[pull] main from pwndoc:main #10

Status: Open. Wants to merge 40 commits into base: main.
Changes shown from 1 commit.

Commits (40):
0140c51 Create backup and restore functions (yeln4ts, Aug 4, 2023)
fdfce7c Complete backup and restoration for all models + Frontend workflow (yeln4ts, Jan 8, 2024)
ac2e2da Fix vuln update model backup (yeln4ts, Jan 8, 2024)
23f0d3a Fix backup status comparison bug and improve backup and restore messages (yeln4ts, Jan 8, 2024)
388b4fa Update backup / restore features and performance (yeln4ts, Feb 7, 2024)
4cac782 Fix upload progress (yeln4ts, Feb 7, 2024)
4818831 Remove bypass permission for init restore (yeln4ts, Feb 7, 2024)
543dcea Fix upload size issue (yeln4ts, Feb 7, 2024)
74aac24 Add disk free check when restoring (yeln4ts, Feb 7, 2024)
d7f9547 Fix extractFiles function for directories handle (yeln4ts, Feb 8, 2024)
58c5be6 Handle arbitrary filenames for backup (yeln4ts, Feb 8, 2024)
ed4c2f3 Throttle audit restore queries to handle overload (yeln4ts, Feb 8, 2024)
270e7ed Added validation of the extension (MaxNad, Dec 9, 2024)
1d4219c Merge commit from fork (MaxNad, Dec 10, 2024)
52c9ef2 Prevent prototype access for select filter (MaxNad, Dec 10, 2024)
e4aa243 Added a global error handler (MaxNad, Dec 10, 2024)
8041b60 Fixed test runner (MaxNad, Dec 10, 2024)
d62fcf9 Added prototype validation for translate function (MaxNad, Dec 11, 2024)
7ed91b2 Merge commit from fork (MaxNad, Dec 11, 2024)
0fdcf4b Updated backend dependencies (MaxNad, Dec 11, 2024)
d266167 Fix Merge conflicts (yeln4ts, Dec 16, 2024)
6f64d99 Merge branch 'main' into backup (yeln4ts, Dec 16, 2024)
d9aa4ef Removed 'auto-close' behavior (Tibso, Dec 19, 2024)
9107f61 Fix restore OOM and update settings UI (yeln4ts, Dec 19, 2024)
c55f3a2 Add memory limits in docker-compose files to prevent OOM (yeln4ts, Dec 19, 2024)
af175a5 Remove old test backup (yeln4ts, Dec 19, 2024)
a4586bf Add backup directory create if not exist (yeln4ts, Dec 19, 2024)
dc5f25b Fix bug in clients restore (yeln4ts, Dec 20, 2024)
cf7bf34 Update tests due to changes in api (yeln4ts, Dec 20, 2024)
abadec8 Add backup / restore tests (yeln4ts, Dec 20, 2024)
c1eac4c Add docker-compose override example for modifying memory resources (yeln4ts, Dec 20, 2024)
beebef6 Fix code issues (yeln4ts, Jan 3, 2025)
6a45406 Add backup upload tests (yeln4ts, Jan 3, 2025)
7a250e6 Remove unused import (yeln4ts, Jan 3, 2025)
bba13ad Merge pull request #561 from pwndoc/backup (yeln4ts, Jan 3, 2025)
068fead Fix issue in backup images aggregation (yeln4ts, Jan 3, 2025)
7c84391 Merge branch 'pwndoc:main' into main (Tibso, Jan 11, 2025)
fe6fbd3 Merge pull request #560 from Tibso/main (MaxNad, Jan 11, 2025)
5be5583 Added sameSite strict to cookies (MaxNad, Jan 14, 2025)
14acb70 Merge commit from fork (MaxNad, Jan 14, 2025)
Added validation of the extension
MaxNad committed Dec 9, 2024
commit 270e7ed2b99dac4acf92b5cf5cb14eb9056bb6a8
6 changes: 6 additions & 0 deletions backend/src/routes/template.js
@@ -46,6 +46,12 @@ module.exports = function(app) {
return;
}

// Fix for GHSA-2mqc-gg7h-76p6
if (req.body.ext && !utils.validFilename(req.body.ext)) {
Response.BadParameters(res, 'Bad name format');
return;
}

var template = {};
// Optional parameters
if (req.body.name) template.name = req.body.name;
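Review bot: The guard `if (req.body.ext && !utils.validFilename(req.body.ext))` reuses the filename validator for a field that should only ever hold a short extension token such as `docx`; it does reject the `../src/config/config.json` shape the new tests send, but a dedicated check that allows only alphanumeric characters (no dots, no path separators) would be more precise and would not depend on whatever `validFilename` accepts for full filenames. Because the condition runs only when `ext` is truthy, an empty string skips validation; that is fine only if the handler below ignores a falsy `ext`, which is worth confirming or making explicit here. A short comment stating the expected format of `ext` would help readers more than the advisory reference alone.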
38 changes: 38 additions & 0 deletions backend/tests/template.test.js
@@ -122,6 +122,44 @@ module.exports = function(request, app) {
expect(response.status).toBe(404)
})

it('Update template with invalid filename (Avoid security regression)', async () => {
var template = { name: "Template Updated../../../../src/config/config.json" }

var response = await request(app).put(`/api/templates/${template1Id}`)
.set('Cookie', [
`token=JWT ${userToken}`
])
.send(template)
expect(response.status).toBe(422)
})

it('Update template with invalid file extension (Avoid security regression)', async () => {
var template = {
name: "Template Updated",
ext: "../src/config/config.json"
}

var response = await request(app).put(`/api/templates/${template1Id}`)
.set('Cookie', [
`token=JWT ${userToken}`
])
.send(template)
expect(response.status).toBe(422)
})

it('Update template with invalid file extension - No file name (Avoid security regression)', async () => {
var template = {
ext: "../src/config/config.json"
}

var response = await request(app).put(`/api/templates/${template1Id}`)
.set('Cookie', [
`token=JWT ${userToken}`
])
.send(template)
expect(response.status).toBe(422)
})

it('Delete template', async () => {
var response = await request(app).delete(`/api/templates/${template2Id}`)
.set('Cookie', [
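Review bot: The three new cases in this hunk only exercise rejected input; add a positive case that updates a template with a benign extension (for example `ext: "docx"`) and expects success, otherwise an over-strict `validFilename` could break ordinary template updates without any test failing. The second and third tests reuse the identical `../src/config/config.json` payload and differ only in whether `name` is present, so one of them could instead probe another boundary of the validator (an extension containing only a `/`, or a leading `.`) to document what the check is meant to reject.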