Fixed authorization controls on controller actions and added path sanitization preventing path traversal

0xLanks · 0xLanks · commit 035bc377694a · 2022-05-04T21:49:36.000-07:00
diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/FileManagerController.cs
@@ -1,4 +1,5 @@
-﻿using BlogEngine.Core.Data.Contracts;
+﻿using BlogEngine.Core;
+using BlogEngine.Core.Data.Contracts;
 using BlogEngine.Core.FileSystem;
 using BlogEngine.Core.Providers;
 using System;
@@ -24,6 +25,11 @@ public IEnumerable<FileInstance> Get(int take = 10, int skip = 0, string path =
     [HttpPut]
     public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
     {
+        if (!Security.IsAdministrator)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
         if (items == null || items.Count == 0)
             throw new HttpResponseException(HttpStatusCode.ExpectationFailed);
 
@@ -36,10 +42,10 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
                 if (item.IsChecked)
                 {
                     if(item.FileType == FileType.File || item.FileType == FileType.Image)
-                        BlogService.DeleteFile(item.FullPath);
+                        BlogService.DeleteFile(Extensions.SanitizePath(item.FullPath));
 
                     if (item.FileType == FileType.Directory)
-                        BlogService.DeleteDirectory(item.FullPath);
+                        BlogService.DeleteDirectory(Extensions.SanitizePath(item.FullPath));
                 }
             }
         }
@@ -49,7 +55,11 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)
     [HttpPut]
     public HttpResponseMessage AddFolder(FileInstance folder)
     {
-        BlogService.CreateDirectory(folder.FullPath + "/" + folder.Name);
+        if (!Security.IsAdministrator)
+        {
+            throw new UnauthorizedAccessException();
+        }
+        BlogService.CreateDirectory(Extensions.SanitizePath(folder.FullPath) + "/" + Extensions.SanitizePath(folder.Name));
         return Request.CreateResponse(HttpStatusCode.OK);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`		`-using BlogEngine.Core.Data.Contracts;`
	`1`	`+using BlogEngine.Core;`
	`2`	`+using BlogEngine.Core.Data.Contracts;`
`2`	`3`	`using BlogEngine.Core.FileSystem;`
`3`	`4`	`using BlogEngine.Core.Providers;`
`4`	`5`	`using System;`
`@@ -24,6 +25,11 @@ public IEnumerable<FileInstance> Get(int take = 10, int skip = 0, string path =`
`24`	`25`	`[HttpPut]`
`25`	`26`	`public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)`
`26`	`27`	`{`
	`28`	`+ if (!Security.IsAdministrator)`
	`29`	`+ {`
	`30`	`+ throw new UnauthorizedAccessException();`
	`31`	`+ }`
	`32`	`+`
`27`	`33`	`if (items == null \|\| items.Count == 0)`
`28`	`34`	`throw new HttpResponseException(HttpStatusCode.ExpectationFailed);`
`29`	`35`
`@@ -36,10 +42,10 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)`
`36`	`42`	`if (item.IsChecked)`
`37`	`43`	`{`
`38`	`44`	`if(item.FileType == FileType.File \|\| item.FileType == FileType.Image)`
`39`		`- BlogService.DeleteFile(item.FullPath);`
	`45`	`+ BlogService.DeleteFile(Extensions.SanitizePath(item.FullPath));`
`40`	`46`
`41`	`47`	`if (item.FileType == FileType.Directory)`
`42`		`- BlogService.DeleteDirectory(item.FullPath);`
	`48`	`+ BlogService.DeleteDirectory(Extensions.SanitizePath(item.FullPath));`
`43`	`49`	`}`
`44`	`50`	`}`
`45`	`51`	`}`
`@@ -49,7 +55,11 @@ public HttpResponseMessage ProcessChecked([FromBody]List<FileInstance> items)`
`49`	`55`	`[HttpPut]`
`50`	`56`	`public HttpResponseMessage AddFolder(FileInstance folder)`
`51`	`57`	`{`
`52`		`- BlogService.CreateDirectory(folder.FullPath + "/" + folder.Name);`
	`58`	`+ if (!Security.IsAdministrator)`
	`59`	`+ {`
	`60`	`+ throw new UnauthorizedAccessException();`
	`61`	`+ }`
	`62`	`+ BlogService.CreateDirectory(Extensions.SanitizePath(folder.FullPath) + "/" + Extensions.SanitizePath(folder.Name));`
`53`	`63`	`return Request.CreateResponse(HttpStatusCode.OK);`
`54`	`64`	`}`
`55`	`65`