
fix: uncontrolled data used in path expression

Jacky 9 luni în urmă
părinte
comite
013d810678

+ 5 - 2
api/certificate/certificate.go

@@ -4,6 +4,7 @@ import (
 	"github.com/0xJacky/Nginx-UI/api"
 	"github.com/0xJacky/Nginx-UI/internal/cert"
 	"github.com/0xJacky/Nginx-UI/internal/cosy"
+	"github.com/0xJacky/Nginx-UI/internal/helper"
 	"github.com/0xJacky/Nginx-UI/internal/nginx"
 	"github.com/0xJacky/Nginx-UI/internal/notification"
 	"github.com/0xJacky/Nginx-UI/model"
@@ -25,7 +26,8 @@ type APICertificate struct {
 func Transformer(certModel *model.Cert) (certificate *APICertificate) {
 	var sslCertificationBytes, sslCertificationKeyBytes []byte
 	var certificateInfo *cert.Info
-	if certModel.SSLCertificatePath != "" {
+	if certModel.SSLCertificatePath != "" &&
+		helper.IsUnderDirectory(certModel.SSLCertificatePath, nginx.GetConfPath()) {
 		if _, err := os.Stat(certModel.SSLCertificatePath); err == nil {
 			sslCertificationBytes, _ = os.ReadFile(certModel.SSLCertificatePath)
 			if !cert.IsCertificate(string(sslCertificationBytes)) {
@@ -36,7 +38,8 @@ func Transformer(certModel *model.Cert) (certificate *APICertificate) {
 		certificateInfo, _ = cert.GetCertInfo(certModel.SSLCertificatePath)
 	}
 
-	if certModel.SSLCertificateKeyPath != "" {
+	if certModel.SSLCertificateKeyPath != "" &&
+		helper.IsUnderDirectory(certModel.SSLCertificateKeyPath, nginx.GetConfPath()) {
 		if _, err := os.Stat(certModel.SSLCertificateKeyPath); err == nil {
 			sslCertificationKeyBytes, _ = os.ReadFile(certModel.SSLCertificateKeyPath)
 			if !cert.IsPrivateKey(string(sslCertificationKeyBytes)) {
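Review bot: The guards added on lines 26-27 and 36-37 are only as strong as the normalization inside `helper.IsUnderDirectory`, which is not visible here; unless it cleans both arguments (`filepath.Abs`/`filepath.Clean`, ideally `filepath.EvalSymlinks` on the candidate) and compares on a path-separator boundary, a `..` segment or a sibling directory that merely shares the conf-path prefix would still pass, so it is worth confirming that before relying on it in four places. When the check fails, Transformer silently returns a certificate with empty content and a nil `certificateInfo`, whereas `GetCertInfo` in `internal/cert/cert_info.go` now reports the same condition as an error; a log line here would keep the two consistent instead of making the record look merely empty. `nginx.GetConfPath()` is evaluated once per guard; hoisting it into a local at the top of the function, `confPath := nginx.GetConfPath()`, removes the repetition. Transformer's body continues past both hunks.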

+ 1 - 1
api/config/modify.go

@@ -47,7 +47,7 @@ func EditConfig(c *gin.Context) {
 		return
 	}
 
-	if _, err := os.Stat(path); os.IsNotExist(err) {
+	if !helper.FileExists(path) {
 		c.JSON(http.StatusNotFound, gin.H{
 			"message": "file not found",
 		})
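Review bot: Replacing the `os.IsNotExist` test on line 50 with `!helper.FileExists(path)` presumably widens the 404: a stat failure for any other reason (permission denied, a path component that is not a directory) is now also reported as "file not found", whereas before it fell through to whatever follows and surfaced there — confirm `FileExists` distinguishes these cases, or keep the `os.Stat`/`os.IsNotExist` pair here. Given the commit subject, this handler is also a natural place for the same `helper.IsUnderDirectory(path, nginx.GetConfPath())` guard the other files receive; if `path` is already confined above the hunk, a one-line comment before line 50 saying so (`// path was confined to the nginx conf dir above`) saves the next reader the check. EditConfig starts and ends outside the hunk.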

+ 1 - 1
app/src/version.json

@@ -1 +1 @@
-{"version":"2.0.0-beta.29","build_id":152,"total_build":356}
+{"version":"2.0.0-beta.29","build_id":154,"total_build":358,"status_hash":"4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"}

+ 6 - 0
internal/cert/cert_info.go

@@ -3,6 +3,8 @@ package cert
 import (
 	"crypto/x509"
 	"encoding/pem"
+	"github.com/0xJacky/Nginx-UI/internal/helper"
+	"github.com/0xJacky/Nginx-UI/internal/nginx"
 	"github.com/pkg/errors"
 	"os"
 	"time"
@@ -16,6 +18,10 @@ type Info struct {
 }
 
 func GetCertInfo(sslCertificatePath string) (info *Info, err error) {
+	if !helper.IsUnderDirectory(sslCertificatePath, nginx.GetConfPath()) {
+		err = errors.New("ssl certificate path is not under the nginx conf path")
+		return
+	}
 	certData, err := os.ReadFile(sslCertificatePath)
 	if err != nil {
 		err = errors.Wrap(err, "error read certificate")
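Review bot: The guard on lines 78-81 checks the lexical path, but `os.ReadFile` on line 82 follows symlinks, so a link inside the conf directory that points elsewhere is still read; if `helper.IsUnderDirectory` does not already resolve its first argument, consider `resolved, err := filepath.EvalSymlinks(sslCertificatePath)` (needs `path/filepath`) and running both the check and the read on `resolved`. The import block on lines 67-73 now interleaves module imports with the standard library; `goimports` would keep `crypto/x509`, `encoding/pem`, `os`, `time` in one group and the `github.com/...` imports in a second, blank-line separated. GetCertInfo continues outside the hunk.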

+ 3 - 3
internal/cert/payload.go

@@ -53,15 +53,15 @@ func (c *ConfigPayload) GetKeyType() certcrypto.KeyType {
 
 func (c *ConfigPayload) mkCertificateDir() (err error) {
 	dir := c.getCertificateDirPath()
-	if _, err = os.Stat(dir); os.IsNotExist(err) {
+	if !helper.FileExists(dir) {
 		err = os.MkdirAll(dir, 0755)
 		if err == nil {
 			return nil
 		}
 	}
 
-	// For windows, replace # with * (issue #403)
-	c.CertificateDir = strings.ReplaceAll(c.CertificateDir, "#", "*")
+	// For windows, replace * with # (issue #403)
+	c.CertificateDir = strings.ReplaceAll(c.CertificateDir, "*", "#")
 	if _, err = os.Stat(c.CertificateDir); os.IsNotExist(err) {
 		err = os.MkdirAll(c.CertificateDir, 0755)
 		if err == nil {
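Review bot: Lines 103-104 invert the replacement direction (`#`→`*` becomes `*`→`#`), a behaviour change in how the certificate directory is named that the commit subject does not cover; it deserves its own commit or at least a sentence in the description. The new direction looks like the intended one (`*` is not a legal file-name character on Windows), so the comment should give the reason rather than restate the mapping, e.g. `// Windows forbids '*' in file names; store wildcard domains with '#' instead (issue #403)`. Note also that when `dir` already exists on line 94 the function still falls through and rewrites `c.CertificateDir`, so the rename is not confined to the fallback; an explicit `return nil` when `helper.FileExists(dir)` is true would make the control flow match the comment. mkCertificateDir ends outside the hunk.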

+ 5 - 0
internal/chatbot/context.go

@@ -33,6 +33,11 @@ func (c *includeContext) extractIncludes(filename string) {
 		return
 	}
 
+	if !helper.IsUnderDirectory(filename, nginx.GetConfPath()) {
+		logger.Error("File is not under the nginx conf path: ", filename)
+		return
+	}
+
 	// Read the file content
 	content, err := os.ReadFile(filename)
 	if err != nil {
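Review bot: Lines 116-119 are the fourth copy in this commit of `helper.IsUnderDirectory(x, nginx.GetConfPath())`, and each site handles a miss differently (silent skip in `api/certificate/certificate.go`, returned error in `internal/cert/cert_info.go`, log-and-return here); a single `nginx.IsUnderConfPath(path string) bool` or an `ErrOutsideConfPath` sentinel in one package would make the policy uniform and leave one place to tighten normalization later. The `logger.Error` on line 117 usefully records the offending path; if the including file is in scope on the receiver, adding it to the message would let the rejected `include` directive be located. extractIncludes starts and ends outside the hunk.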

+ 3 - 0
internal/helper/tar.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func UnTar(dst, src string) (err error) {
@@ -37,6 +38,8 @@ func UnTar(dst, src string) (err error) {
 				return errors.Wrap(err, "unTar tr.Next() error")
 			case hdr == nil:
 				return
+			case strings.Contains(hdr.Name, ".."):
+				return
 			}
 
 			dstFileDir := filepath.Join(dst, hdr.Name)
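Review bot: The new `case` on lines 140-141 returns with a nil `err`, so a tar entry containing `..` silently ends extraction and the caller cannot tell a truncated tree from a complete one; it should return an error. The substring test is also both too broad (a legitimate `notes..txt` aborts the whole archive) and too narrow (it says nothing about where the joined path actually lands); the usual guard is to compute `dstFileDir` and verify with `filepath.Rel` that it stays inside `dst`, as below, replacing the added `case`. Symlink and hardlink entries (`hdr.Typeflag`) need the same check on their link target if the loop handles them, which is outside this hunk. UnTar's body continues past the hunk.
```go
			dstFileDir := filepath.Join(dst, hdr.Name)
			// Reject entries that would land outside dst; Join already cleans
			// the result, so Rel yields a leading ".." only for an escape.
			rel, relErr := filepath.Rel(dst, dstFileDir)
			if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
				return errors.New("unTar: entry path escapes destination directory")
			}
			// … unchanged: per-entry extraction …
```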