From 8c411e610d702daf9e7505c1500163c481f7ed69 Mon Sep 17 00:00:00 2001
From: zhoupengcheng
Date: Wed, 1 Nov 2023 17:45:05 +0800
Subject: [PATCH] 0002-define-fix-privilege-escalation.patch

---
 modules/server/profile/profile.go | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/modules/server/profile/profile.go b/modules/server/profile/profile.go
index 5cdaa9a..cbf48b9 100644
--- a/modules/server/profile/profile.go
+++ b/modules/server/profile/profile.go
@@ -1277,8 +1277,32 @@ func (s *ProfileServer) Define(ctx context.Context, message *PB.DefineMessage) (
 applicationName := message.GetApplicationName()
 scenarioName := message.GetScenarioName()
 content := string(message.GetContent())
- profileName := serviceType + "-" + applicationName + "-" + scenarioName
+ detectRule := `[./].*`
+ detectPathchar := regexp.MustCompile(detectRule)
+
+ if detectPathchar.MatchString(serviceType) {
+ return &PB.Ack{}, fmt.Errorf("serviceType:%s cannot contain special path characters '/' or '.' ", serviceType)
+ }
+ if !utils.IsInputStringValid(serviceType) {
+ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", serviceType)
+ }
+
+ if detectPathchar.MatchString(applicationName) {
+ return &PB.Ack{}, fmt.Errorf("applicationName:%s cannot contain special path characters '/' or '.' ", applicationName)
+ }
+ if !utils.IsInputStringValid(applicationName) {
+ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", applicationName)
+ }
+
+ if detectPathchar.MatchString(scenarioName) {
+ return &PB.Ack{}, fmt.Errorf("scenarioName:%s cannot contain special path characters '/' or '.' ", scenarioName)
+ }
+ if !utils.IsInputStringValid(scenarioName) {
+ return &PB.Ack{}, fmt.Errorf("input:%s is invalid", scenarioName)
+ }
+
+ profileName := serviceType + "-" + applicationName + "-" + scenarioName
 workloadTypeExist, err := sqlstore.ExistWorkloadType(profileName)
 if err != nil {
 return &PB.Ack{}, err
--
2.33.0
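Review bot: The path-character check is sound, but `regexp.MustCompile(detectRule)` runs on every Define call and the pattern's `.*` is redundant — an unanchored `[./]` already matches any occurrence — so `strings.ContainsAny(v, "./")` (or a package-level `var detectPathchar = regexp.MustCompile(`[./]`)` if `strings` is not already imported in this file) does the same work with no per-request compile. The three copies of the regex/IsInputStringValid pair differ only in the label, which makes it easy for a fourth name component to be added later without the check; the loop below folds them into one place, and the shared error text loses the trailing space before its closing quote. The messages echo caller-controlled input with `%s`; `%q` keeps newlines and control characters out of the returned error and of any log line built from it. Whether an empty component is rejected depends on `utils.IsInputStringValid`, which is not visible here, and Define starts before this hunk and continues past it, so how profileName is used on disk is not shown.

```go
	// … unchanged: serviceType/applicationName/scenarioName/content extraction …
	// Each component presumably ends up in a file name (the removed line built
	// profileName from them), so reject path characters before it is assembled.
	for _, f := range []struct{ label, value string }{
		{"serviceType", serviceType},
		{"applicationName", applicationName},
		{"scenarioName", scenarioName},
	} {
		if strings.ContainsAny(f.value, "./") {
			return &PB.Ack{}, fmt.Errorf("%s:%q cannot contain special path characters '/' or '.'", f.label, f.value)
		}
		if !utils.IsInputStringValid(f.value) {
			return &PB.Ack{}, fmt.Errorf("input:%q is invalid", f.value)
		}
	}
	profileName := serviceType + "-" + applicationName + "-" + scenarioName
	// … unchanged: sqlstore.ExistWorkloadType lookup …
```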