add validation to files uploading to avoid client side pushing arbitrary data (#1057)

This commit is contained in:
Markos Gogoulos 2024-09-20 13:01:33 +03:00 committed by GitHub
parent 1adee8c156
commit 986c7d1074
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -1,4 +1,7 @@
import re
import shutil import shutil
import os
import uuid
from io import StringIO from io import StringIO
from os.path import join from os.path import join
@ -7,16 +10,31 @@ from django.conf import settings
from . import utils from . import utils
def is_valid_uuid_format(uuid_string):
pattern = re.compile(r'^[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}$', re.IGNORECASE)
return bool(pattern.match(uuid_string))
class BaseFineUploader(object): class BaseFineUploader(object):
def __init__(self, data, *args, **kwargs): def __init__(self, data, *args, **kwargs):
self.data = data self.data = data
self.total_filesize = data.get("qqtotalfilesize")
self.filename = data.get("qqfilename") self.filename = data.get("qqfilename")
self.uuid = data.get("qquuid") self.uuid = data.get("qquuid")
if not is_valid_uuid_format(self.uuid):
# something nasty client side could be happening here
# generate new uuid to ensure this is uuid
# not sure if this will work with the chunked uploads though
self.uuid = uuid.uuid4()
self.filename = os.path.basename(self.filename)
# avoid possibility of passing a fake path here
self.file = data.get("qqfile") self.file = data.get("qqfile")
self.storage_class = settings.FILE_STORAGE self.storage_class = settings.FILE_STORAGE
self.real_path = None self.real_path = None
@property @property
def finished(self): def finished(self):
return self.real_path is not None return self.real_path is not None
@ -50,7 +68,11 @@ class ChunkedFineUploader(BaseFineUploader):
self.total_parts = data.get("qqtotalparts") self.total_parts = data.get("qqtotalparts")
if not isinstance(self.total_parts, int): if not isinstance(self.total_parts, int):
self.total_parts = 1 self.total_parts = 1
self.part_index = data.get("qqpartindex") qqpartindex = data.get("qqpartindex")
if not isinstance(qqpartindex, int):
# something nasty client side could be happening here
qqpartindex = 0
self.part_index = qqpartindex
@property @property
def chunks_path(self): def chunks_path(self):
@ -75,6 +97,7 @@ class ChunkedFineUploader(BaseFineUploader):
def combine_chunks(self): def combine_chunks(self):
# implement the same behaviour. # implement the same behaviour.
self.real_path = self.storage.save(self._full_file_path, StringIO()) self.real_path = self.storage.save(self._full_file_path, StringIO())
with self.storage.open(self.real_path, "wb") as final_file: with self.storage.open(self.real_path, "wb") as final_file:
for i in range(self.total_parts): for i in range(self.total_parts):
part = join(self.chunks_path, str(i)) part = join(self.chunks_path, str(i))