fix: vulnerability on the restore database endpoints

ellite · Dec 6, 2024 · 60f204d · 60f204d
1 parent 89f29c2
commit 60f204d
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 19 deletions.
diff --git a/endpoints/db/import.php b/endpoints/db/import.php
@@ -10,6 +10,18 @@
     ]));
 }
 
+function emptyRestoreFolder() {
+    $files = new RecursiveIteratorIterator(
+        new RecursiveDirectoryIterator('../../.tmp/restore', RecursiveDirectoryIterator::SKIP_DOTS),
+        RecursiveIteratorIterator::CHILD_FIRST
+    );
+
+    foreach ($files as $fileinfo) {
+        $removeFunction = ($fileinfo->isDir() ? 'rmdir' : 'unlink');
+        $removeFunction($fileinfo->getRealPath());
+    }
+}
+
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     if (isset($_FILES['file'])) {
         $file = $_FILES['file'];
@@ -68,21 +80,15 @@
                     }
                 }
 
-                $files = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator('../../.tmp', RecursiveDirectoryIterator::SKIP_DOTS),
-                    RecursiveIteratorIterator::CHILD_FIRST
-                );
-
-                foreach ($files as $fileinfo) {
-                    $removeFunction = ($fileinfo->isDir() ? 'rmdir' : 'unlink');
-                    $removeFunction($fileinfo->getRealPath());
-                }
+                emptyRestoreFolder();
 
                 echo json_encode([
                     "success" => true,
                     "message" => translate("success", $i18n)
                 ]);
             } else {
+                emptyRestoreFolder();
+
                 die(json_encode([
                     "success" => false,
                     "message" => "wallos.db does not exist in the backup file"

diff --git a/endpoints/db/restore.php b/endpoints/db/restore.php
@@ -8,6 +8,25 @@
     ]));
 }
 
+if ($userId !== 1) {
+    die(json_encode([
+        "success" => false,
+        "message" => translate('error', $i18n)
+    ]));
+}
+
+function emptyRestoreFolder() {
+    $files = new RecursiveIteratorIterator(
+        new RecursiveDirectoryIterator('../../.tmp/restore', RecursiveDirectoryIterator::SKIP_DOTS),
+        RecursiveIteratorIterator::CHILD_FIRST
+    );
+
+    foreach ($files as $fileinfo) {
+        $removeFunction = ($fileinfo->isDir() ? 'rmdir' : 'unlink');
+        $removeFunction($fileinfo->getRealPath());
+    }
+}
+
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     if (isset($_FILES['file'])) {
         $file = $_FILES['file'];
@@ -66,21 +85,15 @@
                     }
                 }
 
-                $files = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator('../../.tmp', RecursiveDirectoryIterator::SKIP_DOTS),
-                    RecursiveIteratorIterator::CHILD_FIRST
-                );
-
-                foreach ($files as $fileinfo) {
-                    $removeFunction = ($fileinfo->isDir() ? 'rmdir' : 'unlink');
-                    $removeFunction($fileinfo->getRealPath());
-                }
+                emptyRestoreFolder();
 
                 echo json_encode([
                     "success" => true,
                     "message" => translate("success", $i18n)
                 ]);
             } else {
+                emptyRestoreFolder();
+
                 die(json_encode([
                     "success" => false,
                     "message" => "wallos.db does not exist in the backup file"

diff --git a/includes/version.php b/includes/version.php
@@ -1,3 +1,3 @@
 <?php
-$version = "v2.38.2";
+$version = "v2.38.3";
 ?>
diff --git a/nginx.conf b/nginx.conf
@@ -47,6 +47,11 @@ http {
             deny all;
             return 403;
         }
+
+        location ~* \.tmp/.*\.php$ {
+            deny all;
+            return 403;
+        }
     }
 
     include /etc/nginx/conf.d/*.conf;