Fix remote code execution

refer #294
ananthakumaran · Oct 20, 2024 · 3d610c2 · 3d610c2
1 parent 8430ad8
commit 3d610c2
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 5 deletions.
diff --git a/internal/server/editor.go b/internal/server/editor.go
@@ -10,6 +10,7 @@ import (
 	"github.com/ananthakumaran/paisa/internal/config"
 	"github.com/ananthakumaran/paisa/internal/ledger"
 	"github.com/ananthakumaran/paisa/internal/model/posting"
+	"github.com/ananthakumaran/paisa/internal/utils"
 	"github.com/bmatcuk/doublestar/v4"
 	"github.com/gin-gonic/gin"
 	"github.com/samber/lo"
@@ -77,8 +78,13 @@ func SaveFile(db *gorm.DB, file LedgerFile) gin.H {
 	path := config.GetJournalPath()
 	dir := filepath.Dir(path)
 
-	filePath := filepath.Join(dir, file.Name)
-	backupPath := filepath.Join(dir, file.Name+".backup."+time.Now().Format("2006-01-02-15-04-05.000"))
+	filePath, err := utils.BuildSubPath(dir, file.Name)
+	if err != nil {
+		log.Warn(err)
+		return gin.H{"errors": errors, "saved": false, "message": "Invalid file name"}
+	}
+
+	backupPath := filePath + ".backup." + time.Now().Format("2006-01-02-15-04-05.000")
 
 	err = os.MkdirAll(filepath.Dir(filePath), 0700)
 	if err != nil {

diff --git a/internal/server/server.go b/internal/server/server.go
@@ -410,7 +410,7 @@ func TokenAuthMiddleware() gin.HandlerFunc {
 
 	return func(c *gin.Context) {
 		userAccounts := config.GetConfig().UserAccounts
-		if len(userAccounts) == 0 || !strings.HasPrefix(c.Request.RequestURI, "/api") {
+		if len(userAccounts) == 0 || !strings.HasPrefix(c.Request.URL.Path, "/api") {
 			c.Next()
 			return
 		}

diff --git a/internal/server/sheet.go b/internal/server/sheet.go
@@ -10,6 +10,7 @@ import (
 	"github.com/ananthakumaran/paisa/internal/config"
 	"github.com/ananthakumaran/paisa/internal/query"
 	"github.com/ananthakumaran/paisa/internal/service"
+	"github.com/ananthakumaran/paisa/internal/utils"
 	"github.com/bmatcuk/doublestar/v4"
 	"github.com/gin-gonic/gin"
 	"github.com/samber/lo"
@@ -66,9 +67,15 @@ func SaveSheetFile(db *gorm.DB, file SheetFile) gin.H {
 	dir := config.GetSheetDir()
 
 	filePath := filepath.Join(dir, file.Name)
-	backupPath := filepath.Join(dir, file.Name+".backup."+time.Now().Format("2006-01-02-15-04-05.000"))
+	filePath, err := utils.BuildSubPath(dir, file.Name)
+	if err != nil {
+		log.Warn(err)
+		return gin.H{"saved": false, "message": "Invalid file name"}
+	}
+
+	backupPath := filePath + ".backup." + time.Now().Format("2006-01-02-15-04-05.000")
 
-	err := os.MkdirAll(filepath.Dir(filePath), 0700)
+	err = os.MkdirAll(filepath.Dir(filePath), 0700)
 	if err != nil {
 		log.Warn(err)
 		return gin.H{"saved": false, "message": "Failed to create directory"}

diff --git a/internal/utils/utils.go b/internal/utils/utils.go
@@ -3,8 +3,10 @@ package utils
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -294,3 +296,19 @@ func Sha256(str string) string {
 	h.Write([]byte(str))
 	return hex.EncodeToString(h.Sum(nil))
 }
+
+func BuildSubPath(baseDirectory string, path string) (string, error) {
+	baseDirectory = filepath.Clean(baseDirectory)
+	fullpath := filepath.Clean(filepath.Join(baseDirectory, filepath.Clean(path)))
+
+	relpath, err := filepath.Rel(baseDirectory, fullpath)
+	if err != nil {
+		return "", err
+	}
+
+	if strings.Contains(relpath, "..") {
+		return "", errors.New("Not allowed to refer path outside the base directory")
+	}
+
+	return fullpath, nil
+}