Mirrored_Repos/crafty-4
1
0
Fork 0
mirror of https://gitlab.com/crafty-controller/crafty-4.git synced 2024-08-30 18:23:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'refactor/in-file' into 'dev'

Browse Source 
Replace "in_file" helper method

See merge request crafty-controller/crafty-4!605
This commit is contained in:
Iain Powrie 2023-07-18 20:31:59 +00:00
commit d3f9314139
6 changed files with 34 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -7,6 +7,8 @@ TBD
- Fix text/formatting issue on server config page ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/602))
- Bump required version of PyYAML to 6.0.1 ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/609))
- Fix enable/disable schedule toggles on schedule list ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/606))
### Refactor
- Replace "in_file" helper method ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/605))
### Tweaks
- Add public status link to login ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/608))
### Lang

22
app/classes/shared/helpers.py
View File

@ -507,9 +507,9 @@ class Helpers:
return mounts
def is_subdir(self, server_path, root_dir):
server_path = os.path.realpath(server_path)
root_dir = os.path.realpath(root_dir)
def is_subdir(self, child_path, parent_path):
server_path = os.path.realpath(child_path)
root_dir = os.path.realpath(parent_path)
if self.is_os_windows():
try:
@ -1244,22 +1244,6 @@ class Helpers:
return temp_dir
return False
@staticmethod
def in_path(parent_path, child_path):
# Smooth out relative path names, note: if you are concerned about
# symbolic links, you should use os.path.realpath too
parent_path = os.path.abspath(parent_path)
child_path = os.path.abspath(child_path)
# Compare the common path of the parent and child path with the
# common path of just the parent path. Using the commonpath method
# on just the parent path will regularise the path name in the same way
# as the comparison that deals with both paths, removing any trailing
# path separator
return os.path.commonpath([parent_path]) == os.path.commonpath(
[parent_path, child_path]
)
@staticmethod
def download_file(executable_url, jar_path):
try:

8
app/classes/web/ajax_handler.py
View File

@ -656,12 +656,12 @@ class AjaxHandler(BaseHandler):
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not (
Helpers.in_path(
Helpers.get_os_understandable_path(server_info["path"]), file_path
self.helper.is_subdir(
file_path, Helpers.get_os_understandable_path(server_info["path"])
)
or Helpers.in_path(
Helpers.get_os_understandable_path(server_info["backup_path"]),
or self.helper.is_subdir(
file_path,
Helpers.get_os_understandable_path(server_info["backup_path"]),
)
) or not Helpers.check_file_exists(os.path.abspath(file_path)):
logger.warning(f"Invalid path in del_backup ajax call ({file_path})")

90
app/classes/web/file_handler.py
View File

@ -57,11 +57,11 @@ class FileHandler(BaseHandler):
return
server_id = bleach.clean(server_id)
if not Helpers.in_path(
if not self.helper.is_subdir(
file_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
file_path,
) or not Helpers.check_file_exists(os.path.abspath(file_path)):
logger.warning(
f"Invalid path in get_file file file ajax call ({file_path})"
@ -163,11 +163,11 @@ class FileHandler(BaseHandler):
return
server_id = bleach.clean(server_id)
if not Helpers.in_path(
if not self.helper.is_subdir(
file_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
file_path,
) or Helpers.check_file_exists(os.path.abspath(file_path)):
logger.warning(
f"Invalid path in create_file file ajax call ({file_path})"
@ -196,11 +196,11 @@ class FileHandler(BaseHandler):
return
server_id = bleach.clean(server_id)
if not Helpers.in_path(
if not self.helper.is_subdir(
dir_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
dir_path,
) or Helpers.check_path_exists(os.path.abspath(dir_path)):
logger.warning(
f"Invalid path in create_dir file ajax call ({dir_path})"
@ -263,12 +263,12 @@ class FileHandler(BaseHandler):
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not (
Helpers.in_path(
Helpers.get_os_understandable_path(server_info["path"]), file_path
self.helper.is_subdir(
file_path, Helpers.get_os_understandable_path(server_info["path"])
)
or Helpers.in_path(
Helpers.get_os_understandable_path(server_info["backup_path"]),
or self.helper.is_subdir(
file_path,
Helpers.get_os_understandable_path(server_info["backup_path"]),
)
) or not Helpers.check_file_exists(os.path.abspath(file_path)):
logger.warning(f"Invalid path in del_file file ajax call ({file_path})")
@ -296,8 +296,8 @@ class FileHandler(BaseHandler):
server_id = bleach.clean(server_id)
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not Helpers.in_path(
Helpers.get_os_understandable_path(server_info["path"]), dir_path
if not self.helper.is_subdir(
dir_path, Helpers.get_os_understandable_path(server_info["path"])
) or not Helpers.check_path_exists(os.path.abspath(dir_path)):
logger.warning(f"Invalid path in del_file file ajax call ({dir_path})")
Console.warning(f"Invalid path in del_file file ajax call ({dir_path})")
@ -348,11 +348,11 @@ class FileHandler(BaseHandler):
return
server_id = bleach.clean(server_id)
if not Helpers.in_path(
if not self.helper.is_subdir(
file_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
file_path,
) or not Helpers.check_file_exists(os.path.abspath(file_path)):
logger.warning(
f"Invalid path in save_file file ajax call ({file_path})"
@ -366,60 +366,6 @@ class FileHandler(BaseHandler):
with open(file_path, "w", encoding="utf-8") as file_object:
file_object.write(file_contents)
elif page == "rename_file":
if not permissions["Files"] in user_perms:
if not superuser:
self.redirect("/panel/error?error=Unauthorized access to Files")
return
item_path = Helpers.get_os_understandable_path(
self.get_body_argument("item_path", default=None, strip=True)
)
new_item_name = self.get_body_argument(
"new_item_name", default=None, strip=True
)
if not self.check_server_id(server_id, "rename_file"):
return
server_id = bleach.clean(server_id)
if item_path is None or new_item_name is None:
logger.warning("Invalid path(s) in rename_file file ajax call")
Console.warning("Invalid path(s) in rename_file file ajax call")
return
if not Helpers.in_path(
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
item_path,
) or not Helpers.check_path_exists(os.path.abspath(item_path)):
logger.warning(
f"Invalid old name path in rename_file file ajax call ({server_id})"
)
Console.warning(
f"Invalid old name path in rename_file file ajax call ({server_id})"
)
return
new_item_path = os.path.join(os.path.split(item_path)[0], new_item_name)
if not Helpers.in_path(
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
new_item_path,
) or Helpers.check_path_exists(os.path.abspath(new_item_path)):
logger.warning(
f"Invalid new name path in rename_file file ajax call ({server_id})"
)
Console.warning(
f"Invalid new name path in rename_file file ajax call ({server_id})"
)
return
# RENAME
os.rename(item_path, new_item_path)
@tornado.web.authenticated
def patch(self, page):
api_key, _, exec_user = self.current_user
@ -462,11 +408,11 @@ class FileHandler(BaseHandler):
Console.warning("Invalid path(s) in rename_file file ajax call")
return
if not Helpers.in_path(
if not self.helper.is_subdir(
item_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
item_path,
) or not Helpers.check_path_exists(os.path.abspath(item_path)):
logger.warning(
f"Invalid old name path in rename_file file ajax call ({server_id})"
@ -478,11 +424,11 @@ class FileHandler(BaseHandler):
new_item_path = os.path.join(os.path.split(item_path)[0], new_item_name)
if not Helpers.in_path(
if not self.helper.is_subdir(
new_item_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
new_item_path,
) or Helpers.check_path_exists(os.path.abspath(new_item_path)):
logger.warning(
f"Invalid new name path in rename_file file ajax call ({server_id})"

9
app/classes/web/panel_handler.py
View File

@ -808,9 +808,9 @@ class PanelHandler(BaseHandler):
Helpers.get_os_understandable_path(server_info["backup_path"]), file
)
)
if not Helpers.in_path(
Helpers.get_os_understandable_path(server_info["backup_path"]),
if not self.helper.is_subdir(
backup_file,
Helpers.get_os_understandable_path(server_info["backup_path"]),
) or not os.path.isfile(backup_file):
self.redirect("/panel/error?error=Invalid path detected")
return
@ -1463,8 +1463,9 @@ class PanelHandler(BaseHandler):
server_info = self.controller.servers.get_server_data_by_id(server_id)
if not Helpers.in_path(
Helpers.get_os_understandable_path(server_info["path"]), file
if not self.helper.is_subdir(
file,
Helpers.get_os_understandable_path(server_info["path"]),
) or not os.path.isfile(file):
self.redirect("/panel/error?error=Invalid path detected")
return

4
app/classes/web/upload_handler.py
View File

@ -278,11 +278,11 @@ class UploadHandler(BaseHandler):
filename = self.request.headers.get("X-FileName", None)
full_path = os.path.join(path, filename)
if not Helpers.in_path(
if not self.helper.is_subdir(
full_path,
Helpers.get_os_understandable_path(
self.controller.servers.get_server_data_by_id(server_id)["path"]
),
full_path,
):
logger.warning(
f"User {user_id} tried to upload a file to {server_id} "