Tightening security in APIs

rxtur · rxtur · commit 3e2ae11f6be8 · 2019-05-10T23:59:29.000-05:00
diff --git a/src/Core/Api/AssetsController.cs b/src/Core/Api/AssetsController.cs
@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using System.Linq;
+using Microsoft.AspNetCore.Authorization;
 
 namespace Core.Api
 {
@@ -40,20 +41,20 @@ public async Task<AssetsModel> Get(int page = 1, string filter = "", string sear
             {
                 if (filter == "filterImages")
                 {
-                    items = await _store.Find(a => a.AssetType == AssetType.Image, pager);
+                    items = await _store.Find(a => a.AssetType == AssetType.Image, pager, "", !User.Identity.IsAuthenticated);
                 }
                 else if (filter == "filterAttachments")
                 {
-                    items = await _store.Find(a => a.AssetType == AssetType.Attachment, pager);
+                    items = await _store.Find(a => a.AssetType == AssetType.Attachment, pager, "", !User.Identity.IsAuthenticated);
                 }
                 else
                 {
-                    items = await _store.Find(null, pager);
+                    items = await _store.Find(null, pager, "", !User.Identity.IsAuthenticated);
                 }
             }
             else
             {
-                items = await _store.Find(a => a.Title.Contains(search), pager);
+                items = await _store.Find(a => a.Title.Contains(search), pager, "", !User.Identity.IsAuthenticated);
             }
 
             if (page < 1 || page > pager.LastPage)
@@ -110,11 +111,12 @@ public async Task<AssetItem> Pick(string type, string asset, string post)
         }
 
         /// <summary>
-        /// Upload file(s) to user data store
+        /// Upload file(s) to user data store, authentication required
         /// </summary>
         /// <param name="files">Selected files</param>
         /// <returns>Success or internal error</returns>
         [HttpPost("upload")]
+        [Authorize]
         public async Task<IActionResult> Upload(ICollection<IFormFile> files)
         {
             try
@@ -137,6 +139,7 @@ public async Task<IActionResult> Upload(ICollection<IFormFile> files)
         /// <param name="url">Relative URL of the file to remove</param>
         /// <returns></returns>
         [HttpDelete("remove")]
+        [Authorize]
         public IActionResult Remove(string url)
         {
             try
diff --git a/src/Core/CoreAPI.xml b/src/Core/CoreAPI.xml
diff --git a/src/Core/Extensions/StringExtensions.cs b/src/Core/Extensions/StringExtensions.cs
@@ -212,6 +212,22 @@ static string RemoveExtraHyphen(string text)
             return text;
         }
 
+        public static string SanitizePath(this string str)
+        {
+            if (str.Contains("..") || str.Contains("//"))
+                throw new ApplicationException("Invalid directory path");
+
+            return str;
+        }
+
+        public static string SanitizeFileName(this string str)
+        {
+            if (str.Contains("..") || str.Contains("//") || str.Count(x => x == '.') > 1)
+                throw new ApplicationException("Invalid file name");
+
+            return str;
+        }
+
         #endregion
     }
 }
diff --git a/src/Core/Services/StorageService.cs b/src/Core/Services/StorageService.cs
@@ -32,7 +32,7 @@ public interface IStorageService
 
         string GetHtmlTemplate(string template);
 
-        Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "");
+        Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "", bool sanitize = false);
 
         Task Reset();
     }
@@ -254,7 +254,7 @@ public async Task<AssetItem> UploadFromWeb(Uri requestUri, string root, string p
             }
         }
 
-        public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "")
+        public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "", bool sanitize = false)
         {
             var skip = pager.CurrentPage * pager.ItemsPerPage - pager.ItemsPerPage;
             var files = GetAssets(path);
@@ -267,6 +267,14 @@ public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate,
 
             var page = items.Skip(skip).Take(pager.ItemsPerPage).ToList();
 
+            if (sanitize)
+            {
+                foreach (var p in page)
+                {
+                    p.Path = "";
+                }
+            }
+
             return await Task.FromResult(page);
         }
 
@@ -331,6 +339,8 @@ public async Task Reset()
 
         void VerifyPath(string path)
         {
+            path = path.SanitizePath();
+
             if (!string.IsNullOrEmpty(path))
             {
                 var dir = Path.Combine(Location, path);
@@ -373,7 +383,7 @@ string GetFileName(string fileName)
                 Random rnd = new Random();
                 fileName = fileName.Replace("mceclip0", rnd.Next(100000, 999999).ToString());
             }
-            return fileName;
+            return fileName.SanitizeFileName();
         }
 
         string GetUrl(string path, string root)
@@ -444,7 +454,7 @@ string TitleFromUri(Uri uri)
 
             title = title.Replace(" ", "-");
 
-            return title.Replace("/", "");
+            return title.Replace("/", "").SanitizeFileName();
         }
 
         List<AssetItem> MapFilesToAssets(IList<string> assets)

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`using System.Collections.Generic;`
`8`	`8`	`using System.Threading.Tasks;`
`9`	`9`	`using System.Linq;`
	`10`	`+using Microsoft.AspNetCore.Authorization;`
`10`	`11`
`11`	`12`	`namespace Core.Api`
`12`	`13`	`{`
`@@ -40,20 +41,20 @@ public async Task<AssetsModel> Get(int page = 1, string filter = "", string sear`
`40`	`41`	`{`
`41`	`42`	`if (filter == "filterImages")`
`42`	`43`	`{`
`43`		`- items = await _store.Find(a => a.AssetType == AssetType.Image, pager);`
	`44`	`+ items = await _store.Find(a => a.AssetType == AssetType.Image, pager, "", !User.Identity.IsAuthenticated);`
`44`	`45`	`}`
`45`	`46`	`else if (filter == "filterAttachments")`
`46`	`47`	`{`
`47`		`- items = await _store.Find(a => a.AssetType == AssetType.Attachment, pager);`
	`48`	`+ items = await _store.Find(a => a.AssetType == AssetType.Attachment, pager, "", !User.Identity.IsAuthenticated);`
`48`	`49`	`}`
`49`	`50`	`else`
`50`	`51`	`{`
`51`		`- items = await _store.Find(null, pager);`
	`52`	`+ items = await _store.Find(null, pager, "", !User.Identity.IsAuthenticated);`
`52`	`53`	`}`
`53`	`54`	`}`
`54`	`55`	`else`
`55`	`56`	`{`
`56`		`- items = await _store.Find(a => a.Title.Contains(search), pager);`
	`57`	`+ items = await _store.Find(a => a.Title.Contains(search), pager, "", !User.Identity.IsAuthenticated);`
`57`	`58`	`}`
`58`	`59`
`59`	`60`	`if (page < 1 \|\| page > pager.LastPage)`
`@@ -110,11 +111,12 @@ public async Task<AssetItem> Pick(string type, string asset, string post)`
`110`	`111`	`}`
`111`	`112`
`112`	`113`	`/// <summary>`
`113`		`- /// Upload file(s) to user data store`
	`114`	`+ /// Upload file(s) to user data store, authentication required`
`114`	`115`	`/// </summary>`
`115`	`116`	`/// <param name="files">Selected files</param>`
`116`	`117`	`/// <returns>Success or internal error</returns>`
`117`	`118`	`[HttpPost("upload")]`
	`119`	`+ [Authorize]`
`118`	`120`	`public async Task<IActionResult> Upload(ICollection<IFormFile> files)`
`119`	`121`	`{`
`120`	`122`	`try`
`@@ -137,6 +139,7 @@ public async Task<IActionResult> Upload(ICollection<IFormFile> files)`
`137`	`139`	`/// <param name="url">Relative URL of the file to remove</param>`
`138`	`140`	`/// <returns></returns>`
`139`	`141`	`[HttpDelete("remove")]`
	`142`	`+ [Authorize]`
`140`	`143`	`public IActionResult Remove(string url)`
`141`	`144`	`{`
`142`	`145`	`try`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public interface IStorageService`
`32`	`32`
`33`	`33`	`string GetHtmlTemplate(string template);`
`34`	`34`
`35`		`- Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "");`
	`35`	`+ Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "", bool sanitize = false);`
`36`	`36`
`37`	`37`	`Task Reset();`
`38`	`38`	`}`
`@@ -254,7 +254,7 @@ public async Task<AssetItem> UploadFromWeb(Uri requestUri, string root, string p`
`254`	`254`	`}`
`255`	`255`	`}`
`256`	`256`
`257`		`- public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "")`
	`257`	`+ public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate, Pager pager, string path = "", bool sanitize = false)`
`258`	`258`	`{`
`259`	`259`	`var skip = pager.CurrentPage * pager.ItemsPerPage - pager.ItemsPerPage;`
`260`	`260`	`var files = GetAssets(path);`
`@@ -267,6 +267,14 @@ public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate,`
`267`	`267`
`268`	`268`	`var page = items.Skip(skip).Take(pager.ItemsPerPage).ToList();`
`269`	`269`
	`270`	`+ if (sanitize)`
	`271`	`+ {`
	`272`	`+ foreach (var p in page)`
	`273`	`+ {`
	`274`	`+ p.Path = "";`
	`275`	`+ }`
	`276`	`+ }`
	`277`	`+`
`270`	`278`	`return await Task.FromResult(page);`
`271`	`279`	`}`
`272`	`280`
`@@ -331,6 +339,8 @@ public async Task Reset()`
`331`	`339`
`332`	`340`	`void VerifyPath(string path)`
`333`	`341`	`{`
	`342`	`+ path = path.SanitizePath();`
	`343`	`+`
`334`	`344`	`if (!string.IsNullOrEmpty(path))`
`335`	`345`	`{`
`336`	`346`	`var dir = Path.Combine(Location, path);`
`@@ -373,7 +383,7 @@ string GetFileName(string fileName)`
`373`	`383`	`Random rnd = new Random();`
`374`	`384`	`fileName = fileName.Replace("mceclip0", rnd.Next(100000, 999999).ToString());`
`375`	`385`	`}`
`376`		`- return fileName;`
	`386`	`+ return fileName.SanitizeFileName();`
`377`	`387`	`}`
`378`	`388`
`379`	`389`	`string GetUrl(string path, string root)`
`@@ -444,7 +454,7 @@ string TitleFromUri(Uri uri)`
`444`	`454`
`445`	`455`	`title = title.Replace(" ", "-");`
`446`	`456`
`447`		`- return title.Replace("/", "");`
	`457`	`+ return title.Replace("/", "").SanitizeFileName();`
`448`	`458`	`}`
`449`	`459`
`450`	`460`	`List<AssetItem> MapFilesToAssets(IList<string> assets)`