Prevent malicious code from causing a server UUID to be used that is not valid
This commit is contained in:
parent
b3922864f2
commit
6e5b14c466
|
@ -9,6 +9,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/apex/log"
|
"github.com/apex/log"
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
|
"github.com/google/uuid"
|
||||||
"github.com/juju/ratelimit"
|
"github.com/juju/ratelimit"
|
||||||
"github.com/mholt/archiver/v3"
|
"github.com/mholt/archiver/v3"
|
||||||
"github.com/mitchellh/colorstring"
|
"github.com/mitchellh/colorstring"
|
||||||
|
@ -288,6 +289,16 @@ func postTransfer(c *gin.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
u, err := uuid.Parse(data.ServerID)
|
||||||
|
if err != nil {
|
||||||
|
WithError(c, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Force the server ID to be a valid UUID string at this point. If it is not an error
|
||||||
|
// is returned to the caller. This limits injection vulnerabilities that would cause
|
||||||
|
// the str.path() function to return a location not within the server archive directory.
|
||||||
|
data.ServerID = u.String()
|
||||||
|
|
||||||
data.log().Info("handling incoming server transfer request")
|
data.log().Info("handling incoming server transfer request")
|
||||||
go func(data *serverTransferRequest) {
|
go func(data *serverTransferRequest) {
|
||||||
hasError := true
|
hasError := true
|
||||||
|
|
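Review bot: The parse error from `uuid.Parse(data.ServerID)` is passed straight to `WithError(c, err)`, and if that helper maps arbitrary errors to a 500 (I cannot see its body from this hunk), a malformed client-supplied server ID will be reported as a server fault rather than rejected as a bad request; a `c.AbortWithStatusJSON(http.StatusBadRequest, ...)` response at this spot would make the distinction explicit. Note also that `postTransfer` begins outside the hunk (the header shows it starting before line 289), so any use of `data.ServerID` in the code above this check — including whatever precedes the `return` at the top of the hunk — is not protected by the new canonicalization; the check belongs as close to the request decoding as possible. The canonicalization itself is sound since `u.String()` collapses the alternative forms `uuid.Parse` accepts (braces, URN prefix, unhyphenated) into the hyphenated lowercase form before the value reaches `str.path()`. Minor wording in the added comment: `// Force the server ID to be a valid UUID string at this point. If it is not, an error` reads better than the current run-on.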