Home Explore Help
Sign In
TC
/
arozos
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b23ce82990
Branches Tags
arozos
/
mod
/
agi
/
static.go

static.go 3.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. package agi
    2. 

  2. 

  3. import (
    4. 

  4. 	"net/url"
    5. 

  5. 	"path/filepath"
    6. 

  6. 	"strings"
    7. 

  7. 

  8. 	"github.com/robertkrimen/otto"
    9. 

  9. 	"imuslab.com/arozos/mod/filesystem"
    10. 

  10. 	"imuslab.com/arozos/mod/filesystem/arozfs"
    11. 

  11. 	user "imuslab.com/arozos/mod/user"
    12. 

  12. 	"imuslab.com/arozos/mod/utils"
    13. 

  13. )
    14. 

  14. 

  15. //Get the full vpath if the passing value is a relative path
    16. 

  16. //Return the original vpath if any error occured
    17. 

  17. func relativeVpathRewrite(fsh *filesystem.FileSystemHandler, vpath string, vm *otto.Otto, u *user.User) string {
    18. 

  18. 	//Check if the vpath contain a UUID
    19. 

  19. 	if strings.Contains(vpath, ":/") || (len(vpath) > 0 && vpath[len(vpath)-1:] == ":") {
    20. 

  20. 		//This vpath contain root uuid.
    21. 

  21. 		return vpath
    22. 

  22. 	}
    23. 

  23. 

  24. 	//We have no idea where the script is from. Trust its vpath is always full path
    25. 

  25. 	if fsh == nil {
    26. 

  26. 		return vpath
    27. 

  27. 	}
    28. 

  28. 

  29. 	//Get the script execution root path
    30. 

  30. 	rootPath, err := vm.Get("__FILE__")
    31. 

  31. 	if err != nil {
    32. 

  32. 		return vpath
    33. 

  33. 	}
    34. 

  34. 

  35. 	rootPathString, err := rootPath.ToString()
    36. 

  36. 	if err != nil {
    37. 

  37. 		return vpath
    38. 

  38. 	}
    39. 

  39. 

  40. 	//Convert the root path to vpath
    41. 

  41. 	rootVpath, err := fsh.FileSystemAbstraction.RealPathToVirtualPath(rootPathString, u.Username)
    42. 

  42. 	if err != nil {
    43. 

  43. 		return vpath
    44. 

  44. 	}
    45. 

  45. 

  46. 	rootScriptDir := filepath.Dir(rootVpath)
    47. 

  47. 	return arozfs.ToSlash(filepath.Clean(filepath.Join(rootScriptDir, vpath)))
    48. 

  48. }
    49. 

  49. 

  50. //Check if the user can access this script file
    51. 

  51. func checkUserAccessToScript(thisuser *user.User, scriptFile string, scriptScope string) bool {
    52. 

  52. 	moduleName := getScriptRoot(scriptFile, scriptScope)
    53. 

  53. 	if !thisuser.GetModuleAccessPermission(moduleName) {
    54. 

  54. 		return false
    55. 

  55. 	}
    56. 

  56. 	return true
    57. 

  57. }
    58. 

  58. 

  59. //validate the given path is a script from webroot
    60. 

  60. func isValidAGIScript(scriptPath string) bool {
    61. 

  61. 	return utils.FileExists(filepath.Join("./web", scriptPath)) && (filepath.Ext(scriptPath) == ".js" || filepath.Ext(scriptPath) == ".agi")
    62. 

  62. }
    63. 

  63. 

  64. //Return the script root of the current executing script
    65. 

  65. func getScriptRoot(scriptFile string, scriptScope string) string {
    66. 

  66. 	//Get the script root from the script path
    67. 

  67. 	webRootAbs, _ := filepath.Abs(scriptScope)
    68. 

  68. 	webRootAbs = filepath.ToSlash(filepath.Clean(webRootAbs) + "/")
    69. 

  69. 	scriptFileAbs, _ := filepath.Abs(scriptFile)
    70. 

  70. 	scriptFileAbs = filepath.ToSlash(filepath.Clean(scriptFileAbs))
    71. 

  71. 	scriptRoot := strings.Replace(scriptFileAbs, webRootAbs, "", 1)
    72. 

  72. 	scriptRoot = strings.Split(scriptRoot, "/")[0]
    73. 

  73. 	return scriptRoot
    74. 

  74. }
    75. 

  75. 

  76. //For handling special url decode in the request
    77. 

  77. func specialURIDecode(inputPath string) string {
    78. 

  78. 	inputPath = strings.ReplaceAll(inputPath, "+", "{{plus_sign}}")
    79. 

  79. 	inputPath, _ = url.QueryUnescape(inputPath)
    80. 

  80. 	inputPath = strings.ReplaceAll(inputPath, "{{plus_sign}}", "+")
    81. 

  81. 	return inputPath
    82. 

  82. }
    83. 

  83. 

  84. //Check if the target path is escaping the rootpath, accept relative and absolute path
    85. 

  85. func checkRootEscape(rootPath string, targetPath string) (bool, error) {
    86. 

  86. 	rootAbs, err := filepath.Abs(rootPath)
    87. 

  87. 	if err != nil {
    88. 

  88. 		return true, err
    89. 

  89. 	}
    90. 

  90. 

  91. 	targetAbs, err := filepath.Abs(targetPath)
    92. 

  92. 	if err != nil {
    93. 

  93. 		return true, err
    94. 

  94. 	}
    95. 

  95. 

  96. 	if len(targetAbs) < len(rootAbs) || targetAbs[:len(rootAbs)] != rootAbs {
    97. 

  97. 		//Potential path escape. Return true
    98. 

  98. 		return true, nil
    99. 

  99. 	}
    100. 

  100. 

  101. 	return false, nil
    102. 

  102. }
    103.