evan/next-terminal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

修复安全漏洞

Browse Source
This commit is contained in:
dushixiang 2021-03-11 12:19:36 +08:00
parent e5f5b2b7de
commit ba5bff1b38
3 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -36,6 +36,8 @@ test/test
## 快速安装 ## 快速安装
> 本项目未进行严格的安全性测试,不建议部署安装在公网环境。
- [使用docker安装](docs/install-docker.md) - [使用docker安装](docs/install-docker.md)
- [原生安装](docs/install-naive.md) - [原生安装](docs/install-naive.md)
- [FAQ](docs/faq.md) - [FAQ](docs/faq.md)

5
pkg/api/account.go
View File

@ -177,7 +177,10 @@ func LogoutEndpoint(c echo.Context) error {
token := GetToken(c) token := GetToken(c)
cacheKey := BuildCacheKeyByToken(token) cacheKey := BuildCacheKeyByToken(token)
global.Cache.Delete(cacheKey) global.Cache.Delete(cacheKey)
model.Logout(token) err := model.Logout(token)
if err != nil {
return err
}
return Success(c, nil) return Success(c, nil)
} }

27
pkg/api/session.go
View File

@ -271,6 +271,12 @@ func SessionUploadEndpoint(c echo.Context) error {
} }
return Success(c, nil) return Success(c, nil)
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(remoteFile, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err
@ -324,11 +330,14 @@ func SessionDownloadEndpoint(c echo.Context) error {
return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes())) return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes()))
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(remoteFile, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err
} }
return c.Attachment(path.Join(drivePath, remoteFile), filenameWithSuffix) return c.Attachment(path.Join(drivePath, remoteFile), filenameWithSuffix)
} }
@ -403,6 +412,10 @@ func SessionLsEndpoint(c echo.Context) error {
return Success(c, files) return Success(c, files)
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(remoteDir, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err
@ -450,6 +463,10 @@ func SessionMkDirEndpoint(c echo.Context) error {
} }
return Success(c, nil) return Success(c, nil)
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(remoteDir, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err
@ -507,6 +524,10 @@ func SessionRmEndpoint(c echo.Context) error {
return Success(c, nil) return Success(c, nil)
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(key, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err
@ -544,6 +565,10 @@ func SessionRenameEndpoint(c echo.Context) error {
return Success(c, nil) return Success(c, nil)
} else if "rdp" == session.Protocol { } else if "rdp" == session.Protocol {
if strings.Contains(oldName, "../") {
logrus.Warnf("IP %v 尝试进行攻击请ban掉此IP", c.RealIP())
return Fail(c, -1, ":) 您的IP已被记录请去向管理员自首。")
}
drivePath, err := model.GetDrivePath() drivePath, err := model.GetDrivePath()
if err != nil { if err != nil {
return err return err