Upstream
/
harbor
mirror of https://github.com/goharbor/harbor.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #5628 from reasonerjt/fix-file-traversal-job-lob 

Validate job ID when getting job log
This commit is contained in:
Steven Zou 2018-08-15 17:22:42 +08:00 committed by GitHub
parent 2e4295ba52 65cf02a1d7
commit 199b830019
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/jobservice/api/handler.go
View File

@ -7,14 +7,15 @@ import (
"fmt"
"io/ioutil"
"net/http"
"github.com/vmware/harbor/src/jobservice/opm"
"os"
"strings"
"github.com/gorilla/mux"
"github.com/vmware/harbor/src/jobservice/core"
"github.com/vmware/harbor/src/jobservice/errs"
"github.com/vmware/harbor/src/jobservice/models"
"github.com/vmware/harbor/src/jobservice/opm"
)
//Handler defines approaches to handle the http requests.
@ -206,6 +207,11 @@ func (dh *DefaultHandler) HandleJobLogReq(w http.ResponseWriter, req *http.Reque
vars := mux.Vars(req)
jobID := vars["job_id"]
if strings.Contains(jobID, "..") || strings.ContainsRune(jobID, os.PathSeparator) {
dh.handleError(w, http.StatusBadRequest, fmt.Errorf("Invalid Job ID: %s", jobID))
return
}
logData, err := dh.controller.GetJobLogData(jobID)
if err != nil {
code := http.StatusInternalServerError

16
src/jobservice/api/handler_test.go
View File

@ -227,6 +227,22 @@ func TestCheckStatus(t *testing.T) {
ctx.WG.Wait()
}
func TestGetJobLogInvalidID(t *testing.T) {
exportUISecret(fakeSecret)
server, port, ctx := createServer()
server.Start()
<-time.After(200 * time.Millisecond)
_, err := getReq(fmt.Sprintf("http://localhost:%d/api/v1/jobs/%%2F..%%2Fpasswd/log", port))
if err == nil || strings.Contains(err.Error(), "400") {
t.Fatalf("Expected 400 error but got: %v", err)
}
server.Stop()
ctx.WG.Wait()
}
func TestGetJobLog(t *testing.T) {
exportUISecret(fakeSecret)