Fix Webdav Syncing Issues
- [+] feat(route.ts): add endpoint validation and improve error handling - [+] refactor(route.ts): use targetPath for request validation and error messages - [+] fix(route.ts): correct targetUrl formation
This commit is contained in:
H0llyW00dzZ
parent
3ba984d09e
commit
c0c54e5709
|
|
@ -12,17 +12,28 @@ async function handle(
|
|||
|
||||
const requestUrl = new URL(req.url);
|
||||
let endpoint = requestUrl.searchParams.get("endpoint");
|
||||
if (!endpoint?.endsWith("/")) {
|
||||
endpoint += "/";
|
||||
|
||||
// Validate the endpoint to prevent potential SSRF attacks
|
||||
if (!endpoint || !endpoint.startsWith("/")) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: true,
|
||||
msg: "Invalid endpoint",
|
||||
},
|
||||
{
|
||||
status: 400,
|
||||
},
|
||||
);
|
||||
}
|
||||
const endpointPath = params.path.join("/");
|
||||
const targetPath = `${endpoint}/${endpointPath}`;
|
||||
|
||||
// only allow MKCOL, GET, PUT
|
||||
if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: true,
|
||||
msg: "you are not allowed to request " + params.path.join("/"),
|
||||
msg: "you are not allowed to request " + targetPath,
|
||||
},
|
||||
{
|
||||
status: 403,
|
||||
|
|
@ -32,13 +43,13 @@ async function handle(
|
|||
|
||||
// for MKCOL request, only allow request ${folder}
|
||||
if (
|
||||
req.method == "MKCOL" &&
|
||||
!new URL(endpointPath).pathname.endsWith(folder)
|
||||
req.method === "MKCOL" &&
|
||||
!targetPath.endsWith(folder)
|
||||
) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: true,
|
||||
msg: "you are not allowed to request " + params.path.join("/"),
|
||||
msg: "you are not allowed to request " + targetPath,
|
||||
},
|
||||
{
|
||||
status: 403,
|
||||
|
|
@ -48,13 +59,13 @@ async function handle(
|
|||
|
||||
// for GET request, only allow request ending with fileName
|
||||
if (
|
||||
req.method == "GET" &&
|
||||
!new URL(endpointPath).pathname.endsWith(fileName)
|
||||
req.method === "GET" &&
|
||||
!targetPath.endsWith(fileName)
|
||||
) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: true,
|
||||
msg: "you are not allowed to request " + params.path.join("/"),
|
||||
msg: "you are not allowed to request " + targetPath,
|
||||
},
|
||||
{
|
||||
status: 403,
|
||||
|
|
@ -64,13 +75,13 @@ async function handle(
|
|||
|
||||
// for PUT request, only allow request ending with fileName
|
||||
if (
|
||||
req.method == "PUT" &&
|
||||
!new URL(endpointPath).pathname.endsWith(fileName)
|
||||
req.method === "PUT" &&
|
||||
!targetPath.endsWith(fileName)
|
||||
) {
|
||||
return NextResponse.json(
|
||||
{
|
||||
error: true,
|
||||
msg: "you are not allowed to request " + params.path.join("/"),
|
||||
msg: "you are not allowed to request " + targetPath,
|
||||
},
|
||||
{
|
||||
status: 403,
|
||||
|
|
@ -78,7 +89,7 @@ async function handle(
|
|||
);
|
||||
}
|
||||
|
||||
const targetUrl = `${endpoint + endpointPath}`;
|
||||
const targetUrl = `${endpoint}/${endpointPath}`;
|
||||
|
||||
const method = req.method;
|
||||
const shouldNotHaveBody = ["get", "head"].includes(
|
||||
|
|
|
|||
Loading…
Reference in New Issue