Gin-vue-admin 2.50 has an arbitrary file read vulnerability.
An arbitrary file read/download vulnerability is a web security flaw that lets a requester retrieve files the application never meant to serve, such as application source code, database configuration files or /etc/passwd, leaving the site in an extremely insecure state.
The ExportExcel handler; the comment marks the ".." interception check that was added. This is an excerpt of server/api/v1/example/exa_excel.go, so the imports (gin, zap, strings and the project's global, response, example and excelService packages) are omitted here.
func (e *ExcelApi) ExportExcel(c *gin.Context) {
	var excelInfo example.ExcelInfo
	_ = c.ShouldBindJSON(&excelInfo)
	// Added interception logic: refuse any FileName that contains ".."
	if strings.Index(excelInfo.FileName, "..") > -1 {
		response.FailWithMessage("包含非法字符", c) // "contains illegal characters"
		return
	}
	// The file name is still appended to the configured directory by plain concatenation
	filePath := global.GVA_CONFIG.Excel.Dir + excelInfo.FileName
	err := excelService.ParseInfoList2Excel(excelInfo.InfoList, filePath)
	if err != nil {
		global.GVA_LOG.Error("转换Excel失败!", zap.Error(err)) // "Excel conversion failed!"
		response.FailWithMessage("转换Excel失败", c)          // "Excel conversion failed"
		return
	}
	c.Writer.Header().Add("success", "true")
	c.File(filePath)
}
The DownloadTemplate handler (lines 82 through 107 of the affected file), which builds the path from the unvalidated fileName query parameter:
// @Tags excel
// @Summary Download template
// @Security ApiKeyAuth
// @accept multipart/form-data
// @Produce application/json
// @Param fileName query string true "Template name"
// @Success 200
// @Router /excel/downloadTemplate [get]
func (e *ExcelApi) DownloadTemplate(c *gin.Context) {
	fileName := c.Query("fileName")
	// No check on fileName: "../" segments walk out of Excel.Dir
	filePath := global.GVA_CONFIG.Excel.Dir + fileName
	fi, err := os.Stat(filePath)
	if err != nil {
		global.GVA_LOG.Error("文件不存在!", zap.Error(err)) // "file does not exist!"
		response.FailWithMessage("文件不存在", c)          // "file does not exist"
		return
	}
	if fi.IsDir() {
		// err is nil on this branch; the original logs it anyway
		global.GVA_LOG.Error("不支持下载文件夹!", zap.Error(err)) // "downloading a directory is not supported!"
		response.FailWithMessage("不支持下载文件夹", c)          // "downloading a directory is not supported"
		return
	}
	c.Writer.Header().Add("success", "true")
	c.File(filePath) // serves whatever filePath resolved to
}
Impact
Gin-vue-admin 2.50 has an arbitrary file read vulnerability in the Excel example API. DownloadTemplate appends the fileName query parameter of GET /excel/downloadTemplate to global.GVA_CONFIG.Excel.Dir by plain string concatenation and passes the result to os.Stat and c.File with no path validation, so a value such as ../../etc/passwd is served as a download.
The requester can read any file the server process can read, including application source code and database configuration files, leaving the deployment in an extremely insecure state. The route is documented with @Security ApiKeyAuth, so the request is expected to carry a valid API token.
Patches
https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go
Workarounds
If you cannot upgrade, comment out lines 82 through 107 of the affected source file (https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go), which contain the DownloadTemplate handler shown above.
References
#1002
For more information
Affected source code: https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go. The fileName query parameter is used without any validation, so the code on lines 82 through 107 (the DownloadTemplate handler shown above) reads an arbitrary file.
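The traversal and its fix side by side, as an added example that is not part of this advisory or of the gin-vue-admin code base: it reproduces the unvalidated concatenation from DownloadTemplate, the ".." interception check from ExportExcel, and a stricter resolver that cleans the joined path and verifies it stays inside the Excel directory. The function names (vulnerableExcelPath, hasDotDot, safeExcelPath) and the directory /srv/excel/ are assumptions made for the example; in the project the directory comes from global.GVA_CONFIG.Excel.Dir.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrIllegalFileName is returned for a requested name that would resolve outside the Excel directory.
var ErrIllegalFileName = errors.New("file name resolves outside the Excel directory")

// vulnerableExcelPath reproduces the lookup in DownloadTemplate: the query value is
// concatenated onto the configured directory with no check at all, so "../" segments
// walk out of it. Kept here for comparison only.
func vulnerableExcelPath(dir, fileName string) string {
	return dir + fileName
}

// hasDotDot is the interception logic shown in ExportExcel: any ".." in the name is rejected.
// It stops traversal, but it also refuses legitimate names such as "..draft.xlsx".
func hasDotDot(fileName string) bool {
	return strings.Contains(fileName, "..")
}

// safeExcelPath (assumed name, not project code) joins fileName onto dir, lets
// path/filepath resolve every "." and ".." segment, and then requires the result to
// be a proper descendant of dir. An absolute fileName such as "/etc/passwd" is
// treated as relative to dir, so it cannot escape either.
func safeExcelPath(dir, fileName string) (string, error) {
	if fileName == "" || strings.ContainsRune(fileName, 0) {
		return "", ErrIllegalFileName
	}
	base := filepath.Clean(dir)
	target := filepath.Join(base, fileName) // Join runs Clean on the result
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrIllegalFileName
	}
	return target, nil
}

func main() {
	const dir = "/srv/excel/" // assumed value standing in for global.GVA_CONFIG.Excel.Dir
	// Constructed inputs: a normal template, a traversal, a name that cleans back inside, a ".."-prefixed name
	for _, name := range []string{"template.xlsx", "../../etc/passwd", "sub/../a.xlsx", "..draft.xlsx"} {
		fmt.Printf("%-20q concat=%-28q dotdot=%-5v", name, vulnerableExcelPath(dir, name), hasDotDot(name))
		if p, err := safeExcelPath(dir, name); err != nil {
			fmt.Println(" safe=rejected")
		} else {
			fmt.Printf(" safe=%q\n", p)
		}
	}
}
```

In the real handler the value returned by safeExcelPath would replace filePath before the os.Stat and c.File calls. The ".." check from ExportExcel relies on Excel.Dir ending in a path separator and misfires on names that merely start with "..", whereas cleaning the joined path and checking it against the base handles those cases and still rejects every traversal. For a flat template directory, requiring filepath.Base(fileName) == fileName is an even simpler rule.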