修复安全漏洞

2021-03-11 12:19:36 +08:00 · 2021-03-11 12:19:36 +08:00 · ba5bff1b38
commit ba5bff1b38
parent e5f5b2b7de
3 changed files with 32 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -36,6 +36,8 @@ test/test

 ## 快速安装

+> 本项目未进行严格的安全性测试，不建议部署安装在公网环境。
+
 - [使用docker安装](docs/install-docker.md)
 - [原生安装](docs/install-naive.md)
 - [FAQ](docs/faq.md)
--- a/pkg/api/account.go
+++ b/pkg/api/account.go
@ -177,7 +177,10 @@ func LogoutEndpoint(c echo.Context) error {
 	token := GetToken(c)
 	cacheKey := BuildCacheKeyByToken(token)
 	global.Cache.Delete(cacheKey)
-	model.Logout(token)
+	err := model.Logout(token)
+	if err != nil {
+		return err
+	}
 	return Success(c, nil)
 }

--- a/pkg/api/session.go
+++ b/pkg/api/session.go
@ -271,6 +271,12 @@ func SessionUploadEndpoint(c echo.Context) error {
 		}
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
+
+		if strings.Contains(remoteFile, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err
@ -324,11 +330,14 @@ func SessionDownloadEndpoint(c echo.Context) error {

 		return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes()))
 	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteFile, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err
 		}
-
 		return c.Attachment(path.Join(drivePath, remoteFile), filenameWithSuffix)
 	}

@ -403,6 +412,10 @@ func SessionLsEndpoint(c echo.Context) error {

 		return Success(c, files)
 	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteDir, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err
@ -450,6 +463,10 @@ func SessionMkDirEndpoint(c echo.Context) error {
 		}
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteDir, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err
@ -507,6 +524,10 @@ func SessionRmEndpoint(c echo.Context) error {

 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
+		if strings.Contains(key, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err
@ -544,6 +565,10 @@ func SessionRenameEndpoint(c echo.Context) error {

 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
+		if strings.Contains(oldName, "../") {
+			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
 		drivePath, err := model.GetDrivePath()
 		if err != nil {
 			return err