Verifies if files and folders paths are inside of dev-app repository

With this patch, it start guaranteeing that the functions of the server will not run outside of the soletta-dev-app/repos folder. Signed-off-by: Bruno Bottazzini <bruno.bottazzini@intel.com>
solettaproject · Apr 19, 2016 · acb2879 · acb2879
1 parent 861c3b5
commit acb2879
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 39 deletions.
diff --git a/server/routes.js b/server/routes.js
@@ -176,7 +176,7 @@
     router.get('/api/file/write', function(req, res) {
         var file_path = req.query.file_path;
         var file_body = req.query.file_body;
-        if (!file_path || !file_body) {
+        if (!isInsideRepo(file_path) || !file_body) {
             res.status(400).send("Failed to get file path or its body");
         } else {
             var hidden_fbp = generateHiddenPath(file_path);
@@ -201,7 +201,7 @@
             var path = req.body.params.fbp_path;
             var code = req.body.params.code;
             var conf = req.body.params.conf;
-            if (!path || !code) {
+            if (!isInsideRepo(path) || !code) {
                 res.sendStatus(1);
             } else {
                 var child;
@@ -256,8 +256,8 @@
         var path = req.query.fbp_path;
         var code = req.query.code;
         var conf = req.query.conf;
-        if (!path || !code) {
-            res.send("Error: Empty should not being checked!");
+        if (!isInsideRepo(path) || !code) {
+            res.send("Error: FBP path or code is not valid");
         } else {
             var child;
             var error;
@@ -343,20 +343,6 @@
         }
     });
 
-    router.post('/api/git/repo/remove', function (req, res) {
-        var repository_path = req.body.params.repo_path;
-        if (!repository_path) {
-            res.status(400).send("Failed to get repository name or its path.");
-        }
-        execOnServer('rm -rf ' + repository_path, function(returns) {
-            if (returns.error === true) {
-                res.status(400).send("Failed to run command on server");
-            } else {
-                res.send(returns.message);
-            }
-        });
-    });
-
     router.post('/api/git/repo/commit', function (req, res) {
         var commit_message = req.body.params.commit_message;
         var branch = req.body.params.branch;
@@ -425,41 +411,53 @@
         if (!folder_path) {
             res.status(400).send("Failed to get folder path and its name");
         }
-        execOnServer('mkdir ' + folder_path, function(returns) {
-            if (returns.error === true) {
-                res.status(400).send("Failed to run command on server");
-            } else {
-                res.send(returns.message);
-            }
-        });
+        if (isInsideRepo(folder_path)) {
+            execOnServer('mkdir ' + folder_path, function(returns) {
+                if (returns.error === true) {
+                    res.status(400).send("Failed to run command on server");
+                } else {
+                    res.send(returns.message);
+                }
+            });
+        } else {
+            res.status(400).send("Error: folder path is not valid.");
+        }
     });
 
     router.post('/api/git/repo/create/file', function (req, res) {
         var file_path = req.body.params.file_path;
         if (!file_path) {
             res.status(400).send("Failed to get file path and its name");
         }
-        execOnServer('touch ' + file_path, function(returns) {
-            if (returns.error === true) {
-                res.status(400).send("Failed to run command on server");
-            } else {
-                res.send(returns.message);
-            }
-        });
+        if (isInsideRepo(file_path)) {
+            execOnServer('touch ' + file_path, function(returns) {
+                if (returns.error === true) {
+                    res.status(400).send("Failed to run command on server");
+                } else {
+                    res.send(returns.message);
+                }
+            });
+        } else {
+            res.status(400).send("Error: file path is not valid.");
+        }
     });
 
     router.post('/api/git/repo/delete/file', function (req, res) {
         var file_path = req.body.params.file_path;
         if (!file_path) {
             res.status(400).send("Failed to get file path and its name");
         } else {
-            execOnServer('rm -rf ' + file_path, function(returns) {
-                if (returns.error === true) {
-                    res.status(400).send("Failed to run command on server");
-                } else {
-                    res.send(returns.message);
-                }
-            });
+            if (isInsideRepo(file_path)) {
+                execOnServer('rm -rf ' + file_path, function(returns) {
+                    if (returns.error === true) {
+                        res.status(400).send("Failed to run command on server");
+                    } else {
+                        res.send(returns.message);
+                    }
+                });
+            } else {
+                res.status(400).send("Failed to run command on server");
+            }
         }
     });
 

diff --git a/server/tools.js b/server/tools.js
@@ -234,6 +234,19 @@ module.exports = function () {
         );
     };
 
+    this.isInsideRepo = function(repo_url) {
+        if (!repo_url) {
+            return false;
+        } else {
+            if ((repo_url.indexOf("soletta-dev-app") > -1) &&
+                 (repo_url.indexOf("repos") > -1)) {
+                return true;
+            } else {
+                return false;
+            }
+        }
+    }
+
     this.getServerName = function(repo_url) {
         var url_array = repo_url.split("/");
         var name = url_array.pop();