From bcb90ac14aafd5d828f0d227456301c08a31ace4 Mon Sep 17 00:00:00 2001 From: Alireza Ahmadi Date: Mon, 15 May 2023 20:41:24 +0200 Subject: [PATCH] security issue - CVE-2023-29401 Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function References gin-gonic/gin#3555 gin-gonic/gin#3556 https://pkg.go.dev/vuln/GO-2023-1737 Co-authored-by: MHSanaei
---
 web/controller/server.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/web/controller/server.go b/web/controller/server.go
index 9e649e6ca2..7122d0cea7 100644
--- a/web/controller/server.go
+++ b/web/controller/server.go
@@ -1,6 +1,9 @@
 package controller

 import (
+ "fmt"
+ "net/http"
+ "regexp"
 "time"
 "x-ui/web/global"
 "x-ui/web/service"
@@ -8,6 +11,8 @@ import (
 "github.com/gin-gonic/gin"
 )

+var filenameRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-.]+$`)
+
 type ServerController struct {
 BaseController

@@ -136,9 +141,17 @@ func (a *ServerController) getDb(c *gin.Context) {
 jsonMsg(c, "get Database", err)
 return
 }
+
+ filename := "x-ui.db"
+
+ if !filenameRegex.MatchString(filename) {
+ c.AbortWithError(http.StatusBadRequest, fmt.Errorf("invalid filename"))
+ return
+ }
+
 // Set the headers for the response
 c.Header("Content-Type", "application/octet-stream")
- c.Header("Content-Disposition", "attachment; filename=x-ui.db")
+ c.Header("Content-Disposition", "attachment; filename="+filename)
 // Write the file contents to the response
 c.Writer.Write(db)
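Review bot: `filenameRegex` is a new package-level value with no doc comment, and its pattern deserves one because it allow-lists rather than escapes: `^[a-zA-Z0-9_\-.]+$` rejects spaces, quotes, `;`, CR/LF and any non-ASCII name, which is what keeps an unescaped value out of the Content-Disposition header. I would add `// filenameRegex allow-lists the characters accepted in a download filename before it is placed in a Content-Disposition header (mitigation for CVE-2023-29401); anything else is rejected rather than escaped.` The only use in this patch, in getDb in the last hunk, checks the literal `"x-ui.db"`, so the guard cannot currently fail; if it is intended for future caller-supplied names, the comment should say so. The pattern also admits dot-only names such as `..`, which is harmless in a header value but would matter if the same regex were later reused to validate a filesystem path.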