beenull/raspap-webgui-mirror
1
0
Fork 0
mirror of https://github.com/RaspAP/raspap-webgui.git synced 2024-11-22 07:30:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

Sanitize path to prevent directory traversal

Browse source
This commit is contained in:
billz 2024-03-08 11:15:31 +01:00
parent ef7b67a445
commit 2cdf6ef53e
2 changed files with 10 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -5,4 +5,3 @@ yarn-error.log
includes/config.php includes/config.php
rootCA.pem rootCA.pem
vendor vendor
.env

12
api/modules/wireguard.py
View file

@ -1,5 +1,6 @@
import subprocess import subprocess
import re import re
import os
def configs(): def configs():
#ignore symlinks, because wg0.conf is in production the main config, but in insiders it is a symlink #ignore symlinks, because wg0.conf is in production the main config, but in insiders it is a symlink
@ -24,13 +25,16 @@ def client_config_list(client_config):
if not re.match(pattern, client_config): if not re.match(pattern, client_config):
raise ValueError("Invalid client_config") raise ValueError("Invalid client_config")
config_path = f"/etc/wireguard/{client_config}" # sanitize path to prevent directory traversal
try: client_config = os.path.basename(client_config)
config_path = os.path.join("/etc/wireguard/", client_config)
if not os.path.exists(config_path):
raise FileNotFoundError("Client configuration file not found")
with open(config_path, 'r') as f: with open(config_path, 'r') as f:
output = f.read().strip() output = f.read().strip()
return output.split('\n') return output.split('\n')
except FileNotFoundError:
raise FileNotFoundError("Client configuration file not found")
#TODO: where is the logfile?? #TODO: where is the logfile??
#TODO: is service connected? #TODO: is service connected?