Union/ProjectLighthouse
1
0
Fork 0
mirror of https://github.com/LBPUnion/ProjectLighthouse.git synced 2025-05-16 06:32:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Prevent directory traversal attacks

Browse source
This commit is contained in:
Slendy 2022-09-22 17:11:17 -05:00
parent b26d96bacd
commit 2cf2e6622a
No known key found for this signature in database
GPG key ID: 7288D68361B91428
3 changed files with 20 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
View file

@ -56,6 +56,12 @@ public class ResourcesController : ControllerBase
string path = FileHelper.GetResourcePath(hash); string path = FileHelper.GetResourcePath(hash);
string fullPath = Path.GetFullPath(path);
string basePath = Path.GetFullPath(FileHelper.ResourcePath);
// Prevent directory traversal attacks
if (!fullPath.StartsWith(basePath)) return this.BadRequest();
if (FileHelper.ResourceExists(hash)) return this.File(IOFile.OpenRead(path), "application/octet-stream"); if (FileHelper.ResourceExists(hash)) return this.File(IOFile.OpenRead(path), "application/octet-stream");
return this.NotFound(); return this.NotFound();

19
ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
View file

@ -11,18 +11,19 @@ public class ResourcesController : ControllerBase
[HttpGet("/gameAssets/{hash}")] [HttpGet("/gameAssets/{hash}")]
public IActionResult GetGameImage(string hash) public IActionResult GetGameImage(string hash)
{ {
string path = Path.Combine("png", $"{hash}.png"); string path = FileHelper.GetImagePath($"{hash}.png");
if (IOFile.Exists(path)) string fullPath = Path.GetFullPath(path);
{ string basePath = Path.GetFullPath(FileHelper.ImagePath);
return this.File(IOFile.OpenRead(path), "image/png");
} // Prevent directory traversal attacks
if (!fullPath.StartsWith(basePath)) return this.BadRequest();
if (IOFile.Exists(path)) return this.File(IOFile.OpenRead(path), "image/png");
LbpFile? file = LbpFile.FromHash(hash); LbpFile? file = LbpFile.FromHash(hash);
if (file != null && FileHelper.LbpFileToPNG(file)) if (file != null && FileHelper.LbpFileToPNG(file)) return this.File(IOFile.OpenRead(path), "image/png");
{
return this.File(IOFile.OpenRead(path), "image/png");
}
return this.NotFound(); return this.NotFound();
} }
} }

4
ProjectLighthouse/Files/FileHelper.cs
View file

@ -24,8 +24,12 @@ public static class FileHelper
{ {
public static readonly string ResourcePath = Path.Combine(Environment.CurrentDirectory, "r"); public static readonly string ResourcePath = Path.Combine(Environment.CurrentDirectory, "r");
public static readonly string ImagePath = Path.Combine(Environment.CurrentDirectory, "png");
public static string GetResourcePath(string hash) => Path.Combine(ResourcePath, hash); public static string GetResourcePath(string hash) => Path.Combine(ResourcePath, hash);
public static string GetImagePath(string hash) => Path.Combine(ImagePath, hash);
public static bool AreDependenciesSafe(LbpFile file) public static bool AreDependenciesSafe(LbpFile file)
{ {
// recursively check if dependencies are safe // recursively check if dependencies are safe