修复文件越权访问

back/api/config.ts

@@ -1,4 +1,3 @@
-import { getFileContentByName, getLastModifyFilePath } from '../config/util';
 import { Router, Request, Response, NextFunction } from 'express';
 import { Container } from 'typedi';
 import { Logger } from 'winston';

back/api/log.ts

@@ -1,10 +1,9 @@
 import { Router, Request, Response, NextFunction } from 'express';
 import { Container } from 'typedi';
 import { Logger } from 'winston';
-import * as fs from 'fs';
 import config from '../config';
 import { getFileContentByName, readDirs, rmPath } from '../config/util';
-import { join } from 'path';
+import { join, resolve } from 'path';
 import { celebrate, Joi } from 'celebrate';
 const route = Router();
 const blacklist = ['.tmp'];
@@ -30,15 +29,19 @@ export default (app: Router) => {
     '/detail',
     async (req: Request, res: Response, next: NextFunction) => {
       try {
-        if (blacklist.includes(req.path)) {
+        const finalPath = resolve(
+          config.logPath,
+          (req.query.path as string) || '',
+          (req.query.file as string) || '',
+        );
+
+        if (
+          blacklist.includes(req.query.path as string) ||
+          !finalPath.startsWith(config.logPath)
+        ) {
           return res.send({ code: 403, message: '暂无权限' });
         }
-        const filePath = join(
-          config.logPath,
-          (req.query.path || '') as string,
-          req.query.file as string,
-        );
-        const content = await getFileContentByName(filePath);
+        const content = await getFileContentByName(finalPath);
         res.send({ code: 200, data: content });
       } catch (e) {
         return next(e);
@@ -50,15 +53,18 @@ export default (app: Router) => {
     '/:file',
     async (req: Request, res: Response, next: NextFunction) => {
       try {
-        if (blacklist.includes(req.path)) {
+        const finalPath = resolve(
+          config.logPath,
+          (req.query.path as string) || '',
+          (req.params.file as string) || '',
+        );
+        if (
+          blacklist.includes(req.path) ||
+          !finalPath.startsWith(config.logPath)
+        ) {
           return res.send({ code: 403, message: '暂无权限' });
         }
-        const filePath = join(
-          config.logPath,
-          (req.query.path || '') as string,
-          req.params.file,
-        );
-        const content = await getFileContentByName(filePath);
+        const content = await getFileContentByName(finalPath);
         res.send({ code: 200, data: content });
       } catch (e) {
         return next(e);

back/api/script.ts

@@ -1,11 +1,4 @@
-import {
-  fileExist,
-  getFileContentByName,
-  readDirs,
-  getLastModifyFilePath,
-  readDir,
-  rmPath,
-} from '../config/util';
+import { fileExist, readDirs, readDir, rmPath } from '../config/util';
 import { Router, Request, Response, NextFunction } from 'express';
 import { Container } from 'typedi';
 import { Logger } from 'winston';

back/config/serverEnv.ts

@@ -5,13 +5,13 @@ let pickedEnv: Record<string, string>;
 
 function getPickedEnv() {
   if (pickedEnv) return pickedEnv;
-  const picked = pick(process.env, ['QlBaseUrl', 'DeployEnv']);
+  const picked = pick(process.env, ['QlBaseUrl', 'DeployEnv', 'QL_DIR']);
   if (picked.QlBaseUrl) {
     if (!picked.QlBaseUrl.startsWith('/')) {
-      picked.QlBaseUrl = `/${picked.QlBaseUrl}`
+      picked.QlBaseUrl = `/${picked.QlBaseUrl}`;
     }
     if (!picked.QlBaseUrl.endsWith('/')) {
-      picked.QlBaseUrl = `${picked.QlBaseUrl}/`
+      picked.QlBaseUrl = `${picked.QlBaseUrl}/`;
     }
   }
   pickedEnv = picked as Record<string, string>;

back/services/config.ts

@@ -11,9 +11,21 @@ export default class ConfigService {
 
   public async getFile(filePath: string, res: Response) {
     let content = '';
-    if (config.blackFileList.includes(filePath) || !filePath) {
-      res.send({ code: 403, message: '文件无法访问' });
+    const avaliablePath = [config.rootPath, config.configPath].map((x) =>
+      path.resolve(x, filePath),
+    );
+
+    if (
+      config.blackFileList.includes(filePath) ||
+      avaliablePath.every(
+        (x) =>
+          !x.startsWith(config.scriptPath) && !x.startsWith(config.configPath),
+      ) ||
+      !filePath
+    ) {
+      return res.send({ code: 403, message: '文件无法访问' });
     }
+
     if (filePath.startsWith('sample/')) {
       const res = await got.get(
         `https://gitlab.com/whyour/qinglong/-/raw/master/${filePath}`,

back/services/script.ts

@@ -65,11 +65,13 @@ export default class ScriptService {
   }
 
   public async getFile(filePath: string, fileName: string) {
-    let _filePath = join(config.scriptPath, filePath, fileName);
-    if (filePath.startsWith(config.dataPath)) {
-      _filePath = join(filePath, fileName);
+    const finalPath = path.resolve(config.scriptPath, filePath, fileName);
+
+    if (!finalPath.startsWith(config.scriptPath)) {
+      return '';
     }
-    const content = await getFileContentByName(_filePath);
+
+    const content = await getFileContentByName(finalPath);
     return content;
   }
 }

src/utils/index.ts

@@ -313,8 +313,9 @@ export function getCommandScript(
     ['.js', '.ts', '.sh', '.py'].some((y) => x.endsWith(y)),
   );
   if (!scriptsPart) return;
-  if (scriptsPart.startsWith('/ql/data/scripts')) {
-    scriptsPart = scriptsPart.replace('/ql/data/scripts/', '');
+  const scriptDir = `${window.__ENV__QL_DIR}/data/scripts`;
+  if (scriptsPart.startsWith(scriptDir)) {
+    scriptsPart = scriptsPart.replace(scriptDir, '');
   }
 
   let p: string, s: string;

typings.d.ts

@@ -12,4 +12,5 @@ declare module '*.svg' {
 interface Window {
   __ENV__QlBaseUrl: string;
   __ENV__DeployEnv: string;
+  __ENV__QL_DIR: string;
 }