fix: block arbitrary file index #2497
Merged
bzp2010 requested review from juzhiyuan, nic-6443, starsz, Baoyuantop, LiteSun, nic-chen and guoqqqi on July 6, 2022 07:16
Codecov Report

@@            Coverage Diff             @@
##           master    #2497      +/-   ##
==========================================
+ Coverage   68.52%   72.00%   +3.47%
==========================================
  Files         133       61      -72
  Lines        3498     3975     +477
  Branches      860        0     -860
==========================================
+ Hits         2397     2862     +465
+ Misses       1101      819     -282
- Partials        0      294     +294
nic-chen approved these changes on Jul 6, 2022
Baoyuantop approved these changes on Jul 6, 2022
SkyeYoung approved these changes on Jul 6, 2022
guoqqqi approved these changes on Jul 6, 2022
bzp2010 added a commit to bzp2010/apisix-dashboard that referenced this pull request on Jul 13, 2022
(cherry picked from commit bfc9c31)
hongbinhsu pushed a commit to fitphp/apix-dashboard that referenced this pull request on Sep 10, 2022

* upstream/master: (23 commits)
  feat: Add config struct of OpenID-Connect Login (apache#2597)
  feat: set serverUrlMap with env, update cypress, update stylelint (apache#2583)
  chore: fix function name typo (apache#2599)
  fix: page refresh causes deletion exception (apache#2593)
  feat: support show all enable plugin list tab (apache#2585)
  fix: drawer components delete plugin not working (apache#2573)
  feat: add batch delete function for route (apache#2502)
  test: reduce fe ci time (apache#2557)
  doc(csp): add correct csp rule (apache#2548)
  doc: add a notice about the compatibility of Ingress and Dashboard (apache#2552)
  fix: add judgement for last_report_time (apache#2551)
  fix: cli test invalid etcd (apache#2544)
  feat: fix actions version to root version (apache#2521)
  fix: duplicate ID (apache#2501)
  fix: block arbitrary file index (apache#2497)
  docs: update deploy-with-docker.md (apache#2472)
  feat: translating Turkish for new features (apache#2487)
  docs: add new import and export docs to sidebar (apache#2485)
  docs: add data loader and new OpenAPI 3 loader (apache#2484)
  feat: support data loader in frontend (apache#2480)
  ...

# Conflicts:
#	api/internal/route.go
#	web/config/defaultSettings.ts
#	web/yarn.lock
bzp2010 added a commit to bzp2010/apisix-dashboard that referenced this pull request on Oct 31, 2022
(cherry picked from commit bfc9c31)
Why submit this pull request?
What changes will this PR take into?
The current middleware configuration may allow a caller to check whether a file exists on the server by constructing a special URL, so new middleware is added to block requests with unusual characters in the URL.
Please note that this is not a serious problem: the current code prevents arbitrary file reading, and no one can get access to the files on your server or write to any files.
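The description above says the fix is a middleware that rejects requests whose URL contains unusual characters before they can reach the static file handler, so that an attacker cannot use "exists / does not exist" responses to enumerate files. The block below is an added example of that idea, written by the editor for this page; it is not the PR's own middleware and does not use the project's router. It assumes a plain `net/http` handler chain, and the names `suspiciousPath`, `allowedPathRune` and `blockSuspiciousPaths` are hypothetical. The check runs on the still-encoded path (`EscapedPath`), so an encoded `%2e%2e` is rejected as an unusual character rather than being decoded to `..` first.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// allowedPathRune is a strict allowlist for characters in a request path:
// RFC 3986 unreserved characters plus "/". The percent sign is deliberately
// excluded so that percent-encoded sequences never reach any file lookup.
// (Hypothetical helper written for this example.)
func allowedPathRune(c rune) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	case c == '/', c == '-', c == '_', c == '.', c == '~':
		return true
	}
	return false
}

// suspiciousPath reports whether a raw (still percent-encoded) request path
// should be refused before routing. It rejects any character outside the
// allowlist and any "." or ".." path segment, which covers both literal and
// encoded traversal attempts such as "/static/../conf" and "/static/%2e%2e/conf".
func suspiciousPath(rawPath string) bool {
	if rawPath == "" || rawPath[0] != '/' {
		return true
	}
	for _, c := range rawPath {
		if !allowedPathRune(c) {
			return true
		}
	}
	for _, seg := range strings.Split(rawPath, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// blockSuspiciousPaths wraps a handler and answers 400 for suspicious paths.
// It inspects r.URL.EscapedPath() rather than r.URL.Path so that an encoded
// "%2e%2e" is seen as-is instead of the already-decoded "..".
func blockSuspiciousPaths(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if suspiciousPath(r.URL.EscapedPath()) {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths; a probe for a file outside the static root
	// is refused before any filesystem access could reveal whether it exists.
	for _, p := range []string{
		"/api/routes",
		"/assets/app.1a2b.js",
		"/static/../conf/conf.yaml",
		"/static/%2e%2e/conf/conf.yaml",
		"/a\\b",
	} {
		fmt.Printf("%-32q suspicious=%v\n", p, suspiciousPath(p))
	}
}
```

The allowlist is intentionally narrow: a static asset whose name needs an encoded space or a non-ASCII character would be refused too, so widen `allowedPathRune` to match the files you actually serve. As the PR author notes, this is defence in depth against file-existence probing, not the control that prevents reading the files; that still has to come from the file handler itself.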