TDvorak/Excalidraw
1
0
Fork 0
mirror of https://github.com/Dvorinka/excalidraw-full.git synced 2026-06-03 13:52:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

security fix

Browse Source
This commit is contained in:
Yuzhong Zhang
2025-07-08 21:30:32 +08:00
parent 707b7283f6
commit ff8e64cccb
2 changed files with 40 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
stores/aws/store.go
+23 -6
View File
@@ -79,8 +79,16 @@ func (s *s3Store) Create(ctx context.Context, document *core.Document) (string,
}
// CanvasStore implementation for user-owned canvases
func (s *s3Store) getCanvasKey(userID, canvasID string) string {
return path.Join(userID, canvasID)
func (s *s3Store) getCanvasKey(userID, canvasID string) (string, error) {
// Sanitize canvasID to prevent path traversal attacks.
// It should be a simple name, not a path.
if path.Base(canvasID) != canvasID {
return "", fmt.Errorf("invalid canvas id: must not be a path")
}
if canvasID == "" || canvasID == "." || canvasID == ".." {
return "", fmt.Errorf("invalid canvas id: must not be empty or a dot directory")
}
return path.Join(userID, canvasID), nil
}
func (s *s3Store) List(ctx context.Context, userID string) ([]*core.Canvas, error) {
@@ -125,7 +133,10 @@ func (s *s3Store) List(ctx context.Context, userID string) ([]*core.Canvas, erro
}
func (s *s3Store) Get(ctx context.Context, userID, id string) (*core.Canvas, error) {
key := s.getCanvasKey(userID, id)
key, err := s.getCanvasKey(userID, id)
if err != nil {
return nil, err
}
resp, err := s.s3Client.GetObject(ctx, &s3.GetObjectInput{
Bucket: aws.String(s.bucket),
Key: aws.String(key),
@@ -154,7 +165,10 @@ func (s *s3Store) Get(ctx context.Context, userID, id string) (*core.Canvas, err
}
func (s *s3Store) Save(ctx context.Context, canvas *core.Canvas) error {
key := s.getCanvasKey(canvas.UserID, canvas.ID)
key, err := s.getCanvasKey(canvas.UserID, canvas.ID)
if err != nil {
return err
}
// Preserve CreatedAt on update
if canvas.CreatedAt.IsZero() {
@@ -184,8 +198,11 @@ func (s *s3Store) Save(ctx context.Context, canvas *core.Canvas) error {
}
func (s *s3Store) Delete(ctx context.Context, userID, id string) error {
key := s.getCanvasKey(userID, id)
_, err := s.s3Client.DeleteObject(ctx, &s3.DeleteObjectInput{
key, err := s.getCanvasKey(userID, id)
if err != nil {
return err
}
_, err = s.s3Client.DeleteObject(ctx, &s3.DeleteObjectInput{
Bucket: aws.String(s.bucket),
Key: aws.String(key),
})
stores/filesystem/store.go
+17 -1
View File
@@ -9,6 +9,7 @@ import (
"log"
"os"
"path/filepath"
"strings"
"time"
"github.com/oklog/ulid/v2"
@@ -127,7 +128,22 @@ func (s *fsStore) Get(ctx context.Context, userID, id string) (*core.Canvas, err
filePath := filepath.Join(userPath, id)
log := logrus.WithFields(logrus.Fields{"user_id": userID, "canvas_id": id, "path": filePath})
data, err := os.ReadFile(filePath)
// 关键修复:验证路径合法性
absUserPath, err := filepath.Abs(userPath)
if err != nil {
return nil, err // or handle error appropriately
}
absFilePath, err := filepath.Abs(filePath)
if err != nil {
return nil, err // or handle error appropriately
}
if !strings.HasPrefix(absFilePath, absUserPath) {
return nil, fmt.Errorf("invalid path: access denied")
}
// 修复结束
data, err := os.ReadFile(absFilePath) // 使用清理过的路径
if err != nil {
if os.IsNotExist(err) {
log.Warn("Canvas file not found")