSanitize(c.Params.ByName("dir")) dirParam := utils.SanitizePath(c.Params.ByName("dir"))
fileParam := utils.PathSanitize(c.Params.ByName("file")) fileParam := utils.SanitizePath(c.Params.ByName("file"))
if fileParam != "" && !verifyPath(fileParam) { if fileParam != "" && !verifyPath(fileParam) {
AbortWithJSONError(c, 400, fmt.Errorf("wrong file")) AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
return return
+4 -2
@@ -24,9 +24,11 @@ func DirIsAccessible(filename string) error {
return nil return nil
} }
// Remove leading '/', remove '..' // Remove leading '/', remove '..', '$' and '`'
func PathSanitize(path string) (result string) { func SanitizePath(path string) (result string) {
result = strings.Replace(path, "..", "", -1) result = strings.Replace(path, "..", "", -1)
result = strings.Replace(result, "$", "", -1)
result = strings.Replace(result, "`", "", -1)
result = strings.TrimLeft(result, "/") result = strings.TrimLeft(result, "/")
return return
} }
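Review bot: The replacement order in SanitizePath still lets a `..` through: `..` is removed first, and the later removal of `$` or a backtick can join two dots that were separated by that character (`.$.` becomes `..`), so the leading-`/` trim and every filepath.Join caller then see a parent reference again. Removing the single characters first and `..` last closes that gap, because stripping `..` left to right never leaves two adjacent dots behind: `result = strings.ReplaceAll(strings.ReplaceAll(path, "$", ""), "`", "")`, `result = strings.ReplaceAll(result, "..", "")`, `result = strings.TrimLeft(result, "/")` (ReplaceAll needs Go 1.12+; keep strings.Replace with -1 otherwise). Stripping also silently renames legitimate inputs such as `foo..tar`, so returning an error for a value that contains `..`, or checking that the joined path stays under the upload root, would give callers a signal instead of a changed name. The doc comment should also state that the result is only safe as a relative path joined under a trusted root, since that is the one guarantee this function offers.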