Merge pull request #58 from alan16742/master

fix: Block malicious upload attempts
vcheckzen · Oct 11, 2024 · 1530871 · 1530871
2 parents cc1ee2c + 2801ec7
commit 1530871
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/back-end-cf/index.js b/back-end-cf/index.js
@@ -62,14 +62,15 @@ async function handleRequest(request) {
     return Response.redirect(url, 302);
   } else if (requestUrl.searchParams.get('upload')) {
     requestPath = requestUrl.searchParams.get('upload');
-    const uploadAllow = await fetchFiles(requestPath, '.upload');
+    const upload = await fetchFiles(requestPath, '.upload');
+    const uploadSecret = await fetchFiles(requestPath, PASSWD_FILENAME, null, true) || '';
     const fileList = await request.json();
-    const pwAttack = fileList['files'].some(
+    const uploadAttack = fileList['files'].some(
       (file) =>
         file.remotePath.split('/').pop().toLowerCase() ===
         PASSWD_FILENAME.toLowerCase()
-    );
-    if (uploadAllow && !pwAttack) {
+    ) || fileList['secret'] !== uploadSecret;
+    if (upload && !uploadAttack) {
       const uploadLinks = await uploadFiles(fileList);
       return new Response(uploadLinks, {
         headers: returnHeaders,

diff --git a/front-end/index.html b/front-end/index.html
@@ -1077,6 +1077,7 @@
                 input.placeholder = '密码错误';
               } else {
                 window.fileCache.set(newFiles.parent, newFiles);
+                window.fileCache.set(`${newFiles.parent}/.upload`, passwd);
                 fetchFileList(newFiles.parent);
               }
             }
@@ -1716,7 +1717,7 @@
           sendRequest(
             window.api.method,
             window.api.url + '?upload=' + odPath,
-            JSON.stringify({ files: currentPage }),
+            JSON.stringify({ secret: window.fileCache.get(`${odPath}/.upload`) || '', files: currentPage }),
             window.api.headers,
             (response) => {
               const uploadLinks = JSON.parse(response).files;