jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

guard against two level subdir moves

Browse Source 
this has never worked since the -wholename check only works for
one level deep
This commit is contained in:
Girish Ramakrishnan
2022-06-08 12:24:11 -07:00
parent 8cf0922401
commit 037f4195da
2 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/apps.js
View File

@@ -481,7 +481,8 @@ function validateEnv(env) {
return null;
}
async function checkStorage(volumeId, prefix) {
async function checkStorage(app, volumeId, prefix) {
assert.strictEqual(typeof app, 'object');
assert.strictEqual(typeof volumeId, 'string');
assert.strictEqual(typeof prefix, 'string');
@@ -495,10 +496,14 @@ async function checkStorage(volumeId, prefix) {
if (prefix.endsWith('/')) throw new BoxError(BoxError.BAD_FIELD, `prefix "${prefix}" contains trailing slash`);
if (prefix !== '' && path.normalize(prefix) !== prefix) throw new BoxError(BoxError.BAD_FIELD, `prefix "${prefix}" is not a normalized path`);
const storageDir = path.join(volume.hostPath, prefix);
const [error] = await safe(shell.promises.sudo('checkStorage', [ CHECKVOLUME_CMD, storageDir ], {}));
if (error && error.code === 2) throw new BoxError(BoxError.BAD_FIELD, `Target directory ${storageDir} is not empty`);
if (error && error.code === 3) throw new BoxError(BoxError.BAD_FIELD, `Target directory ${storageDir} does not support chown`);
const sourceDir = await getStorageDir(app);
const targetDir = path.join(volume.hostPath, prefix);
const rel = path.relative(sourceDir, targetDir);
if (!rel.startsWith('../') && rel.split('/').length > 1) throw new BoxError(BoxError.BAD_FIELD, 'Only one level subdirectory moves are supported');
const [error] = await safe(shell.promises.sudo('checkStorage', [ CHECKVOLUME_CMD, targetDir ], {}));
if (error && error.code === 2) throw new BoxError(BoxError.BAD_FIELD, `Target directory ${targetDir} is not empty`);
if (error && error.code === 3) throw new BoxError(BoxError.BAD_FIELD, `Target directory ${targetDir} does not support chown`);
return null;
}
@@ -1808,7 +1813,7 @@ async function setStorage(app, volumeId, volumePrefix, auditSource) {
if (error) throw error;
if (volumeId) {
await checkStorage(volumeId, volumePrefix);
await checkStorage(app, volumeId, volumePrefix);
} else {
volumeId = volumePrefix = null;
}