Only serve image files on ./image
This is an addition to the existing XSS fix in the previous commit.
jmattheis committed Dec 29, 2022
1 parent 022603d commit 33d86e4
Showing 2 changed files with 29 additions and 9 deletions.
15 changes: 10 additions & 5 deletions api/application.go
Expand Up @@ -328,11 +328,7 @@ func (a *ApplicationAPI) UploadApplicationImage(ctx *gin.Context) {
}

ext := filepath.Ext(file.Filename)

switch ext {
case ".gif", ".png", ".jpg", ".jpeg":
// ok
default:
if !ValidApplicationImageExt(ext) {
ctx.AbortWithError(400, errors.New("invalid file extension"))
return
}
Expand Down Expand Up @@ -391,3 +387,12 @@ func generateNonExistingImageName(imgDir string, gen func() string) string {
}
}
}

func ValidApplicationImageExt(ext string) bool {
switch ext {
case ".gif", ".png", ".jpg", ".jpeg":
return true
default:
return false
}
}
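Review bot: `ValidApplicationImageExt` is now exported and shared with the router but has no doc comment, and its contract (leading dot included, case-sensitive) is exactly what a second caller needs to know; suggested: `// ValidApplicationImageExt reports whether ext (with its leading dot, as returned by filepath.Ext) is one of the image extensions accepted for upload and served from /image. The comparison is case-sensitive, so ".PNG" is rejected.` Case-sensitivity is consistent on both sides, so it only needs stating, not changing. The check in `UploadApplicationImage` still keys off the client-supplied filename alone; whether the uploaded bytes are ever inspected is not visible here, as that function starts and ends outside the hunk.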
23 changes: 19 additions & 4 deletions router/router.go
Expand Up @@ -2,6 +2,8 @@ package router

import (
"fmt"
"net/http"
"path/filepath"
"regexp"
"time"

Expand All @@ -14,7 +16,7 @@ import (
"github.com/gotify/server/v2/config"
"github.com/gotify/server/v2/database"
"github.com/gotify/server/v2/docs"
"github.com/gotify/server/v2/error"
gerror "github.com/gotify/server/v2/error"
"github.com/gotify/server/v2/model"
"github.com/gotify/server/v2/plugin"
"github.com/gotify/server/v2/ui"
Expand All @@ -24,8 +26,8 @@ import (
func Create(db *database.GormDatabase, vInfo *model.VersionInfo, conf *config.Configuration) (*gin.Engine, func()) {
g := gin.New()

g.Use(gin.LoggerWithFormatter(logFormatter), gin.Recovery(), error.Handler(), location.Default())
g.NoRoute(error.NotFound())
g.Use(gin.LoggerWithFormatter(logFormatter), gin.Recovery(), gerror.Handler(), location.Default())
g.NoRoute(gerror.NotFound())

streamHandler := stream.New(time.Duration(conf.Server.Stream.PingPeriodSeconds)*time.Second, 15*time.Second, conf.Server.Stream.AllowedOrigins)
authentication := auth.Auth{DB: db}
Expand Down Expand Up @@ -61,7 +63,8 @@ func Create(db *database.GormDatabase, vInfo *model.VersionInfo, conf *config.Co

g.GET("/health", healthHandler.Health)
g.GET("/swagger", docs.Serve)
g.Static("/image", conf.UploadedImagesDir)
g.StaticFS("/image", &onlyImageFS{inner: gin.Dir(conf.UploadedImagesDir, false)})

g.GET("/docs", docs.UI)

g.Use(func(ctx *gin.Context) {
Expand Down Expand Up @@ -194,3 +197,15 @@ func logFormatter(param gin.LogFormatterParams) string {
param.ErrorMessage,
)
}

type onlyImageFS struct {
inner http.FileSystem
}

func (fs *onlyImageFS) Open(name string) (http.File, error) {
ext := filepath.Ext(name)
if !api.ValidApplicationImageExt(ext) {
return nil, fmt.Errorf("invalid file")
}
return fs.inner.Open(name)
}
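Review bot: `onlyImageFS.Open` returns a bare `fmt.Errorf("invalid file")` for every rejected name, and `http.FileServer` (which gin's `StaticFS` appears to wrap) maps any error that is not `ErrNotExist`/`ErrPermission` to a 500, so probing `/image/`, `/image/x.txt` or `/image/x.svg` produces an internal-server-error response and an error log line instead of a plain 404. Return the sentinel the file server understands: `return nil, os.ErrNotExist` (add `"os"` to the import block; `fs.ErrNotExist` from `io/fs` is the same value). Because `name` is the slash-separated request path rather than an OS path, `path.Ext` is the more accurate call than `filepath.Ext`, though the result is the same for the extensions in question. The type also deserves a doc comment, e.g. `// onlyImageFS wraps an http.FileSystem and refuses to open any name whose extension is not an accepted application image extension, so only uploaded images are served from /image.`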
