Skip to content

Commit

Permalink
security issue - CVE-2023-29401
Browse files Browse the repository at this point in the history
Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function

References
gin-gonic/gin#3555
gin-gonic/gin#3556
https://pkg.go.dev/vuln/GO-2023-1737

Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
  • Loading branch information
alireza0 and MHSanaei committed May 15, 2023
1 parent 33e41f1 commit bcb90ac
Showing 1 changed file with 14 additions and 1 deletion.
15 changes: 14 additions & 1 deletion web/controller/server.go
Original file line number Diff line number Diff line change
@@ -1,13 +1,18 @@
package controller

import (
"fmt"
"net/http"
"regexp"
"time"
"x-ui/web/global"
"x-ui/web/service"

"github.com/gin-gonic/gin"
)

var filenameRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-.]+$`)

type ServerController struct {
BaseController

Expand Down Expand Up @@ -136,9 +141,17 @@ func (a *ServerController) getDb(c *gin.Context) {
jsonMsg(c, "get Database", err)
return
}

filename := "x-ui.db"

if !filenameRegex.MatchString(filename) {
c.AbortWithError(http.StatusBadRequest, fmt.Errorf("invalid filename"))
return
}

// Set the headers for the response
c.Header("Content-Type", "application/octet-stream")
c.Header("Content-Disposition", "attachment; filename=x-ui.db")
c.Header("Content-Disposition", "attachment; filename="+filename)

// Write the file contents to the response
c.Writer.Write(db)
Expand Down

0 comments on commit bcb90ac

Please sign in to comment.