sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-16 07:16:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

[misc] add path traversal and file size protections (#5755)

Browse Source
This commit is contained in:
Pascal Fischer
2026-04-01 14:23:24 +02:00
committed by GitHub
parent f5c41e3018
commit cd8c686339
2 changed files with 127 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
upload-server/server/local_test.go
View File

@@ -63,3 +63,90 @@ func Test_LocalHandlePutRequest(t *testing.T) {
require.NoError(t, err)
require.Equal(t, fileContent, createdFileContent)
}
func Test_LocalHandlePutRequest_PathTraversal(t *testing.T) {
mockDir := t.TempDir()
mockURL := "http://localhost:8080"
t.Setenv("SERVER_URL", mockURL)
t.Setenv("STORE_DIR", mockDir)
mux := http.NewServeMux()
err := configureLocalHandlers(mux)
require.NoError(t, err)
fileContent := []byte("malicious content")
req := httptest.NewRequest(http.MethodPut, putURLPath+"/uploads/%2e%2e%2f%2e%2e%2fetc%2fpasswd", bytes.NewReader(fileContent))
rec := httptest.NewRecorder()
mux.ServeHTTP(rec, req)
require.Equal(t, http.StatusBadRequest, rec.Code)
_, err = os.Stat(filepath.Join(mockDir, "..", "..", "etc", "passwd"))
require.True(t, os.IsNotExist(err), "traversal file should not exist")
}
func Test_LocalHandlePutRequest_DirTraversal(t *testing.T) {
mockDir := t.TempDir()
t.Setenv("SERVER_URL", "http://localhost:8080")
t.Setenv("STORE_DIR", mockDir)
l := &local{url: "http://localhost:8080", dir: mockDir}
body := bytes.NewReader([]byte("bad"))
req := httptest.NewRequest(http.MethodPut, putURLPath+"/x/evil.txt", body)
req.SetPathValue("dir", "../../../tmp")
req.SetPathValue("file", "evil.txt")
rec := httptest.NewRecorder()
l.handlePutRequest(rec, req)
require.Equal(t, http.StatusBadRequest, rec.Code)
_, err := os.Stat(filepath.Join("/tmp", "evil.txt"))
require.True(t, os.IsNotExist(err), "traversal file should not exist outside store dir")
}
func Test_LocalHandlePutRequest_DuplicateFile(t *testing.T) {
mockDir := t.TempDir()
t.Setenv("SERVER_URL", "http://localhost:8080")
t.Setenv("STORE_DIR", mockDir)
mux := http.NewServeMux()
err := configureLocalHandlers(mux)
require.NoError(t, err)
req := httptest.NewRequest(http.MethodPut, putURLPath+"/dir/dup.txt", bytes.NewReader([]byte("first")))
rec := httptest.NewRecorder()
mux.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
req = httptest.NewRequest(http.MethodPut, putURLPath+"/dir/dup.txt", bytes.NewReader([]byte("second")))
rec = httptest.NewRecorder()
mux.ServeHTTP(rec, req)
require.Equal(t, http.StatusConflict, rec.Code)
content, err := os.ReadFile(filepath.Join(mockDir, "dir", "dup.txt"))
require.NoError(t, err)
require.Equal(t, []byte("first"), content)
}
func Test_LocalHandlePutRequest_BodyTooLarge(t *testing.T) {
mockDir := t.TempDir()
t.Setenv("SERVER_URL", "http://localhost:8080")
t.Setenv("STORE_DIR", mockDir)
mux := http.NewServeMux()
err := configureLocalHandlers(mux)
require.NoError(t, err)
largeBody := make([]byte, maxUploadSize+1)
req := httptest.NewRequest(http.MethodPut, putURLPath+"/dir/big.txt", bytes.NewReader(largeBody))
rec := httptest.NewRecorder()
mux.ServeHTTP(rec, req)
require.Equal(t, http.StatusRequestEntityTooLarge, rec.Code)
_, err = os.Stat(filepath.Join(mockDir, "dir", "big.txt"))
require.True(t, os.IsNotExist(err))
}