Check for server dir on server_upload

2024-08-30 18:23:09 +00:00 · 2024-05-27 15:19:23 -04:00 · 2024-05-27 15:19:23 -04:00 · 9b7ddbfe1e
commit 9b7ddbfe1e
parent 3b7a463184
1 changed files with 20 additions and 1 deletions
--- a/app/classes/web/routes/api/crafty/upload/index.py
+++ b/app/classes/web/routes/api/crafty/upload/index.py
@ -36,6 +36,7 @@ class ApiFilesUploadHandler(BaseApiHandler):
                return self.finish_json(
                    400, {"status": "error", "error": "NOT_AUTHORIZED"}
                )
+
            u_type = "server_upload"
        elif auth_data[4]["superuser"] and upload_type == "background":
            u_type = "admin_config"
@ -89,11 +90,29 @@ class ApiFilesUploadHandler(BaseApiHandler):
            self.upload_dir = self.request.headers.get("location", None)
        self.temp_dir = os.path.join(self.controller.project_root, "temp", self.file_id)

+        if u_type == "server_upload":
+            full_path = os.path.join(self.upload_dir, self.filename)
+
+            if not self.helper.is_subdir(
+                full_path,
+                Helpers.get_os_understandable_path(
+                    self.controller.servers.get_server_data_by_id(server_id)["path"]
+                ),
+            ):
+                return self.finish_json(
+                    400,
+                    {
+                        "status": "error",
+                        "error": "NOT AUTHORIZED",
+                        "data": {"message": "Traversal detected"},
+                    },
+                )
+
        _total, _used, free = shutil.disk_usage(self.upload_dir)

        # Check to see if we have enough space
        if free <= file_size:
-            self.finish_json(
+            return self.finish_json(
                507,
                {
                    "status": "error",