

Merge pull request kingwrcy#232 from xuewenG/fix/file-path-traversal
修复文件路径穿越漏洞
xuewenG authored Dec 11, 2024
2 parents b20997f + 43eeb84 commit 22082ae
Showing 3 changed files with 23 additions and 28 deletions.
14 changes: 1 addition & 13 deletions backend/handler/file.go
Expand Up @@ -32,18 +32,6 @@ func NewFileHandler(injector do.Injector) *FileHandler {
return &FileHandler{do.MustInvoke[BaseHandler](injector)}
}

func (f FileHandler) Get(c echo.Context) error {
filename := c.Param("filename")
if filename == "" {
return c.HTML(404, "not found")
}
fp := path.Join(f.base.cfg.UploadDir, filename)
if _, err := os.Stat(fp); errors.Is(err, os.ErrNotExist) {
return c.HTML(404, "not found")
}
return c.File(path.Join(f.base.cfg.UploadDir, filename))
}

// Upload godoc
//
// @Tags File
Expand Down Expand Up @@ -99,7 +87,7 @@ func (f FileHandler) Upload(c echo.Context) error {
if err := CompressImage(f, img_filepath, thumb_filepath, 30); err != nil {
f.base.log.Error().Msgf("压缩图片异常:%s", err)
}

result = append(result, "/upload/"+img_filename)
}
return SuccessResp(c, result)
10 changes: 4 additions & 6 deletions backend/main_prod.go
Expand Up @@ -79,15 +79,13 @@ func main() {
setupRouter(injector)

e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
Root: "public",
HTML5: true,
Root: "public", // because files are located in `web` directory in `webAssets` fs
IgnoreBase: false,
Browse: false,
Filesystem: http.FS(staticFiles),
Skipper: func(c echo.Context) bool {
if strings.HasPrefix(c.Request().URL.Path, "/swagger/") {
return true
}

return false
return strings.HasPrefix(c.Request().URL.Path, "/swagger/")
},
}))

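Review bot: The comment added on the `Root: "public",` line says the files sit in a `web` directory of a `webAssets` fs, but the Root it annotates is `public` and the Filesystem on the next lines is `http.FS(staticFiles)`; one of the names is stale and a reader cannot tell which. Suggest reconciling it to what the code shows, e.g. `Root: "public", // must match the directory exposed by the staticFiles fs`. Dropping `HTML5: true` from the same config also removes the index fallback for unknown paths, which neither the hunk nor the commit title (a path-traversal fix) explains; if it is intentional, a one-line comment saying why would spare the next maintainer a bisect. main() continues outside the hunk.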
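--- a/backend/router.go
+++ b/backend/router.go
@@ -4,6 +4,7 @@ import (
 "github.com/kingwrcy/moments/handler"
 "github.com/kingwrcy/moments/vo"
 "github.com/labstack/echo/v4"
+"github.com/labstack/echo/v4/middleware"
 "github.com/samber/do/v2"
 echoSwagger "github.com/swaggo/echo-swagger"
 )
@@ -18,16 +19,16 @@ func setupRouter(injector do.Injector) {
 e := do.MustInvoke[*echo.Echo](injector)
 cfg := do.MustInvoke[*vo.AppConfig](injector)
 
-api := e.Group("/api")
+apiGroup := e.Group("/api")
 
-userGroup := api.Group("/user")
+userGroup := apiGroup.Group("/user")
 userGroup.POST("/login", userHandler.Login)
 userGroup.POST("/reg", userHandler.Reg)
 userGroup.POST("/profile", userHandler.Profile)
 userGroup.POST("/profile/:username", userHandler.ProfileForUser)
 userGroup.POST("/saveProfile", userHandler.SaveProfile)
 
-memoGroup := api.Group("/memo")
+memoGroup := apiGroup.Group("/memo")
 memoGroup.POST("/list", memoHandler.ListMemos)
 memoGroup.POST("/save", memoHandler.SaveMemo)
 memoGroup.POST("/remove", memoHandler.RemoveMemo)
@@ -39,21 +40,29 @@ func setupRouter(injector do.Injector) {
 memoGroup.POST("/getDoubanBookInfo", memoHandler.GetDoubanBookInfo)
 memoGroup.POST("/removeImage", memoHandler.RemoveImage)
 
-commentGroup := api.Group("/comment")
+commentGroup := apiGroup.Group("/comment")
 commentGroup.POST("/add", commentHandler.AddComment)
 commentGroup.POST("/remove", commentHandler.RemoveComment)
 
-sycConfigGroup := api.Group("/sysConfig")
+sycConfigGroup := apiGroup.Group("/sysConfig")
 sycConfigGroup.POST("/save", sycConfigHandler.SaveConfig)
 sycConfigGroup.POST("/get", sycConfigHandler.GetConfig)
 sycConfigGroup.POST("/getFull", sycConfigHandler.GetFullConfig)
 
-tagGroup := api.Group("/tag")
+tagGroup := apiGroup.Group("/tag")
 tagGroup.POST("/list", tagHandler.List)
 
-e.GET("/upload/:filename", fileHandler.Get)
-e.POST("/api/file/upload", fileHandler.Upload)
-e.POST("/api/file/s3PreSigned", fileHandler.S3PreSigned)
+fileGroup := apiGroup.Group("/file")
+fileGroup.POST("/upload", fileHandler.Upload)
+fileGroup.POST("/s3PreSigned", fileHandler.S3PreSigned)
+
+uploadGroup := e.Group("/upload")
+uploadGroup.Use(middleware.StaticWithConfig(middleware.StaticConfig{
+Root: cfg.UploadDir,
+HTML5: false,
+IgnoreBase: true,
+Browse: false,
+}))
 
 if cfg.EnableSwagger {
 e.GET("/swagger/*", echoSwagger.WrapHandler)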
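Review bot: The new static middleware on `/upload` passes `Root: cfg.UploadDir` without checking that the value is set; echo's StaticWithConfig, as far as I recall, falls back to "." for an empty Root, so a missing or blank UploadDir would serve the process working directory under `/upload` instead of failing at startup. A guard just before the `uploadGroup := e.Group("/upload")` line would make the misconfiguration loud: `if cfg.UploadDir == "" { panic("UploadDir must be configured before serving /upload") }` (or whatever fatal path the project prefers at setup time). `Browse: false` and `HTML5: false` are the right settings for a download-only directory, and relying on the middleware's own path cleaning rather than the removed hand-rolled `path.Join` handler is what closes the traversal, so a one-line comment on the `uploadGroup.Use(` line stating that intent would keep a later refactor from reintroducing a custom handler. setupRouter continues outside the hunk.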
