From 4927cbea0021993e1d727f47906695304e6f85c0 Mon Sep 17 00:00:00 2001
From: zzjc1234 <2359047351@qq.com>
Date: Wed, 17 Jan 2024 14:28:42 +0800
Subject: [PATCH 1/5] fix: fail to upload figure
---
 canvas_app.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/canvas_app.py b/canvas_app.py
index 08efd22..dd41d9c 100755
--- a/canvas_app.py
+++ b/canvas_app.py
@@ -37,13 +37,14 @@
 # INFO: Safety check for file
 def check_file(filename):
     base_path = "/public/res/"
+    base_path_win = "\\public\\res\\"
     fullPath = path.normpath(path.join(base_path, filename))
     if (
         not "." in filename
         or not filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSION
     ):
         return "Illegal"
-    if not fullPath.startswith(base_path):
+    if not fullPath.startswith(base_path) and not fullPath.startswith(base_path_win):
         return "Illegal"
     else:
         return filename
From 46918414711d0bdc2e01436fb69191ec982d7d93 Mon Sep 17 00:00:00 2001
From: zzjc1234 <2359047351@qq.com>
Date: Thu, 18 Jan 2024 12:26:05 +0800
Subject: [PATCH 2/5] fix: enhance security check
---
 canvas_app.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/canvas_app.py b/canvas_app.py
index dd41d9c..f8d7152 100755
--- a/canvas_app.py
+++ b/canvas_app.py
@@ -36,6 +36,7 @@
 
 # INFO: Safety check for file
 def check_file(filename):
+    flag=True
     base_path = "/public/res/"
     base_path_win = "\\public\\res\\"
     fullPath = path.normpath(path.join(base_path, filename))
@@ -43,11 +44,13 @@ def check_file(filename):
         not "." in filename
         or not filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSION
     ):
-        return "Illegal"
+        flag=False
+        return (flag, filename)
     if not fullPath.startswith(base_path) and not fullPath.startswith(base_path_win):
-        return "Illegal"
+        flag=False
+        return (flag, filename)
     else:
-        return filename
+        return (flag, filename)
 """
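Review bot: The Windows fix in `check_file` hard-codes a second spelling of the same directory, so the prefix test now has to be kept in sync with two literals; normalising the base once with the same function the candidate goes through, `base = path.normpath(base_path) + path.sep` followed by `if not fullPath.startswith(base):`, covers both platforms without the duplicate and also rejects inputs that normalise to the base directory itself. `path.normpath` is purely lexical: a value such as `sub/../x.png` passes the prefix test, yet the function hands `filename` back unchanged, so the path the callers build from it still carries the `..` segment and the OS resolves it against whatever `sub` is at the time (a symlink there would redirect it). If only flat names are meant to be accepted, returning `path.basename(filename)` or rejecting any name that contains `/` or `path.sep` closes that gap; otherwise comparing `path.realpath` of both sides would make the check match what the filesystem does. The later patches in this series change the return shape but keep both of these behaviours.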
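Review bot: `flag=True` at the top of `check_file` is a status variable that, as far as the visible part of the next hunk shows, is only ever set to `False` immediately before a `return`, so it never carries state between statements; returning the literal per branch, `return False, filename` on the two rejection paths and `return True, filename` on success, removes the variable while keeping the `(ok, name)` contract the callers in this patch unpack. Patch 3 later only reformats these assignments. The remainder of `check_file` lies outside this hunk.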
@@ -437,8 +440,8 @@ async def update_position(position: Position):
 async def upload_file(file: UploadFile):
     if not path.exists("./public/res"):
         mkdir("./public/res")
-    tmp = check_file(file.filename)
-    if tmp == "Illegal":
+    flag, file.filename = check_file(file.filename)
+    if flag == False:
         return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     with open(f"./public/res/{file.filename}", "wb") as out_file:
         out_file.write(file.file.read())
@@ -452,8 +455,8 @@ async def upload_file(file: UploadFile):
     description="Delete file in public/res.",
 )
 async def delete_file(name: str):
-    tmp = check_file(name)
-    if tmp == "Illegal":
+    flag, name = check_file(name)
+    if flag == False:
         return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     if path.exists(f"./public/res/{name}"):
         remove(f"./public/res/{name}")
@@ -483,6 +486,9 @@ async def get_file_list():
     description="Get file in public/res.",
 )
 async def get_file(name: str):
+    flag, name = check_file(name)
+    if flag == False:
+        return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     if path.exists(f"./public/res/{name}"):
         return FileResponse(f"./public/res/{name}")
     else:
@@ -509,3 +515,4 @@ async def open_url(data: URL):
     except Exception as e:
         logging.warning(e)
         return JSONResponse(status_code=400, content={"message": "Failed to open"})
+
From df8f472d355242c87a8cbec1b3cb5704e708b31e Mon Sep 17 00:00:00 2001
From: zzjc1234 <2359047351@qq.com>
Date: Thu, 18 Jan 2024 12:54:58 +0800
Subject: [PATCH 3/5] fix: enhance security check
---
 canvas_app.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/canvas_app.py b/canvas_app.py
index f8d7152..0d564ee 100755
--- a/canvas_app.py
+++ b/canvas_app.py
@@ -36,7 +36,7 @@
 
 # INFO: Safety check for file
 def check_file(filename):
-    flag=True
+    flag = True
     base_path = "/public/res/"
     base_path_win = "\\public\\res\\"
     fullPath = path.normpath(path.join(base_path, filename))
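Review bot: `if flag == False:` in `upload_file` compares a boolean with `==`; the idiomatic and equally strict form is `if not flag:`, and the same line appears in the `delete_file` and `get_file` hunks below this one. The rejection is reported as 404, which tells the client the resource does not exist rather than that the name was refused; a failed validation is conventionally a 400 (the status `open_url` already uses for its failure path), and keeping 404 for the genuine not-found branch in `get_file` would let callers tell the two apart. If `file.filename` can be `None` (Starlette's `UploadFile` declares it optional, if I remember its signature correctly), `check_file`'s `"." in filename` raises a `TypeError` and the request ends in an unhandled error instead of a rejection, so a `None` guard before the call is worth adding. The decorator of `upload_file` and the rest of the handler lie outside this hunk.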
@@ -44,10 +44,10 @@ def check_file(filename):
         not "." in filename
         or not filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSION
     ):
-        flag=False
+        flag = False
         return (flag, filename)
     if not fullPath.startswith(base_path) and not fullPath.startswith(base_path_win):
-        flag=False
+        flag = False
         return (flag, filename)
     else:
         return (flag, filename)
@@ -515,4 +515,3 @@ async def open_url(data: URL):
     except Exception as e:
         logging.warning(e)
         return JSONResponse(status_code=400, content={"message": "Failed to open"})
-
From 99e9c5920f008bc1c6a6431bdc61d5df9969592b Mon Sep 17 00:00:00 2001
From: linsyking
Date: Sun, 4 Feb 2024 10:45:49 -0500
Subject: [PATCH 4/5] chore: disable codeql security check
From 2d7240f7ade565dd4a66dd415b9a4ed0adbbcfad Mon Sep 17 00:00:00 2001
From: linsyking
Date: Sun, 4 Feb 2024 10:50:04 -0500
Subject: [PATCH 5/5] chore: update codeql version
---
 .github/workflows/codeql.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7fa10d9..7426e15 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -44,11 +44,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +61,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹī¸ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -74,6 +74,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: '/language:${{matrix.language}}'