test(files): add permission tests for basic file operations, with some security fixes

2022-02-21 17:38:20 +08:00 · 2022-02-21 17:38:20 +08:00 · cff87bdddd
commit cff87bdddd
parent 980bceb090
4 changed files with 462 additions and 71 deletions
--- a/src/handlers/fileshdr/handlers.go
+++ b/src/handlers/fileshdr/handlers.go
@ -24,7 +24,7 @@ import (
 	"github.com/ihexxa/quickshare/src/worker/localworker"
 )

-var (
+const (
 	// queries
 	FilePathQuery = "fp"
 	ListDirQuery  = "dp"
@ -104,7 +104,7 @@ func (h *FileHandlers) canAccess(userName, role, op, sharedPath string) bool {
 	parts := strings.Split(sharedPath, "/")
 	if len(parts) < 2 { // the path must be longer than <userName>/files
 		return false
-	} else if parts[0] == userName {
+	} else if parts[0] == userName && userName != "" && parts[1] != "" {
 		return true
 	}

@ -143,6 +143,12 @@ func (h *FileHandlers) Create(c *gin.Context) {
 		return
 	}

+	fsFilePath, err := h.getFSFilePath(userID, req.Path)
+	if err != nil {
+		c.JSON(q.ErrResp(c, 500, err))
+		return
+	}
+
 	if req.FileSize == 0 {
 		err = h.deps.FS().MkdirAll(filepath.Dir(req.Path))
 		if err != nil {
@ -152,12 +158,6 @@ func (h *FileHandlers) Create(c *gin.Context) {

 		// TODO: limit the number of files with 0 byte

-		fsFilePath, err := h.getFSFilePath(userID, req.Path)
-		if err != nil {
-			c.JSON(q.ErrResp(c, 500, err))
-			return
-		}
-
 		err = h.deps.FS().Create(fsFilePath)
 		if err != nil {
 			if os.IsExist(err) {
@ -512,6 +512,7 @@ func (h *FileHandlers) getFSFilePath(userID, fsFilePath string) (string, error)

 	// this file exists
 	maxDetect := 1024
+	fsFilePath = filepath.Clean(fsFilePath)
 	for i := 1; i < maxDetect; i++ {
 		dir := path.Dir(fsFilePath)
 		nameAndExt := path.Base(fsFilePath)
@ -1041,11 +1042,10 @@ func (h *FileHandlers) GetSharingDir(c *gin.Context) {

 func (h *FileHandlers) GetStreamReader(userID uint64, fd io.Reader) (io.ReadCloser, error) {
 	pr, pw := io.Pipe()
-	chunkSize := 100 * 1024 // notice: it can not be greater than limiter's token count

 	go func() {
 		for {
-			ok, err := h.deps.Limiter().CanRead(userID, chunkSize)
+			ok, err := h.deps.Limiter().CanRead(userID, q.DownloadChunkSize)
 			if err != nil {
 				pw.CloseWithError(err)
 				break
@ -1054,7 +1054,7 @@ func (h *FileHandlers) GetStreamReader(userID uint64, fd io.Reader) (io.ReadClos
 				continue
 			}

-			_, err = io.CopyN(pw, fd, int64(chunkSize))
+			_, err = io.CopyN(pw, fd, int64(q.DownloadChunkSize))
 			if err != nil {
 				if err != io.EOF {
 					pw.CloseWithError(err)
--- a/src/handlers/multiusers/handlers.go
+++ b/src/handlers/multiusers/handlers.go
@ -156,6 +156,9 @@ func (h *MultiUsersSvc) Init(adminName, adminPwd string) (string, error) {
 	spaceLimit := int64(h.cfg.IntOr("Users.SpaceLimit", 100*1024*1024))
 	uploadSpeedLimit := h.cfg.IntOr("Users.UploadSpeedLimit", 100*1024)
 	downloadSpeedLimit := h.cfg.IntOr("Users.DownloadSpeedLimit", 100*1024)
+	if downloadSpeedLimit < q.DownloadChunkSize {
+		return "", fmt.Errorf("download speed limit can not be lower than chunk size: %d", q.DownloadChunkSize)
+	}
 	if ok {
 		userCfgs, ok := usersInterface.([]*userstore.UserCfg)
 		if !ok {
@ -166,7 +169,6 @@ func (h *MultiUsersSvc) Init(adminName, adminPwd string) (string, error) {
 			// TODO: check if the folders already exists
 			fsRootFolder := q.FsRootPath(userCfg.Name, "/")
 			if err = h.deps.FS().MkdirAll(fsRootFolder); err != nil {
-
 				return "", err
 			}
 			uploadFolder := q.UploadFolder(userCfg.Name)
@ -276,7 +278,7 @@ func (h *MultiUsersSvc) IsAuthed(c *gin.Context) {
 	// token alreay verified in the authn middleware
 	role := c.MustGet(q.RoleParam).(string)
 	if role == userstore.VisitorRole {
-		c.JSON(q.ErrResp(c, 401, q.ErrUnauthorized))
+		c.JSON(q.ErrResp(c, 403, q.ErrUnauthorized))
 		return
 	}
 	c.JSON(q.Resp(200))
@ -299,7 +301,7 @@ func (h *MultiUsersSvc) SetPwd(c *gin.Context) {

 	claims, err := h.getUserInfo(c)
 	if err != nil {
-		c.JSON(q.ErrResp(c, 401, err))
+		c.JSON(q.ErrResp(c, 403, err))
 		return
 	}

@ -350,7 +352,7 @@ func (h *MultiUsersSvc) ForceSetPwd(c *gin.Context) {

 	claims, err := h.getUserInfo(c)
 	if err != nil {
-		c.JSON(q.ErrResp(c, 401, err))
+		c.JSON(q.ErrResp(c, 403, err))
 		return
 	}
 	if claims[q.RoleParam] != userstore.AdminRole {
@ -472,7 +474,7 @@ func (h *MultiUsersSvc) DelUser(c *gin.Context) {

 	claims, err := h.getUserInfo(c)
 	if err != nil {
-		c.JSON(q.ErrResp(c, 401, err))
+		c.JSON(q.ErrResp(c, 403, err))
 		return
 	}
 	if claims[q.UserIDParam] == userIDStr {
@ -645,7 +647,7 @@ type SelfResp struct {
 func (h *MultiUsersSvc) Self(c *gin.Context) {
 	claims, err := h.getUserInfo(c)
 	if err != nil {
-		c.JSON(q.ErrResp(c, 401, err))
+		c.JSON(q.ErrResp(c, 403, err))
 		return
 	}

@ -679,6 +681,12 @@ func (h *MultiUsersSvc) SetUser(c *gin.Context) {
 		return
 	}

+	role := c.MustGet(q.RoleParam).(string)
+	if role != userstore.AdminRole {
+		c.JSON(q.ErrResp(c, 403, errors.New("Forbidden")))
+		return
+	}
+
 	err := h.deps.Users().SetInfo(req.ID, &userstore.User{
 		Role:  req.Role,
 		Quota: req.Quota,
--- a/src/handlers/util.go
+++ b/src/handlers/util.go
@ -27,6 +27,10 @@ var (
 	TokenCookie    = "tk"
 	LastID         = "lid"

+	// DownloadChunkSize can not be greater than limiter's token count
+	// downloadSpeedLimit can not be lower than DownloadChunkSize
+	DownloadChunkSize = 100 * 1024
+
 	ErrAccessDenied = errors.New("access denied")
 	ErrUnauthorized = errors.New("unauthorized")
 )