Prevent malicious code from causing a server UUID to be used that is not valid
This commit is contained in:
parent
b3922864f2
commit
6e5b14c466
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
"github.com/apex/log"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/google/uuid"
|
||||
"github.com/juju/ratelimit"
|
||||
"github.com/mholt/archiver/v3"
|
||||
"github.com/mitchellh/colorstring"
|
||||
|
@ -288,6 +289,16 @@ func postTransfer(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
u, err := uuid.Parse(data.ServerID)
|
||||
if err != nil {
|
||||
WithError(c, err)
|
||||
return
|
||||
}
|
||||
// Force the server ID to be a valid UUID string at this point. If it is not an error
|
||||
// is returned to the caller. This limits injection vulnerabilities that would cause
|
||||
// the str.path() function to return a location not within the server archive directory.
|
||||
data.ServerID = u.String()
|
||||
|
||||
data.log().Info("handling incoming server transfer request")
|
||||
go func(data *serverTransferRequest) {
|
||||
hasError := true
|
||||
|
|
Loading…
Reference in New Issue
Block a user