dennii/dbgate
1
0
Fork 0
mirror of https://github.com/DeNNiiInc/dbgate.git synced 2026-04-20 00:46:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

SYNC: security fixes

Browse Source
This commit is contained in:
SPRINX0\prochazka
2025-06-12 13:49:23 +02:00
committed by Diflow
parent 3f37b2b728
commit cf3f95c952
4 changed files with 71 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
packages/api/src/controllers/files.js
View File

@@ -12,6 +12,7 @@ const getMapExport = require('../utility/getMapExport');
const dbgateApi = require('../shell');
const { getLogger } = require('dbgate-tools');
const platformInfo = require('../utility/platformInfo');
const { checkSecureFilePaths, checkSecureDirectories } = require('../utility/security');
const logger = getLogger('files');
function serialize(format, data) {
@@ -26,25 +27,6 @@ function deserialize(format, text) {
throw new Error(`Invalid format: ${format}`);
}
function checkSecureFilePaths(...filePaths) {
for (const filePath of filePaths) {
if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
return false;
}
}
return true;
}
function checkSecureDirectories(...filePaths) {
for (const filePath of filePaths) {
const directory = path.dirname(filePath);
if (directory != filesdir() && directory != uploadsdir() && directory != archivedir() && directory != appdir()) {
return false;
}
}
return true;
}
module.exports = {
list_meta: true,
async list({ folder }, req) {

12
packages/api/src/controllers/runners.js
View File

@@ -19,6 +19,7 @@ const {
const { handleProcessCommunication } = require('../utility/processComm');
const processArgs = require('../utility/processArgs');
const platformInfo = require('../utility/platformInfo');
const { checkSecureDirectories, checkSecureDirectoriesInScript } = require('../utility/security');
const logger = getLogger('runners');
function extractPlugins(script) {
@@ -273,6 +274,12 @@ module.exports = {
const runid = crypto.randomUUID();
if (script.type == 'json') {
if (!platformInfo.isElectron) {
if (!checkSecureDirectoriesInScript(script)) {
return { errorMessage: 'Unallowed directories in script' };
}
}
const js = await jsonScriptToJavascript(script);
return this.startCore(runid, scriptTemplate(js, false));
}
@@ -317,6 +324,11 @@ module.exports = {
loadReader_meta: true,
async loadReader({ functionName, props }) {
if (!platformInfo.isElectron) {
if (props?.fileName && !checkSecureDirectories(props.fileName)) {
return { errorMessage: 'Unallowed file' };
}
}
const prefix = extractShellApiPlugins(functionName)
.map(packageName => `// @require ${packageName}\n`)
.join('');