
Reject upload requests for .git paths

Fixes #107
Umar Getagazov 2021-10-27 12:43:36 +07:00
parent 742f34ae9a
commit 6eab333ba8
2 changed files with 9 additions and 4 deletions


@ -14,7 +14,7 @@ func canFactory(
dispatcher func(*hyphae.Hypha, *user.User, *l18n.Localizer) (string, string), dispatcher func(*hyphae.Hypha, *user.User, *l18n.Localizer) (string, string),
noRightsMsg string, noRightsMsg string,
notExistsMsg string, notExistsMsg string,
careAboutExistence bool, mustExist bool,
) func(*user.User, *hyphae.Hypha, *l18n.Localizer) (string, error) { ) func(*user.User, *hyphae.Hypha, *l18n.Localizer) (string, error) {
return func(u *user.User, h *hyphae.Hypha, lc *l18n.Localizer) (string, error) { return func(u *user.User, h *hyphae.Hypha, lc *l18n.Localizer) (string, error) {
if !u.CanProceed(action) { if !u.CanProceed(action) {
@ -22,7 +22,7 @@ func canFactory(
return lc.Get("ui.act_no_rights"), errors.New(lc.Get(noRightsMsg)) return lc.Get("ui.act_no_rights"), errors.New(lc.Get(noRightsMsg))
} }
if careAboutExistence && !h.Exists { if mustExist && !h.Exists {
rejectLogger(h, u, "does not exist") rejectLogger(h, u, "does not exist")
return lc.Get("ui.act_notexist"), errors.New(lc.Get(notExistsMsg)) return lc.Get("ui.act_notexist"), errors.New(lc.Get(notExistsMsg))
} }


@ -72,8 +72,7 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
originalFullPath = &h.TextPath originalFullPath = &h.TextPath
originalText = "" // for backlink update originalText = "" // for backlink update
) )
// Reject if the path is outside the hyphae dir if isBadPath(fullPath) {
if !strings.HasPrefix(fullPath, files.HyphaeDir()) {
err := errors.New("bad path") err := errors.New("bad path")
return hop.WithErrAbort(err), err.Error() return hop.WithErrAbort(err), err.Error()
} }
@ -110,3 +109,9 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
} }
return hop.WithFiles(fullPath).WithUser(u).Apply(), "" return hop.WithFiles(fullPath).WithUser(u).Apply(), ""
} }
func isBadPath(pathname string) bool {
return !strings.HasPrefix(pathname, files.HyphaeDir()) ||
strings.Contains(pathname, "..") ||
strings.Contains(pathname, "/.git/")
}
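Review bot: `strings.Contains(pathname, "/.git/")` in isBadPath only matches a `.git` directory that is followed by further components, so a pathname whose final component is `.git` (the directory itself, or a file with that name) is not rejected even though the commit's intent is to keep uploads out of the repository metadata. Comparing each slash-separated component against `.git` catches it at any position; the existing prefix and `..` checks are kept as they are. Note that `strings.Contains(pathname, "..")` rejects any hypha name containing two consecutive dots, not only parent-directory traversal, which may be intended but is worth a comment. The split uses `/` because the existing check already assumes slash-separated paths; uploadHelp begins outside the hunk, isBadPath is complete within it.
```go
func isBadPath(pathname string) bool {
	if !strings.HasPrefix(pathname, files.HyphaeDir()) || strings.Contains(pathname, "..") {
		return true
	}
	// Compare whole components so a .git directory at either end of the path is caught too.
	for _, part := range strings.Split(pathname, "/") {
		if part == ".git" {
			return true
		}
	}
	return false
}
```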