MCorange/wings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent malicious code from causing a server UUID to be used that is not valid

Browse Source
This commit is contained in:
Dane Everitt 2020-12-25 15:01:43 -08:00
parent b3922864f2
commit 6e5b14c466
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
router/router_transfer.go
View File

@ -9,6 +9,7 @@ import (
"fmt" "fmt"
"github.com/apex/log" "github.com/apex/log"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/juju/ratelimit" "github.com/juju/ratelimit"
"github.com/mholt/archiver/v3" "github.com/mholt/archiver/v3"
"github.com/mitchellh/colorstring" "github.com/mitchellh/colorstring"
@ -288,6 +289,16 @@ func postTransfer(c *gin.Context) {
return return
} }
u, err := uuid.Parse(data.ServerID)
if err != nil {
WithError(c, err)
return
}
// Force the server ID to be a valid UUID string at this point. If it is not an error
// is returned to the caller. This limits injection vulnerabilities that would cause
// the str.path() function to return a location not within the server archive directory.
data.ServerID = u.String()
data.log().Info("handling incoming server transfer request") data.log().Info("handling incoming server transfer request")
go func(data *serverTransferRequest) { go func(data *serverTransferRequest) {
hasError := true hasError := true