fix(security): verify dest_node uid matches signature

KernelDeimos 2024-12-13 15:53:12 -05:00
parent e840544ee0
commit e208b99d21
2 changed files with 10 additions and 2 deletions


@ -1511,7 +1511,7 @@ async function get_taskbar_items(user) {
return taskbar_items;
}
function validate_signature_auth(url, action) {
function validate_signature_auth(url, action, options = {}) {
const query = new URL(url).searchParams;
if(!query.get('uid'))
@ -1522,6 +1522,12 @@ function validate_signature_auth(url, action) {
throw {message: '`expires` is required for signature-based authentication.'}
else if(!query.get('signature'))
throw {message: '`signature` is required for signature-based authentication.'}
if ( options.uid ) {
if ( query.get('uid') !== options.uid ) {
throw {message: 'Authentication failed. `uid` does not match.'}
}
}
const expired = query.get('expires') && (query.get('expires') < Date.now() / 1000);
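Review bot: The new uid check in validate_signature_auth fails open, because `if ( options.uid )` skips it whenever the caller's value is undefined, null or an empty string. The only caller changed in this commit, the /writeFile handler, passes `req.body.destination_uid` straight from the request body, so a request that omits the field would get the pre-fix behaviour unless the handler rejects a missing destination_uid in code outside these hunks. Consider making the check fail closed once a caller opts in, e.g. `if ( 'uid' in options ) {` around the existing `query.get('uid') !== options.uid` comparison, since an undefined value can never equal the string the earlier `uid` check requires. A short doc comment on the new `options` parameter, saying that `uid` is the node uid the signed URL is expected to carry, would also help; the function body continues past the hunk.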


@ -96,7 +96,9 @@ module.exports = eggspress('/writeFile', {
return;
}
try{
validate_signature_auth(req.body.destination_write_url, 'write');
validate_signature_auth(req.body.destination_write_url, 'write', {
uid: req.body.destination_uid,
});
}catch(e){
res.status(403).send(e);
return;
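Review bot: The new `uid` argument on this call has no comment explaining why it is passed, and one line above the call would make the intent clear, for example `// destination_uid must equal the uid in the signed write URL, so a signature issued for one node cannot be used with another`. That reading is inferred from the commit title and from the check added in validate_signature_auth. How destination_uid is used later in the handler is not visible, as the handler starts and ends outside the hunk.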