mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-05-04 10:00:10 -05:00
Christian Richter
committed by
Michael Barz
Michael Barz
parent
c4101fa9e2
commit
915baa5b7b
+2
-2
@@ -88,14 +88,14 @@ func (s *svc) handlePathCopy(w http.ResponseWriter, r *http.Request, ns string)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(path.Base(src), s.nameValidators); err != nil {
|
||||
if err := ValidateName(filename(src), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
|
||||
errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(path.Base(dst), s.nameValidators); err != nil {
|
||||
if err := ValidateDestination(filename(dst), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, "destination failed naming rules", "")
|
||||
errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
|
||||
|
||||
+2
-2
@@ -39,10 +39,10 @@ func (s *svc) handlePathMkcol(w http.ResponseWriter, r *http.Request, ns string)
|
||||
ctx, span := appctx.GetTracerProvider(r.Context()).Tracer(tracerName).Start(r.Context(), "mkcol")
|
||||
defer span.End()
|
||||
|
||||
fn := path.Join(ns, r.URL.Path)
|
||||
if err := ValidateName(path.Base(fn), s.nameValidators); err != nil {
|
||||
if err := ValidateName(filename(r.URL.Path), s.nameValidators); err != nil {
|
||||
return http.StatusBadRequest, err
|
||||
}
|
||||
fn := path.Join(ns, r.URL.Path)
|
||||
sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
|
||||
|
||||
client, err := s.gatewaySelector.Next()
|
||||
|
||||
+2
-2
@@ -60,14 +60,14 @@ func (s *svc) handlePathMove(w http.ResponseWriter, r *http.Request, ns string)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(path.Base(srcPath), s.nameValidators); err != nil {
|
||||
if err := ValidateName(filename(srcPath), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
|
||||
errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(path.Base(dstPath), s.nameValidators); err != nil {
|
||||
if err := ValidateDestination(filename(dstPath), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, "destination naming rules", "")
|
||||
errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
|
||||
|
||||
+5
@@ -394,3 +394,8 @@ func (s *svc) referenceIsChildOf(ctx context.Context, selector pool.Selectable[g
|
||||
pp := path.Join(parentPathRes.Path, parent.Path) + "/"
|
||||
return strings.HasPrefix(cp, pp), nil
|
||||
}
|
||||
|
||||
// filename returns the base filename from a path and replaces any slashes with an empty string
|
||||
func filename(p string) string {
|
||||
return strings.Trim(path.Base(p), "/")
|
||||
}
|
||||
|
||||
+17
-10
@@ -113,8 +113,15 @@ func (s *svc) handlePathPut(w http.ResponseWriter, r *http.Request, ns string) {
|
||||
defer span.End()
|
||||
|
||||
fn := path.Join(ns, r.URL.Path)
|
||||
|
||||
sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
|
||||
|
||||
if err := ValidateName(filename(r.URL.Path), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
|
||||
errors.HandleWebdavError(&sublog, w, b, err)
|
||||
return
|
||||
}
|
||||
|
||||
space, status, err := spacelookup.LookUpStorageSpaceForPath(ctx, s.gatewaySelector, fn)
|
||||
if err != nil {
|
||||
sublog.Error().Err(err).Str("path", fn).Msg("failed to look up storage space")
|
||||
@@ -135,20 +142,13 @@ func (s *svc) handlePut(ctx context.Context, w http.ResponseWriter, r *http.Requ
|
||||
return
|
||||
}
|
||||
|
||||
length, err := getContentLength(w, r)
|
||||
length, err := getContentLength(r)
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("error getting the content length")
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(filepath.Base(ref.Path), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
|
||||
errors.HandleWebdavError(&log, w, b, err)
|
||||
return
|
||||
}
|
||||
|
||||
client, err := s.gatewaySelector.Next()
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("error selecting next gateway client")
|
||||
@@ -411,6 +411,13 @@ func (s *svc) handleSpacesPut(w http.ResponseWriter, r *http.Request, spaceID st
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateName(filename(ref.Path), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
|
||||
errors.HandleWebdavError(&sublog, w, b, err)
|
||||
return
|
||||
}
|
||||
|
||||
s.handlePut(ctx, w, r, &ref, sublog)
|
||||
}
|
||||
|
||||
@@ -432,7 +439,7 @@ func checkPreconditions(w http.ResponseWriter, r *http.Request, log zerolog.Logg
|
||||
return true
|
||||
}
|
||||
|
||||
func getContentLength(w http.ResponseWriter, r *http.Request) (int64, error) {
|
||||
func getContentLength(r *http.Request) (int64, error) {
|
||||
length, err := strconv.ParseInt(r.Header.Get(net.HeaderContentLength), 10, 64)
|
||||
if err != nil {
|
||||
// Fallback to Upload-Length
|
||||
|
||||
+11
-17
@@ -58,21 +58,15 @@ func (s *svc) handlePathTusPost(w http.ResponseWriter, r *http.Request, ns strin
|
||||
|
||||
// read filename from metadata
|
||||
meta := tusd.ParseMetadataHeader(r.Header.Get(net.HeaderUploadMetadata))
|
||||
if err := ValidateName(path.Base(meta["filename"]), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusPreconditionFailed)
|
||||
return
|
||||
}
|
||||
|
||||
// append filename to current dir
|
||||
fn := path.Join(ns, r.URL.Path, meta["filename"])
|
||||
|
||||
sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
|
||||
// check tus headers?
|
||||
|
||||
ref := &provider.Reference{
|
||||
// FIXME ResourceId?
|
||||
Path: fn,
|
||||
// a path based request has no resource id, so we can only provide a path. The gateway has te figure out which provider is responsible
|
||||
Path: path.Join(ns, r.URL.Path, meta["filename"]),
|
||||
}
|
||||
|
||||
sublog := appctx.GetLogger(ctx).With().Str("path", r.URL.Path).Str("filename", meta["filename"]).Logger()
|
||||
|
||||
s.handleTusPost(ctx, w, r, meta, ref, sublog)
|
||||
}
|
||||
|
||||
@@ -82,12 +76,6 @@ func (s *svc) handleSpacesTusPost(w http.ResponseWriter, r *http.Request, spaceI
|
||||
|
||||
// read filename from metadata
|
||||
meta := tusd.ParseMetadataHeader(r.Header.Get(net.HeaderUploadMetadata))
|
||||
if err := ValidateName(path.Base(meta["filename"]), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusPreconditionFailed)
|
||||
return
|
||||
}
|
||||
|
||||
sublog := appctx.GetLogger(ctx).With().Str("spaceid", spaceID).Str("path", r.URL.Path).Logger()
|
||||
|
||||
ref, err := spacelookup.MakeStorageSpaceReference(spaceID, path.Join(r.URL.Path, meta["filename"]))
|
||||
if err != nil {
|
||||
@@ -95,6 +83,8 @@ func (s *svc) handleSpacesTusPost(w http.ResponseWriter, r *http.Request, spaceI
|
||||
return
|
||||
}
|
||||
|
||||
sublog := appctx.GetLogger(ctx).With().Str("spaceid", spaceID).Str("path", r.URL.Path).Str("filename", meta["filename"]).Logger()
|
||||
|
||||
s.handleTusPost(ctx, w, r, meta, &ref, sublog)
|
||||
}
|
||||
|
||||
@@ -116,6 +106,10 @@ func (s *svc) handleTusPost(ctx context.Context, w http.ResponseWriter, r *http.
|
||||
w.WriteHeader(http.StatusPreconditionFailed)
|
||||
return
|
||||
}
|
||||
if err := ValidateName(filename(meta["filename"]), s.nameValidators); err != nil {
|
||||
w.WriteHeader(http.StatusPreconditionFailed)
|
||||
return
|
||||
}
|
||||
|
||||
// Test if the target is a secret filedrop
|
||||
var isSecretFileDrop bool
|
||||
|
||||
Generated
Vendored
+14
@@ -27,6 +27,11 @@ func ValidatorsFromConfig(c *config.Config) []Validator {
|
||||
|
||||
// ValidateName will validate a file or folder name, returning an error when it is not accepted
|
||||
func ValidateName(name string, validators []Validator) error {
|
||||
return ValidateDestination(name, append(validators, notReserved()))
|
||||
}
|
||||
|
||||
// ValidateDestination will validate a file or folder destination name (which can be . or ..), returning an error when it is not accepted
|
||||
func ValidateDestination(name string, validators []Validator) error {
|
||||
for _, v := range validators {
|
||||
if err := v(name); err != nil {
|
||||
return fmt.Errorf("name validation failed: %w", err)
|
||||
@@ -35,6 +40,15 @@ func ValidateName(name string, validators []Validator) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func notReserved() Validator {
|
||||
return func(s string) error {
|
||||
if s == ".." || s == "." {
|
||||
return errors.New(". and .. are reserved names")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func notEmpty() Validator {
|
||||
return func(s string) error {
|
||||
if strings.TrimSpace(s) == "" {
|
||||
|
||||
Reference in New Issue
Block a user