tcjlj/nezha
1
0
Fork 0
mirror of https://github.com/nezhahq/nezha.git synced 2025-01-22 12:48:14 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

Revert "Fix code scanning alert no. 23: Uncontrolled data used in path expression (#486)"

Browse Source 
This reverts commit c2b3d19a51.
This commit is contained in:
naiba 2024-11-28 20:38:02 +08:00
parent c2b3d19a51
commit ab4d896efc
1 changed files with 8 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
cmd/dashboard/controller/controller.go
View File

@ -213,33 +213,20 @@ func fallbackToFrontend(c *gin.Context) {
c.JSON(http.StatusOK, newErrorResponse(errors.New("404 Not Found")))
return
}
const safeDirAdmin = "./admin-dist"
const safeDirUser = "user-dist"
if strings.HasPrefix(c.Request.URL.Path, "/dashboard") {
stripPath := strings.TrimPrefix(c.Request.URL.Path, "/dashboard")
localFilePath := filepath.Join(safeDirAdmin, stripPath)
absPath, err := filepath.Abs(localFilePath)
if err != nil || !strings.HasPrefix(absPath, safeDirAdmin) {
c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
localFilePath := filepath.Join("./admin-dist", stripPath)
if _, err := os.Stat(localFilePath); err == nil {
c.File(localFilePath)
return
}
if _, err := os.Stat(absPath); err == nil {
c.File(absPath)
return
}
c.File(filepath.Join(safeDirAdmin, "index.html"))
c.File("admin-dist/index.html")
return
}
localFilePath := filepath.Join(safeDirUser, c.Request.URL.Path)
absPath, err := filepath.Abs(localFilePath)
if err != nil || !strings.HasPrefix(absPath, safeDirUser) {
c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
localFilePath := filepath.Join("user-dist", c.Request.URL.Path)
if _, err := os.Stat(localFilePath); err == nil {
c.File(localFilePath)
return
}
if _, err := os.Stat(absPath); err == nil {
c.File(absPath)
return
}
c.File(filepath.Join(safeDirUser, "index.html"))
c.File("user-dist/index.html")
}