fix: 修复 celery 等日志文件的访问漏洞 (#5469)

Co-authored-by: N xinwen <coderWen@126.com>

fix: 修复 celery 等日志文件的访问漏洞 (#5469)
Co-authored-by: N xinwen <coderWen@126.com>
0842553f · fit2bot · GitHub · 5fae9194 · 0842553f · 0842553f
隐藏空白更改
内联并排

Showing with 10 addition and 2 deletion

apps/ops/utils.py apps/ops/utils.py +7 -1

apps/ops/ws.py apps/ops/ws.py +1 -1

data/caution.txt data/caution.txt +2 -0

未找到文件。
--- a/apps/ops/utils.py
+++ b/apps/ops/utils.py
 # ~*~ coding: utf-8 ~*~
 import os
+import uuid

 from django.utils.translation import ugettext_lazy as _

 from common.utils import get_logger, get_object_or_none
 from common.tasks import send_mail_async
 from orgs.utils import org_aware_func
+from jumpserver.const import PROJECT_DIR

 from .models import Task, AdHoc

@@ -79,8 +81,12 @@ def send_server_performance_mail(path, usage, usages):

 def get_task_log_path(base_path, task_id, level=2):
    task_id = str(task_id)
+    try:
+        uuid.UUID(task_id)
+    except:
+        return os.path.join(PROJECT_DIR, 'data', 'caution.txt')
+
    rel_path = os.path.join(*task_id[:level], task_id + '.log')
    path = os.path.join(base_path, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    return path
-
--- a/apps/ops/ws.py
+++ b/apps/ops/ws.py
@@ -22,7 +22,7 @@ class TaskLogWebsocket(JsonWebsocketConsumer):

    def connect(self):
        user = self.scope["user"]
-        if user.is_authenticated and user.is_org_admin:
+        if user.is_authenticated:
            self.accept()
        else:
            self.close()

--- a/data/caution.txt
+++ b/data/caution.txt
+[1;31m 你想偷看啥 ！！！
+[1;31m What are you trying to peek at !!!
\ No newline at end of file