perf: 对文件名做了过滤。防止路径注入漏洞

onlyLTY · Jan 31, 2024 · a92924f · a92924f
1 parent 3f95bee
commit a92924f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/internal/logic/container/delrestorelogic.go b/internal/logic/container/delrestorelogic.go
@@ -3,6 +3,7 @@ package container
 import (
 	"context"
 	"os"
+	"regexp"
 
 	"github.com/onlyLTY/dockerCopilot/UGREEN/internal/svc"
 	"github.com/onlyLTY/dockerCopilot/UGREEN/internal/types"
@@ -26,7 +27,7 @@ func NewDelRestoreLogic(ctx context.Context, svcCtx *svc.ServiceContext) *DelRes
 
 func (l *DelRestoreLogic) DelRestore(req *types.ContainerRestoreReq) (resp *types.Resp, err error) {
 	resp = &types.Resp{}
-	fileName := req.Filename
+	fileName := CleanFilename(req.Filename)
 	basePath := os.Getenv("BACKUP_DIR") // 从环境变量中获取备份目录
 	if basePath == "" {
 		basePath = "/data/backups" // 如果环境变量未设置，使用默认值
@@ -44,3 +45,8 @@ func (l *DelRestoreLogic) DelRestore(req *types.ContainerRestoreReq) (resp *type
 	resp.Data = map[string]interface{}{}
 	return resp, nil
 }
+
+func CleanFilename(filename string) string {
+	reg := regexp.MustCompile("[^a-zA-Z0-9-]+")
+	return reg.ReplaceAllString(filename, "")
+}
diff --git a/internal/logic/container/restorelogic.go b/internal/logic/container/restorelogic.go
@@ -28,14 +28,15 @@ func NewRestoreLogic(ctx context.Context, svcCtx *svc.ServiceContext) *RestoreLo
 func (l *RestoreLogic) Restore(req *types.ContainerRestoreReq) (resp *types.Resp, err error) {
 	resp = &types.Resp{}
 	taskID := uuid.New().String()
+	fileName := CleanFilename(req.Filename)
 	go func() {
 		// Catch any panic and log the error
 		defer func() {
 			if r := recover(); r != nil {
 				l.Errorf("Recovered from panic in restoreContainer: %v", r)
 			}
 		}()
-		err := utiles.RestoreContainer(l.svcCtx, req.Filename, taskID)
+		err := utiles.RestoreContainer(l.svcCtx, fileName, taskID)
 		if err != nil {
 			l.Errorf("Error in restoreContainer: %v", err)
 		}

diff --git a/internal/utiles/restorecontainer.go b/internal/utiles/restorecontainer.go
@@ -34,7 +34,7 @@ func RestoreContainer(ctx *svc.ServiceContext, filename string, taskID string) e
 	if err != nil {
 		logx.Error("Failed to read file: %s", err)
 		oldProgress.Percentage = 0
-		oldProgress.Message = "读取文件失败或者未找到文件"
+		oldProgress.Message = "读取文件失败或者未找到文件。请确认文件名仅由大小写字母、数字和短横线组成"
 		oldProgress.DetailMsg = err.Error()
 		oldProgress.IsDone = true
 		ctx.UpdateProgress(taskID, oldProgress)