From c0c54e57098b41210b098aec7f4d3561fd6f8c62 Mon Sep 17 00:00:00 2001 From: H0llyW00dzZ Date: Wed, 20 Mar 2024 01:37:38 +0700 Subject: [PATCH 1/3] Fix Webdav Syncing Issues - [+] feat(route.ts): add endpoint validation and improve error handling - [+] refactor(route.ts): use targetPath for request validation and error messages - [+] fix(route.ts): correct targetUrl formation --- app/api/webdav/[...path]/route.ts | 37 ++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/app/api/webdav/[...path]/route.ts b/app/api/webdav/[...path]/route.ts index c60ca18bb..81ede0fd8 100644 --- a/app/api/webdav/[...path]/route.ts +++ b/app/api/webdav/[...path]/route.ts @@ -12,17 +12,28 @@ async function handle( const requestUrl = new URL(req.url); let endpoint = requestUrl.searchParams.get("endpoint"); - if (!endpoint?.endsWith("/")) { - endpoint += "/"; + + // Validate the endpoint to prevent potential SSRF attacks + if (!endpoint || !endpoint.startsWith("/")) { + return NextResponse.json( + { + error: true, + msg: "Invalid endpoint", + }, + { + status: 400, + }, + ); } const endpointPath = params.path.join("/"); + const targetPath = `${endpoint}/${endpointPath}`; // only allow MKCOL, GET, PUT if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") { return NextResponse.json( { error: true, - msg: "you are not allowed to request " + params.path.join("/"), + msg: "you are not allowed to request " + targetPath, }, { status: 403, @@ -32,13 +43,13 @@ async function handle( // for MKCOL request, only allow request ${folder} if ( - req.method == "MKCOL" && - !new URL(endpointPath).pathname.endsWith(folder) + req.method === "MKCOL" && + !targetPath.endsWith(folder) ) { return NextResponse.json( { error: true, - msg: "you are not allowed to request " + params.path.join("/"), + msg: "you are not allowed to request " + targetPath, }, { status: 403, @@ -48,13 +59,13 @@ async function handle( // for GET request, only allow request ending with fileName if ( - req.method == "GET" && - !new URL(endpointPath).pathname.endsWith(fileName) + req.method === "GET" && + !targetPath.endsWith(fileName) ) { return NextResponse.json( { error: true, - msg: "you are not allowed to request " + params.path.join("/"), + msg: "you are not allowed to request " + targetPath, }, { status: 403, @@ -64,13 +75,13 @@ async function handle( // for PUT request, only allow request ending with fileName if ( - req.method == "PUT" && - !new URL(endpointPath).pathname.endsWith(fileName) + req.method === "PUT" && + !targetPath.endsWith(fileName) ) { return NextResponse.json( { error: true, - msg: "you are not allowed to request " + params.path.join("/"), + msg: "you are not allowed to request " + targetPath, }, { status: 403, @@ -78,7 +89,7 @@ async function handle( ); } - const targetUrl = `${endpoint + endpointPath}`; + const targetUrl = `${endpoint}/${endpointPath}`; const method = req.method; const shouldNotHaveBody = ["get", "head"].includes( From 223c6980d0473b385d1d1f3cf8889a00c7f3c9e1 Mon Sep 17 00:00:00 2001 From: sijinhui Date: Fri, 22 Mar 2024 16:40:19 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E9=82=AE=E4=BB=B6=E8=AE=A4=E8=AF=81-debug-3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/auth.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/auth.ts b/lib/auth.ts index ef0e690d2..469fe42cd 100644 --- a/lib/auth.ts +++ b/lib/auth.ts @@ -76,11 +76,11 @@ export const authOptions: NextAuthOptions = { } }) ], - pages: { - signIn: `/login`, - // verifyRequest: `/login`, - error: "/login", // Error code passed in query string as ?error= - }, + // pages: { + // signIn: `/login`, + // // verifyRequest: `/login`, + // error: "/login", // Error code passed in query string as ?error= + // }, adapter: PrismaAdapter(prisma), session: { strategy: "jwt", maxAge: 3 * 24 * 60 * 60 }, cookies: { From 5dd6f713c575aa7a5ae50518c996fa650ef73e1f Mon Sep 17 00:00:00 2001 From: sijinhui Date: Fri, 22 Mar 2024 16:53:37 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E9=82=AE=E4=BB=B6=E8=AE=A4=E8=AF=81-=E4=BF=AE=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker-compose.yml | 5 +++++ lib/auth.ts | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index aef331559..670f75cbd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -39,6 +39,11 @@ services: - NEXTAUTH_SECRET=$NEXTAUTH_SECRET - AUTH_GITHUB_ID=$AUTH_GITHUB_ID - AUTH_GITHUB_SECRET=$AUTH_GITHUB_SECRET + - EMAIL_SERVER_HOST=$EMAIL_SERVER_HOST + - EMAIL_SERVER_PORT=$EMAIL_SERVER_PORT + - EMAIL_SERVER_USER=$EMAIL_SERVER_USER + - EMAIL_SERVER_PASSWORD=$EMAIL_SERVER_PASSWORD + - EMAIL_FROM=$EMAIL_FROM - SECURE_COOKIES=$SECURE_COOKIES volumes: - /etc/localtime:/etc/localtime diff --git a/lib/auth.ts b/lib/auth.ts index 469fe42cd..d82856797 100644 --- a/lib/auth.ts +++ b/lib/auth.ts @@ -10,8 +10,8 @@ const SECURE_COOKIES:boolean = !!process.env.SECURE_COOKIES; export const authOptions: NextAuthOptions = { - debug: true, - // debug: !SECURE_COOKIES, + // debug: true, + debug: !SECURE_COOKIES, useSecureCookies: SECURE_COOKIES, secret: process.env.NEXTAUTH_SECRET, providers: [