Merge remote-tracking branch 'upstream/main'

2025-11-13 12:43:42 +08:00 · 2024-03-26 18:00:04 +08:00
parent bd1a8dcc3a 1049006cf9
commit ab0d7743de
7 changed files with 91 additions and 103 deletions
--- a/app/api/webdav/[...path]/route.ts
+++ b/app/api/webdav/[...path]/route.ts
@@ -12,17 +12,28 @@ async function handle(

  const requestUrl = new URL(req.url);
  let endpoint = requestUrl.searchParams.get("endpoint");
-  if (!endpoint?.endsWith("/")) {
-    endpoint += "/";
+
+  // Validate the endpoint to prevent potential SSRF attacks
+  if (!endpoint || !endpoint.startsWith("/")) {
+    return NextResponse.json(
+      {
+        error: true,
+        msg: "Invalid endpoint",
+      },
+      {
+        status: 400,
+      },
+    );
  }
  const endpointPath = params.path.join("/");
+  const targetPath = `${endpoint}/${endpointPath}`;

  // only allow MKCOL, GET, PUT
  if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") {
    return NextResponse.json(
      {
        error: true,
-        msg: "you are not allowed to request " + params.path.join("/"),
+        msg: "you are not allowed to request " + targetPath,
      },
      {
        status: 403,
@@ -31,14 +42,11 @@ async function handle(
  }

  // for MKCOL request, only allow request ${folder}
-  if (
-    req.method == "MKCOL" &&
-    !new URL(endpointPath).pathname.endsWith(folder)
-  ) {
+  if (req.method === "MKCOL" && !targetPath.endsWith(folder)) {
    return NextResponse.json(
      {
        error: true,
-        msg: "you are not allowed to request " + params.path.join("/"),
+        msg: "you are not allowed to request " + targetPath,
      },
      {
        status: 403,
@@ -47,14 +55,11 @@ async function handle(
  }

  // for GET request, only allow request ending with fileName
-  if (
-    req.method == "GET" &&
-    !new URL(endpointPath).pathname.endsWith(fileName)
-  ) {
+  if (req.method === "GET" && !targetPath.endsWith(fileName)) {
    return NextResponse.json(
      {
        error: true,
-        msg: "you are not allowed to request " + params.path.join("/"),
+        msg: "you are not allowed to request " + targetPath,
      },
      {
        status: 403,
@@ -63,14 +68,11 @@ async function handle(
  }

  //   for PUT request, only allow request ending with fileName
-  if (
-    req.method == "PUT" &&
-    !new URL(endpointPath).pathname.endsWith(fileName)
-  ) {
+  if (req.method === "PUT" && !targetPath.endsWith(fileName)) {
    return NextResponse.json(
      {
        error: true,
-        msg: "you are not allowed to request " + params.path.join("/"),
+        msg: "you are not allowed to request " + targetPath,
      },
      {
        status: 403,
@@ -78,7 +80,7 @@ async function handle(
    );
  }

-  const targetUrl = `${endpoint + endpointPath}`;
+  const targetUrl = `${endpoint}/${endpointPath}`;

  const method = req.method;
  const shouldNotHaveBody = ["get", "head"].includes(
@@ -90,6 +92,7 @@ async function handle(
      authorization: req.headers.get("authorization") ?? "",
    },
    body: shouldNotHaveBody ? null : req.body,
+    redirect: "manual",
    method,
    // @ts-ignore
    duplex: "half",