fix: graphql server path injection

Signed-off-by: Jaeyeon Park <[email protected]>
litmuschaos · Oct 5, 2024 · d920302 · d920302
1 parent 101557c
commit d920302
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 22 deletions.
diff --git a/chaoscenter/graphql/server/pkg/chaoshub/handler/handler.go b/chaoscenter/graphql/server/pkg/chaoshub/handler/handler.go
@@ -155,13 +155,13 @@ func IsFileExisting(path string) (bool, error) {
 
 // DownloadRemoteHub is used to download a remote hub from the url provided by the user
 func DownloadRemoteHub(hubDetails model.CreateRemoteChaosHub, projectID string) error {
-	dirPath := DefaultPath + projectID
+	dirPath := DefaultPath + sanitize.PathName(projectID)
 	err := os.MkdirAll(dirPath, 0755)
 	if err != nil {
 		return err
 	}
 	//create the destination directory where the hub will be downloaded
-	hubPath := dirPath + "/" + hubDetails.Name + ".zip"
+	hubPath := dirPath + "/" + sanitize.PathName(hubDetails.Name) + ".zip"
 	destDir, err := os.Create(hubPath)
 	if err != nil {
 		log.Error(err)
@@ -278,7 +278,7 @@ func CopyZipItems(file *zip.File, extractPath string, chartsPath string) error {
 
 // SyncRemoteRepo is used to sync the remote ChaosHub
 func SyncRemoteRepo(hubData model.CloningInput, projectID string) error {
-	hubPath := DefaultPath + projectID + "/" + hubData.Name
+	hubPath := DefaultPath + sanitize.PathName(projectID) + "/" + sanitize.PathName(hubData.Name)
 	err := os.RemoveAll(hubPath)
 	if err != nil {
 		return err
@@ -320,16 +320,21 @@ func ChaosHubIconHandler() gin.HandlerFunc {
 			responseStatusCode int
 		)
 
+		projectID := sanitize.PathName(c.Param("projectId"))
+		hubName := sanitize.PathName(c.Param("hubName"))
+		chartName := sanitize.PathName(c.Param("chartName"))
+		iconName := sanitize.PathName(c.Param("iconName"))
+
 		if strings.ToLower(c.Param("chartName")) == "predefined" {
-			img, err = os.Open(utils.Config.CustomChaosHubPath + c.Param("projectId") + "/" + c.Param("hubName") + "/experiments/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.CustomChaosHubPath + projectID + "/" + hubName + "/experiments/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
 				log.WithError(err).Error("icon cannot be fetched")
 				fmt.Fprint(c.Writer, "icon cannot be fetched, err : "+err.Error())
 			}
 		} else {
-			img, err = os.Open(utils.Config.CustomChaosHubPath + c.Param("projectId") + "/" + c.Param("hubName") + "/faults/" + c.Param("chartName") + "/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.CustomChaosHubPath + projectID + "/" + hubName + "/faults/" + chartName + "/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
@@ -354,16 +359,20 @@ func DefaultChaosHubIconHandler() gin.HandlerFunc {
 			responseStatusCode int
 		)
 
+		hubName := sanitize.PathName(c.Param("hubName"))
+		chartName := sanitize.PathName(c.Param("chartName"))
+		iconName := sanitize.PathName(c.Param("iconName"))
+
 		if strings.ToLower(c.Param("chartName")) == "predefined" {
-			img, err = os.Open(utils.Config.DefaultChaosHubPath + c.Param("hubName") + "/experiments/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.DefaultChaosHubPath + hubName + "/experiments/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
 				log.WithError(err).Error("icon cannot be fetched")
 				fmt.Fprint(c.Writer, "icon cannot be fetched, err : "+err.Error())
 			}
 		} else {
-			img, err = os.Open(utils.Config.DefaultChaosHubPath + c.Param("hubName") + "/faults/" + c.Param("chartName") + "/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.DefaultChaosHubPath + hubName + "/faults/" + chartName + "/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError

diff --git a/chaoscenter/graphql/server/pkg/chaoshub/ops/gitops.go b/chaoscenter/graphql/server/pkg/chaoshub/ops/gitops.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/graph/model"
+	"github.com/mrz1836/go-sanitize"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -44,9 +45,9 @@ func GetClonePath(c ChaosHubConfig) string {
 
 	var repoPath string
 	if c.IsDefault {
-		repoPath = "/tmp/default/" + c.HubName
+		repoPath = "/tmp/default/" + sanitize.PathName(c.HubName)
 	} else {
-		repoPath = DefaultPath + c.ProjectID + "/" + c.HubName
+		repoPath = DefaultPath + sanitize.PathName(c.ProjectID) + "/" + sanitize.PathName(c.HubName)
 	}
 	return repoPath
 }

diff --git a/chaoscenter/graphql/server/pkg/chaoshub/service.go b/chaoscenter/graphql/server/pkg/chaoshub/service.go
@@ -17,6 +17,7 @@ import (
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb"
 	dbSchemaChaosHub "github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb/chaos_hub"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/utils"
+	"github.com/mrz1836/go-sanitize"
 	log "github.com/sirupsen/logrus"
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
@@ -329,7 +330,7 @@ func (c *chaosHubService) UpdateChaosHub(ctx context.Context, chaosHub model.Upd
 	if err != nil {
 		return nil, err
 	}
-	clonePath := DefaultPath + prevChaosHub.ProjectID + "/" + prevChaosHub.Name
+	clonePath := DefaultPath + sanitize.PathName(prevChaosHub.ProjectID) + "/" + sanitize.PathName(prevChaosHub.Name)
 	if prevChaosHub.HubType == string(model.HubTypeRemote) {
 		if prevChaosHub.Name != chaosHub.Name || prevChaosHub.RepoURL != chaosHub.RepoURL || prevChaosHub.RemoteHub != chaosHub.RemoteHub {
 			remoteHub := model.CreateRemoteChaosHub{
@@ -439,7 +440,7 @@ func (c *chaosHubService) DeleteChaosHub(ctx context.Context, hubID string, proj
 		log.Error(err)
 		return false, err
 	}
-	clonePath := DefaultPath + projectID + "/" + chaosHub.Name
+	clonePath := DefaultPath + sanitize.PathName(projectID) + "/" + sanitize.PathName(chaosHub.Name)
 	err = os.RemoveAll(clonePath)
 	if err != nil {
 		log.Error(err)
@@ -735,9 +736,9 @@ func (c *chaosHubService) ListPredefinedExperiments(ctx context.Context, hubID s
 
 	var hubPath string
 	if hub.IsDefault {
-		hubPath = "/tmp/default/" + hub.Name + "/experiments/"
+		hubPath = "/tmp/default/" + sanitize.PathName(hub.Name) + "/experiments/"
 	} else {
-		hubPath = DefaultPath + projectID + "/" + hub.Name + "/experiments/"
+		hubPath = DefaultPath + sanitize.PathName(projectID) + "/" + sanitize.PathName(hub.Name) + "/experiments/"
 	}
 	var predefinedWorkflows []*model.PredefinedExperimentList
 	files, err := os.ReadDir(hubPath)
@@ -794,9 +795,9 @@ func (c *chaosHubService) GetPredefinedExperiment(ctx context.Context, hubID str
 	}
 	var hubPath string
 	if hub.IsDefault {
-		hubPath = "/tmp/default/" + hub.Name + "/experiments/"
+		hubPath = "/tmp/default/" + sanitize.PathName(hub.Name) + "/experiments/"
 	} else {
-		hubPath = DefaultPath + projectID + "/" + hub.Name + "/experiments/"
+		hubPath = DefaultPath + sanitize.PathName(projectID) + "/" + sanitize.PathName(hub.Name) + "/experiments/"
 	}
 	var predefinedWorkflows []*model.PredefinedExperimentList
 
@@ -814,7 +815,7 @@ func (c *chaosHubService) getPredefinedExperimentDetails(experimentsPath string,
 	var (
 		csvManifest        = ""
 		workflowManifest   = ""
-		path               = experimentsPath + experiment + "/" + experiment + ".chartserviceversion.yaml"
+		path               = experimentsPath + sanitize.PathName(experiment) + "/" + sanitize.PathName(experiment) + ".chartserviceversion.yaml"
 		isExist            = true
 		preDefinedWorkflow = &model.PredefinedExperimentList{}
 	)

diff --git a/chaoscenter/graphql/server/pkg/gitops/gitops.go b/chaoscenter/graphql/server/pkg/gitops/gitops.go
@@ -22,6 +22,7 @@ import (
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/graph/model"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/authorization"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb/gitops"
+	"github.com/mrz1836/go-sanitize"
 	log "github.com/sirupsen/logrus"
 	ssh2 "golang.org/x/crypto/ssh"
 )
@@ -82,7 +83,7 @@ func GetGitOpsConfig(repoData gitops.GitConfigDB) GitConfig {
 		RepositoryURL: repoData.RepositoryURL,
 		RemoteName:    "origin",
 		Branch:        repoData.Branch,
-		LocalPath:     DefaultPath + repoData.ProjectID,
+		LocalPath:     DefaultPath + sanitize.PathName(repoData.ProjectID),
 		LatestCommit:  repoData.LatestCommit,
 		UserName:      repoData.UserName,
 		Password:      repoData.Password,
@@ -96,7 +97,7 @@ func GetGitOpsConfig(repoData gitops.GitConfigDB) GitConfig {
 
 // setupGitRepo helps clones and sets up the repo for GitOps
 func (c GitConfig) setupGitRepo(user GitUser) error {
-	projectPath := c.LocalPath + "/" + ProjectDataPath + "/" + c.ProjectID
+	projectPath := c.LocalPath + "/" + ProjectDataPath + "/" + sanitize.PathName(c.ProjectID)
 
 	// clone repo
 	_, err := c.GitClone()

diff --git a/chaoscenter/graphql/server/pkg/gitops/service.go b/chaoscenter/graphql/server/pkg/gitops/service.go
@@ -21,6 +21,7 @@ import (
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb/chaos_infrastructure"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb/gitops"
 	"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/grpc"
+	"github.com/mrz1836/go-sanitize"
 	log "github.com/sirupsen/logrus"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -154,7 +155,7 @@ func (g *gitOpsService) DisableGitOpsHandler(ctx context.Context, projectID stri
 		return false, errors.New("Failed to delete git config from DB : " + err.Error())
 	}
 
-	err = os.RemoveAll(DefaultPath + projectID)
+	err = os.RemoveAll(DefaultPath + sanitize.PathName(projectID))
 	if err != nil {
 		return false, errors.New("Failed to delete git repo from disk : " + err.Error())
 	}
@@ -183,7 +184,7 @@ func (g *gitOpsService) UpdateGitOpsDetailsHandler(ctx context.Context, projectI
 
 	gitConfig := GetGitOpsConfig(gitDB)
 	originalPath := gitConfig.LocalPath
-	gitConfig.LocalPath = tempPath + gitConfig.ProjectID
+	gitConfig.LocalPath = tempPath + sanitize.PathName(gitConfig.ProjectID)
 	commit, err := SetupGitOps(GitUserFromContext(ctx), gitConfig)
 	if err != nil {
 		return false, errors.New("Failed to setup GitOps : " + err.Error())
@@ -319,7 +320,7 @@ func (g *gitOpsService) DeleteExperimentFromGit(ctx context.Context, projectID s
 		return errors.New("Sync Error | " + err.Error())
 	}
 
-	experimentPath := ProjectDataPath + "/" + gitConfig.ProjectID + "/" + experiment.ExperimentName + ".yaml"
+	experimentPath := ProjectDataPath + "/" + sanitize.PathName(gitConfig.ProjectID) + "/" + sanitize.PathName(experiment.ExperimentName) + ".yaml"
 	exists, err := PathExists(gitConfig.LocalPath + "/" + experimentPath)
 	if err != nil {
 		return errors.New("Cannot delete experiment from git : " + err.Error())
@@ -457,7 +458,7 @@ func (g *gitOpsService) SyncDBToGit(ctx context.Context, config GitConfig) error
 			continue
 		}
 		// check if file was deleted or not
-		exists, err := PathExists(config.LocalPath + "/" + file)
+		exists, err := PathExists(config.LocalPath + "/" + sanitize.PathName(file))
 		if err != nil {
 			return errors.New("Error checking file in local repo : " + file + " | " + err.Error())
 		}