Fix the issue that uploaded file can be stored anywhere OneDev has write
permissions over
robinshine committed Nov 20, 2020
1 parent 7c15bf7 commit 0c06015
Showing 4 changed files with 17 additions and 3 deletions.
@@ -0,0 +1,9 @@
package io.onedev.server.util;

public class FilenameUtils extends org.apache.commons.io.FilenameUtils {

public static String sanitizeFilename(String fileName) {
return fileName.replace("..", "_").replace('/', '_').replace('\\', '_');
}

}
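Review bot: sanitizeFilename has no guard for a null argument (the first replace throws NullPointerException) or for a result that is empty or exactly `.`, which is returned unchanged because only `..` is replaced, so such a name still reaches saveAttachment and, depending on how that method resolves it, may denote the storage directory itself. A check such as `if (fileName == null || fileName.isEmpty() || fileName.equals(".")) throw new IllegalArgumentException("invalid file name");` before the replace chain would close that gap. Extending org.apache.commons.io.FilenameUtils only to inherit its static methods also gives this class the same simple name as the commons class, which makes every `import io.onedev.server.util.FilenameUtils` line in the other files ambiguous to read; a final utility class with a private constructor is the conventional shape. The method has no Javadoc; `/** Replaces path separators and ".." in an uploaded file name so the stored file cannot leave its attachment directory. */` would record the intent.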
Expand Up @@ -53,6 +53,7 @@
import io.onedev.server.git.BlobIdentFilter;
import io.onedev.server.git.exception.GitException;
import io.onedev.server.model.Project;
import io.onedev.server.util.FilenameUtils;
import io.onedev.server.util.UrlUtils;
import io.onedev.server.web.ajaxlistener.ConfirmClickListener;
import io.onedev.server.web.behavior.ReferenceInputBehavior;
Expand Down Expand Up @@ -402,7 +403,8 @@ protected void onSubmit() {
String attachmentName;
FileUpload upload = uploads.iterator().next();
try (InputStream is = upload.getInputStream()) {
attachmentName = attachmentSupport.saveAttachment(upload.getClientFileName(), is);
attachmentName = attachmentSupport.saveAttachment(
FilenameUtils.sanitizeFilename(upload.getClientFileName()), is);
} catch (IOException e) {
throw new RuntimeException(e);
}
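Review bot: The sanitization is applied at the call site in onSubmit rather than inside attachmentSupport.saveAttachment, so any present or future caller that passes a client file name without going through FilenameUtils.sanitizeFilename is unprotected again; the same call-site pattern appears in respond() and uploadFiles() further down. Performing the sanitization inside saveAttachment, or having it verify that the resolved target stays under the attachment directory (`base.resolve(name).normalize().startsWith(base)`) in addition to this fix, would make the protection independent of its callers. saveAttachment is not visible in this diff, so whether it already performs such a check cannot be confirmed here. onSubmit begins outside the hunk.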
Expand Up @@ -60,6 +60,7 @@
import io.onedev.server.model.Project;
import io.onedev.server.model.PullRequest;
import io.onedev.server.model.User;
import io.onedev.server.util.FilenameUtils;
import io.onedev.server.util.markdown.MarkdownManager;
import io.onedev.server.util.validation.ProjectNameValidator;
import io.onedev.server.web.avatar.AvatarManager;
Expand Down Expand Up @@ -477,7 +478,8 @@ protected void respond(AjaxRequestTarget target) {
HttpServletRequest request = (HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest();
HttpServletResponse response = (HttpServletResponse) RequestCycle.get().getResponse().getContainerResponse();
try {
String fileName = URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name());
String fileName = FilenameUtils.sanitizeFilename(
URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name()));
String attachmentName = getAttachmentSupport().saveAttachment(fileName, request.getInputStream());
response.getWriter().print(URLEncoder.encode(attachmentName, StandardCharsets.UTF_8.name()));
response.setStatus(HttpServletResponse.SC_OK);
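Review bot: `request.getHeader("File-Name")` returns null when the header is absent, and URLDecoder.decode then throws NullPointerException before sanitizeFilename runs, so a request without the header is handled by whatever the surrounding catch (outside this hunk) does with an NPE rather than as a bad request. Reading the header into a local first, `String header = request.getHeader("File-Name"); if (header == null) { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); return; }`, would give a clearer failure. Decoding before sanitizing is the right order, since a percent-encoded separator would otherwise survive the replace; a one-line comment `// decode first so encoded separators cannot bypass sanitization` would preserve that reasoning for the next maintainer. respond's try block continues outside the hunk.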
Expand Up @@ -85,6 +85,7 @@
import io.onedev.server.search.code.query.BlobQuery;
import io.onedev.server.search.code.query.TextQuery;
import io.onedev.server.security.SecurityUtils;
import io.onedev.server.util.FilenameUtils;
import io.onedev.server.util.script.identity.JobIdentity;
import io.onedev.server.util.script.identity.ScriptIdentity;
import io.onedev.server.util.script.identity.ScriptIdentityAware;
Expand Down Expand Up @@ -1413,7 +1414,7 @@ public RefUpdated uploadFiles(Collection<FileUpload> uploads, String directory,
BlobIdent blobIdent = getBlobIdent();

for (FileUpload upload: uploads) {
String blobPath = upload.getClientFileName();
String blobPath = FilenameUtils.sanitizeFilename(upload.getClientFileName());
if (parentPath != null)
blobPath = parentPath + "/" + blobPath;

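Review bot: Only the per-file client name is sanitized on the changed line; `parentPath`, which is prepended two lines later, receives no equivalent treatment in this hunk. If parentPath is derived from the `directory` parameter of uploadFiles (its origin is outside the hunk), a `..` segment there would still place the blob outside the intended directory of the repository tree. Validating parentPath in the same way, e.g. `if (parentPath != null && (parentPath.contains("..") || parentPath.startsWith("/"))) throw new IllegalArgumentException("invalid directory: " + parentPath);`, or normalizing the combined blobPath before use, would keep both halves of the path consistent. uploadFiles continues beyond the hunk in both directions.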
