Fix security vulnerability regarding site/* access
robinshine committed May 30, 2022
1 parent f1e9768 commit 8aa94e0
Showing 43 changed files with 78 additions and 44 deletions.
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -9,7 +9,7 @@
<version>1.0.5</version>
</parent>
<artifactId>server</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
<packaging>pom</packaging>
<build>
<finalName>${project.groupId}.${project.artifactId}-${project.version}</finalName>
Expand Down
2 changes: 1 addition & 1 deletion server-core/pom.xml
Expand Up @@ -7,7 +7,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<build>
<plugins>
Expand Down
Expand Up @@ -487,17 +487,48 @@ protected void updateProgramFiles(File upgradeDir) {
FileUtils.deleteFile(new File(upgradeDir, "boot/system.classpath"));

cleanAndCopy(Bootstrap.getLibDir(), new File(upgradeDir, "lib"));

for (File file: new File(Bootstrap.getSiteDir(), "avatars").listFiles()) {

FileUtils.createDir(new File(upgradeDir, "site/assets"));
if (new File(upgradeDir, "site/robots.txt").exists()) {
try {
FileUtils.copyFile(
new File(upgradeDir, "site/robots.txt"),
new File(upgradeDir, "site/assets/robots.txt"));
FileUtils.deleteFile(new File(upgradeDir, "site/robots.txt"));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
if (new File(upgradeDir, "site/logo.png").exists()) {
try {
FileUtils.copyFile(
new File(upgradeDir, "site/logo.png"),
new File(upgradeDir, "site/assets/logo.png"));
FileUtils.deleteFile(new File(upgradeDir, "site/logo.png"));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
if (new File(upgradeDir, "site/avatars").exists()) {
try {
FileUtils.copyDirectory(
new File(upgradeDir, "site/avatars"),
new File(upgradeDir, "site/assets/avatars"));
FileUtils.deleteDir(new File(upgradeDir, "site/avatars"));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
for (File file: new File(Bootstrap.getSiteDir(), "assets/avatars").listFiles()) {
if (file.isFile()) {
try {
FileUtils.copyFileToDirectory(file, new File(upgradeDir, "site/avatars"));
FileUtils.copyFileToDirectory(file, new File(upgradeDir, "site/assets/avatars"));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
}
File uploadedDir = new File(upgradeDir, "site/avatars/uploaded");
File uploadedDir = new File(upgradeDir, "site/assets/avatars/uploaded");
File userUploadsDir = new File(uploadedDir, "users");
if (uploadedDir.exists() && !userUploadsDir.exists()) {
FileUtils.createDir(userUploadsDir);
Expand Down
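Review bot: `new File(Bootstrap.getSiteDir(), "assets/avatars").listFiles()` in the relocated loop is dereferenced without a null check, so an upgrade run in which the bundled `assets/avatars` directory is absent or unreadable aborts with a NullPointerException rather than a clear error; split it as `File[] bundled = new File(Bootstrap.getSiteDir(), "assets/avatars").listFiles();` followed by `if (bundled != null) for (File file: bundled) { ... }`. The form being replaced had the same gap, but the path rename is the moment to close it. Note also that the migration block relocates only `robots.txt`, `logo.png` and `avatars/`; the change that restricts web serving to `site/assets` is not on this page, so whether other administrator-placed files left directly under `site/` remain reachable should be confirmed against that change rather than assumed. `updateProgramFiles` begins before and continues past this hunk.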
Expand Up @@ -93,7 +93,7 @@ private String generateAvatar(String primaryName, String secondaryName) {
if (StringUtils.isBlank(secondaryName))
secondaryName = primaryName;

File avatarFile = new File(Bootstrap.getSiteDir(), "avatars/generated/" + encoded + ".png");
File avatarFile = new File(Bootstrap.getSiteDir(), "assets/avatars/generated/" + encoded + ".png");
if (!avatarFile.exists()) {
Lock avatarLock = LockUtils.getLock("generated-avatar:" + encoded);
avatarLock.lock();
Expand Down Expand Up @@ -129,7 +129,7 @@ private String getLetter(String name) {

@Override
public File getUploaded(User user) {
return new File(Bootstrap.getSiteDir(), "avatars/uploaded/users/" + user.getId() + ".jpg");
return new File(Bootstrap.getSiteDir(), "assets/avatars/uploaded/users/" + user.getId() + ".jpg");
}

@Sessional
Expand Down Expand Up @@ -170,7 +170,7 @@ public void useAvatar(Project project, String avatarData) {

@Override
public File getUploaded(Long projectId) {
return new File(Bootstrap.getSiteDir(), "avatars/uploaded/projects/" + projectId + ".jpg");
return new File(Bootstrap.getSiteDir(), "assets/avatars/uploaded/projects/" + projectId + ".jpg");
}

@Override
Expand Down
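Review bot: The `assets/avatars/...` prefix is now spelled out in three separate string literals in this class, and again in the upgrade code earlier on this page, so any future relocation has to keep every copy in step; a single `private static final String AVATARS_DIR = "assets/avatars";` joined with the per-method subpath would make the served-directory contract explicit in one place. `generateAvatar` also builds the on-disk file name from `encoded`, which is computed outside the hunk; a comment such as `// encoded must be filesystem-safe (no path separators): it names a file under the web-served assets dir` would record that assumption, and it is worth confirming where `encoded` is derived. The user and project variants use numeric ids, so they need no such check. `generateAvatar` starts before its hunk.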
Expand Up @@ -18,7 +18,7 @@ public BrandLogoPanel(String id) {
}

private File getCustomLogoFile() {
return new File(Bootstrap.getSiteDir(), "logo.png");
return new File(Bootstrap.getSiteDir(), "assets/logo.png");
}

@Override
Expand Down
Expand Up @@ -33,7 +33,7 @@ public BrandingSettingPage(PageParameters params) {
}

private File getLogoFile() {
return new File(Bootstrap.getSiteDir(), "logo.png");
return new File(Bootstrap.getSiteDir(), "assets/logo.png");
}

@Override
Expand Down
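Review bot: `getLogoFile` here and `getCustomLogoFile` in `BrandLogoPanel` (previous section) each hard-code `"assets/logo.png"` independently; if one is later moved and the other is not, the branding page would write the logo to a path the panel never reads, or the panel would keep serving the old location, so a shared constant — e.g. `public static final String LOGO_PATH = "assets/logo.png";` on `BrandingSettingPage`, referenced by both — keeps the written and served paths equal by construction. The site-relative path is a fixed literal, so no traversal concern arises in this method itself. The surrounding class continues outside the hunk.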
2 changes: 1 addition & 1 deletion server-plugin/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-archetype/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<build>
<resources>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-authenticator-ldap/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.authenticator.ldap.LdapModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-gradle/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.gradle.GradleModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-maven/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.maven.MavenModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-buildspec-node/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.buildspec.node.NodePluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-kubernetes/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.executor.kubernetes.KubernetesModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-remotedocker/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-remoteshell/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-serverdocker/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.executor.serverdocker.ServerDockerModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-executor-servershell/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.executor.servershell.ServerShellModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-bitbucketcloud/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.bitbucketcloud.BitbucketPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-gitea/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.gitea.GiteaPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-github/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.github.GitHubPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-gitlab/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.gitlab.GitLabPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-jiracloud/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.jiracloud.JiraPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-import-youtrack/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.imports.youtrack.YouTrackPluginModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-checkstyle/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-clover/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-coverage/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.coverage.CoverageReportModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-cpd/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-jacoco/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-jest/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-junit/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-markdown/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.markdown.MarkdownReportModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-pmd/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-problem/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.problem.ProblemReportModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-spotbugs/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-report-unittest/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.report.unittest.UnitTestReportModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-sso-discord/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<properties>
<moduleClass>io.onedev.server.plugin.sso.discord.DiscordModule</moduleClass>
Expand Down
2 changes: 1 addition & 1 deletion server-plugin/server-plugin-sso-openid/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>io.onedev</groupId>
<artifactId>server-plugin</artifactId>
<version>7.2.9</version>
<version>7.3.0</version>
</parent>
<dependencies>
<dependency>
Expand Down