
fix: validate filepath in request #3248

Merged
merged 3 commits into from
Sep 29, 2024
5 changes: 5 additions & 0 deletions internal/server/async_rest.go
Expand Up @@ -23,6 +23,7 @@
"github.com/gorilla/mux"

"github.com/lf-edge/ekuiper/v2/internal/pkg/async"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

const (
Expand All @@ -44,6 +45,10 @@
handleError(w, err, "Invalid body: Error decoding json", logger)
return
}
if err := validate.ValidatePath(rsi.FilePath); err != nil {
handleError(w, err, "Invalid file path", logger)
return
}

Check warning on line 51 in internal/server/async_rest.go


Codecov / codecov/patch

internal/server/async_rest.go#L48-L51

Added lines #L48 - L51 were not covered by tests
taskID, err := handleDataImportAsyncTask(rsi, partial, stop)
if err != nil {
handleError(w, err, "", logger)
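Review bot: The message passed to handleError here, `"Invalid file path"`, does not follow the convention the sibling hunks in this PR use — import_export.go, plugin_init.go, rest.go, schema_init.go and service_init.go all pass `""` and let the ValidatePath error text stand on its own. Either convention is fine, but the same rejection should be reported the same way from every endpoint; if the explicit message is preferred, carry it to the other five call sites. The enclosing handler starts before this hunk and continues after it. The Codecov annotation shows the new branch is untested; a request body whose FilePath holds a `..` segment is a one-line table case that would cover it.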
6 changes: 6 additions & 0 deletions internal/server/import_export.go
Expand Up @@ -33,6 +33,7 @@
"github.com/lf-edge/ekuiper/v2/pkg/ast"
"github.com/lf-edge/ekuiper/v2/pkg/cast"
"github.com/lf-edge/ekuiper/v2/pkg/infra"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

type ConfManager interface {
Expand Down Expand Up @@ -401,6 +402,11 @@
handleError(w, err, "Invalid body: Error decoding json", logger)
return
}
if err := validate.ValidatePath(rsi.FilePath); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 408 in internal/server/import_export.go


Codecov / codecov/patch

internal/server/import_export.go#L406-L408

Added lines #L406 - L408 were not covered by tests

result, err := handleConfigurationImport(context.Background(), rsi, partial, stop)
if err != nil {
if result != nil && err.Error() == ProcessErr {
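Review bot: ValidatePath only rejects a `..` substring, so an absolute `rsi.FilePath` passes this check unchanged; whether that is acceptable depends on what handleConfigurationImport does with the value, which is outside the hunk. If the import is meant to read only from a server-controlled directory, containment should be enforced where the path is joined to that directory (the cleaned, joined result checked against the base with `filepath.Rel`) rather than by this pre-check alone; if absolute paths are a supported input, a short comment above the check saying so, e.g. `// ValidatePath blocks traversal segments only; absolute paths are accepted here by design`, would spare the next reader the same question. The same pattern appears in plugin_init.go (`sd.GetFile()`), schema_init.go (`sch.FilePath`) and service_init.go (`sd.File`). The enclosing handler starts before this hunk and continues after it.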
6 changes: 6 additions & 0 deletions internal/server/plugin_init.go
Expand Up @@ -33,6 +33,7 @@
"github.com/lf-edge/ekuiper/v2/internal/plugin"
"github.com/lf-edge/ekuiper/v2/internal/plugin/native"
"github.com/lf-edge/ekuiper/v2/pkg/errorx"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

var nativeManager *native.Manager
Expand Down Expand Up @@ -85,6 +86,11 @@
handleError(w, err, fmt.Sprintf("Invalid body: Error decoding the %s plugin json", plugin.PluginTypes[t]), logger)
return
}
if err := validate.ValidatePath(sd.GetFile()); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 92 in internal/server/plugin_init.go


Codecov / codecov/patch

internal/server/plugin_init.go#L90-L92

Added lines #L90 - L92 were not covered by tests

err = nativeManager.Register(t, sd)
if err != nil {
handleError(w, err, fmt.Sprintf("%s plugins create command error", plugin.PluginTypes[t]), logger)
11 changes: 10 additions & 1 deletion internal/server/rest.go
Expand Up @@ -49,6 +49,7 @@
"github.com/lf-edge/ekuiper/v2/pkg/kv"
"github.com/lf-edge/ekuiper/v2/pkg/memory"
"github.com/lf-edge/ekuiper/v2/pkg/tracer"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

const (
Expand Down Expand Up @@ -340,7 +341,10 @@
handleError(w, err, "Invalid body: missing necessary field", logger)
return
}

if err := validate.ValidatePath(fc.FilePath); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 347 in internal/server/rest.go


Codecov / codecov/patch

internal/server/rest.go#L345-L347

Added lines #L345 - L347 were not covered by tests
filePath := filepath.Join(uploadDir, fc.Name)
err = upload(fc)
if err != nil {
Expand Down Expand Up @@ -404,6 +408,11 @@
vars := mux.Vars(r)
name := vars["name"]
filePath := filepath.Join(uploadDir, name)
if err := validate.ValidatePath(filePath); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 414 in internal/server/rest.go


Codecov / codecov/patch

internal/server/rest.go#L412-L414

Added lines #L412 - L414 were not covered by tests

e := os.Remove(filePath)
if e != nil {
handleError(w, e, "Error deleting the file", logger)
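Review bot: In the second hunk (the delete handler, new lines 411–414), ValidatePath is applied to `filePath` after `filepath.Join(uploadDir, name)` has already run, and Join cleans its result, so a `..` segment in the caller-supplied `name` can be resolved away before the check sees it — the check then cannot detect what it was added to reject. Validate the raw value before joining, `if err := validate.ValidatePath(name); err != nil { handleError(w, err, "", logger); return }`, or, more robustly, confirm after the join that `filepath.Rel(uploadDir, filePath)` does not start with `..`. In the first hunk the check covers `fc.FilePath`, while the value that feeds `filepath.Join(uploadDir, fc.Name)` on the following line is `fc.Name`; if fc.Name is not constrained elsewhere it needs the same treatment. Both enclosing handlers start before their hunks and continue after them.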
5 changes: 5 additions & 0 deletions internal/server/schema_init.go
Expand Up @@ -27,6 +27,7 @@
"github.com/lf-edge/ekuiper/v2/internal/pkg/def"
"github.com/lf-edge/ekuiper/v2/internal/schema"
"github.com/lf-edge/ekuiper/v2/pkg/errorx"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

func init() {
Expand Down Expand Up @@ -70,6 +71,10 @@
handleError(w, err, "Invalid body: Error decoding schema json", logger)
return
}
if err := validate.ValidatePath(sch.FilePath); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 77 in internal/server/schema_init.go


Codecov / codecov/patch

internal/server/schema_init.go#L75-L77

Added lines #L75 - L77 were not covered by tests
if err = sch.Validate(); err != nil {
handleError(w, nil, "Invalid body", logger)
return
5 changes: 5 additions & 0 deletions internal/server/service_init.go
Expand Up @@ -27,6 +27,7 @@
"github.com/lf-edge/ekuiper/v2/internal/binder"
"github.com/lf-edge/ekuiper/v2/internal/service"
"github.com/lf-edge/ekuiper/v2/pkg/errorx"
"github.com/lf-edge/ekuiper/v2/pkg/validate"
)

var serviceManager *service.Manager
Expand Down Expand Up @@ -75,6 +76,10 @@
handleError(w, err, "Invalid body: Error decoding the %s service request payload", logger)
return
}
if err := validate.ValidatePath(sd.File); err != nil {
handleError(w, err, "", logger)
return
}

Check warning on line 82 in internal/server/service_init.go


Codecov / codecov/patch

internal/server/service_init.go#L79-L82

Added lines #L79 - L82 were not covered by tests
err = serviceManager.Create(sd)
if err != nil {
handleError(w, err, "service create command error", logger)
7 changes: 7 additions & 0 deletions pkg/validate/validate.go
Expand Up @@ -34,3 +34,10 @@ func ValidateID(id string) error {
}
return nil
}

func ValidatePath(path string) error {
if strings.Contains(path, "..") {
return fmt.Errorf("path: %s should not contain ..", path)
}
return nil
}
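Review bot: `strings.Contains(path, "..")` tests for a substring rather than a path segment, so a legitimate name such as `report..v2.json` is rejected while an absolute path passes without comment, and the exported ValidatePath carries no doc comment stating either fact. The error also formats user input with `%s`; `%q` makes an empty or whitespace-only value visible and escapes control characters in logs. A segment-wise check keeps the signature and return contract and needs no new import; callers that join the value under a base directory still have to confirm containment after the join, since this function cannot know the base. If rejecting absolute paths is acceptable for every caller, `filepath.IsLocal` (Go 1.20 or later) covers both concerns in one call.
```go
// ValidatePath rejects a caller-supplied path that contains a ".." segment.
// It compares segments, not substrings, so a name such as "a..b" is allowed.
// It does not reject absolute paths; a caller that confines the value to a
// base directory must verify containment after joining it to that directory.
func ValidatePath(path string) error {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(path, isSep) {
		if seg == ".." {
			return fmt.Errorf("path: %q should not contain ..", path)
		}
	}
	return nil
}
```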
5 changes: 5 additions & 0 deletions pkg/validate/validate_test.go
Expand Up @@ -49,3 +49,8 @@ func TestValidateRuleID(t *testing.T) {
require.Equal(t, tc.err, ValidateID(tc.id))
}
}

func TestValidatePath(t *testing.T) {
require.Error(t, ValidatePath("../a"))
require.NoError(t, ValidatePath("./a"))
}
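Review bot: The two cases pin only the leading-`..` form; a table covering a nested traversal segment (`"a/../b"`), a plain name that merely contains two dots (`"a..b"`), the empty string and an absolute path (`"/abs/file"`) would document which inputs the function is meant to reject, which is exactly what the six call sites in this PR depend on. With the current implementation `"a..b"` is rejected and `"/abs/file"` is accepted; whichever of those is intended should be asserted so a later change to ValidatePath cannot silently flip it.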