7x31
/
ChatGPT-Next-Web
mirror of https://github.com/Yidadaa/ChatGPT-Next-Web.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4353 from H0llyW00dzZ/cherry-pick-webdav 

[Cherry Pick] Fix Webdav Syncing Issues
This commit is contained in:
fred-bf 2024-03-21 18:56:26 +08:00 committed by GitHub
parent 3ba984d09e c0c54e5709
commit ebbd870150
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
app/api/webdav/[...path]/route.ts
View File

@ -12,17 +12,28 @@ async function handle(
const requestUrl = new URL(req.url); const requestUrl = new URL(req.url);
let endpoint = requestUrl.searchParams.get("endpoint"); let endpoint = requestUrl.searchParams.get("endpoint");
if (!endpoint?.endsWith("/")) {
endpoint += "/"; // Validate the endpoint to prevent potential SSRF attacks
if (!endpoint || !endpoint.startsWith("/")) {
return NextResponse.json(
{
error: true,
msg: "Invalid endpoint",
},
{
status: 400,
},
);
} }
const endpointPath = params.path.join("/"); const endpointPath = params.path.join("/");
const targetPath = `${endpoint}/${endpointPath}`;
// only allow MKCOL, GET, PUT // only allow MKCOL, GET, PUT
if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") { if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") {
return NextResponse.json( return NextResponse.json(
{ {
error: true, error: true,
msg: "you are not allowed to request " + params.path.join("/"), msg: "you are not allowed to request " + targetPath,
}, },
{ {
status: 403, status: 403,
@ -32,13 +43,13 @@ async function handle(
// for MKCOL request, only allow request ${folder} // for MKCOL request, only allow request ${folder}
if ( if (
req.method == "MKCOL" && req.method === "MKCOL" &&
!new URL(endpointPath).pathname.endsWith(folder) !targetPath.endsWith(folder)
) { ) {
return NextResponse.json( return NextResponse.json(
{ {
error: true, error: true,
msg: "you are not allowed to request " + params.path.join("/"), msg: "you are not allowed to request " + targetPath,
}, },
{ {
status: 403, status: 403,
@ -48,13 +59,13 @@ async function handle(
// for GET request, only allow request ending with fileName // for GET request, only allow request ending with fileName
if ( if (
req.method == "GET" && req.method === "GET" &&
!new URL(endpointPath).pathname.endsWith(fileName) !targetPath.endsWith(fileName)
) { ) {
return NextResponse.json( return NextResponse.json(
{ {
error: true, error: true,
msg: "you are not allowed to request " + params.path.join("/"), msg: "you are not allowed to request " + targetPath,
}, },
{ {
status: 403, status: 403,
@ -64,13 +75,13 @@ async function handle(
// for PUT request, only allow request ending with fileName // for PUT request, only allow request ending with fileName
if ( if (
req.method == "PUT" && req.method === "PUT" &&
!new URL(endpointPath).pathname.endsWith(fileName) !targetPath.endsWith(fileName)
) { ) {
return NextResponse.json( return NextResponse.json(
{ {
error: true, error: true,
msg: "you are not allowed to request " + params.path.join("/"), msg: "you are not allowed to request " + targetPath,
}, },
{ {
status: 403, status: 403,
@ -78,7 +89,7 @@ async function handle(
); );
} }
const targetUrl = `${endpoint + endpointPath}`; const targetUrl = `${endpoint}/${endpointPath}`;
const method = req.method; const method = req.method;
const shouldNotHaveBody = ["get", "head"].includes( const shouldNotHaveBody = ["get", "head"].includes(