Prevent malicious code from causing a server UUID to be used that is not valid

This commit is contained in:
Dane Everitt 2020-12-25 15:01:43 -08:00
parent b3922864f2
commit 6e5b14c466
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53

View File

@ -9,6 +9,7 @@ import (
"fmt"
"github.com/apex/log"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/juju/ratelimit"
"github.com/mholt/archiver/v3"
"github.com/mitchellh/colorstring"
@ -288,6 +289,16 @@ func postTransfer(c *gin.Context) {
return
}
u, err := uuid.Parse(data.ServerID)
if err != nil {
WithError(c, err)
return
}
// Force the server ID to be a valid UUID string at this point. If it is not an error
// is returned to the caller. This limits injection vulnerabilities that would cause
// the str.path() function to return a location not within the server archive directory.
data.ServerID = u.String()
data.log().Info("handling incoming server transfer request")
go func(data *serverTransferRequest) {
hasError := true