security issue - CVE-2023-29401

Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function References gin-gonic/gin#3555 gin-gonic/gin#3556 https://pkg.go.dev/vuln/GO-2023-1737
2025-04-19 21:42:24 +00:00 · 2023-05-15 15:59:27 +03:30 · 2023-05-15 15:59:27 +03:30 · 1dc5452f1d
commit 1dc5452f1d
parent a0daf2fae2
1 changed files with 19 additions and 1 deletions
--- a/web/controller/server.go
+++ b/web/controller/server.go
@ -1,6 +1,9 @@
 package controller

 import (
+	"fmt"
+	"net/http"
+	"regexp"
 	"time"
 	"x-ui/web/global"
 	"x-ui/web/service"
@ -8,6 +11,8 @@ import (
 	"github.com/gin-gonic/gin"
 )

+var filenameRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-.]+$`)
+
 type ServerController struct {
 	BaseController

@ -136,14 +141,27 @@ func (a *ServerController) getDb(c *gin.Context) {
 		jsonMsg(c, "get Database", err)
 		return
 	}
+
+	filename := "x-ui.db"
+
+	if !isValidFilename(filename) {
+		c.AbortWithError(http.StatusBadRequest, fmt.Errorf("invalid filename"))
+		return
+	}
+
 	// Set the headers for the response
 	c.Header("Content-Type", "application/octet-stream")
-	c.Header("Content-Disposition", "attachment; filename=x-ui.db")
+	c.Header("Content-Disposition", "attachment; filename="+filename)

 	// Write the file contents to the response
 	c.Writer.Write(db)
 }

+func isValidFilename(filename string) bool {
+	// Validate that the filename only contains allowed characters
+	return filenameRegex.MatchString(filename)
+}
+
 func (a *ServerController) importDB(c *gin.Context) {
 	// Get the file from the request body
 	file, _, err := c.Request.FormFile("db")