Skip to content

Commit

Permalink
Merge pull request ChatGPTNextWeb#4353 from H0llyW00dzZ/cherry-pick-w…
Browse files Browse the repository at this point in the history
…ebdav

[Cherry Pick] Fix Webdav Syncing Issues
  • Loading branch information
fred-bf authored Mar 21, 2024
2 parents 3ba984d + c0c54e5 commit ebbd870
Showing 1 changed file with 24 additions and 13 deletions.
37 changes: 24 additions & 13 deletions app/api/webdav/[...path]/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,28 @@ async function handle(

const requestUrl = new URL(req.url);
let endpoint = requestUrl.searchParams.get("endpoint");
if (!endpoint?.endsWith("/")) {
endpoint += "/";

// Validate the endpoint to prevent potential SSRF attacks
if (!endpoint || !endpoint.startsWith("/")) {
return NextResponse.json(
{
error: true,
msg: "Invalid endpoint",
},
{
status: 400,
},
);
}
const endpointPath = params.path.join("/");
const targetPath = `${endpoint}/${endpointPath}`;

// only allow MKCOL, GET, PUT
if (req.method !== "MKCOL" && req.method !== "GET" && req.method !== "PUT") {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
Expand All @@ -32,13 +43,13 @@ async function handle(

// for MKCOL request, only allow request ${folder}
if (
req.method == "MKCOL" &&
!new URL(endpointPath).pathname.endsWith(folder)
req.method === "MKCOL" &&
!targetPath.endsWith(folder)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
Expand All @@ -48,13 +59,13 @@ async function handle(

// for GET request, only allow request ending with fileName
if (
req.method == "GET" &&
!new URL(endpointPath).pathname.endsWith(fileName)
req.method === "GET" &&
!targetPath.endsWith(fileName)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
Expand All @@ -64,21 +75,21 @@ async function handle(

// for PUT request, only allow request ending with fileName
if (
req.method == "PUT" &&
!new URL(endpointPath).pathname.endsWith(fileName)
req.method === "PUT" &&
!targetPath.endsWith(fileName)
) {
return NextResponse.json(
{
error: true,
msg: "you are not allowed to request " + params.path.join("/"),
msg: "you are not allowed to request " + targetPath,
},
{
status: 403,
},
);
}

const targetUrl = `${endpoint + endpointPath}`;
const targetUrl = `${endpoint}/${endpointPath}`;

const method = req.method;
const shouldNotHaveBody = ["get", "head"].includes(
Expand Down

0 comments on commit ebbd870

Please sign in to comment.