Extra argument validation.

Ylian Saint-Hilaire 2025-02-25 19:57:27 -08:00
parent fe2f12149d
commit f19ad6c664
2 changed files with 3 additions and 2 deletions


@ -585,6 +585,7 @@ function CreateMeshCentralServer(config, args) {
const child_process = require('child_process'); const child_process = require('child_process');
try { if (process.traceDeprecation === true) { startArgs.unshift('--trace-deprecation'); } } catch (ex) { } try { if (process.traceDeprecation === true) { startArgs.unshift('--trace-deprecation'); } } catch (ex) { }
try { if (process.traceProcessWarnings === true) { startArgs.unshift('--trace-warnings'); } } catch (ex) { } try { if (process.traceProcessWarnings === true) { startArgs.unshift('--trace-warnings'); } } catch (ex) { }
if (startArgs[0] != "--disable-proto=delete") startArgs.unshift("--disable-proto=delete")
childProcess = child_process.execFile(process.argv[0], startArgs, { maxBuffer: Infinity, cwd: obj.parentpath }, function (error, stdout, stderr) { childProcess = child_process.execFile(process.argv[0], startArgs, { maxBuffer: Infinity, cwd: obj.parentpath }, function (error, stdout, stderr) {
if (childProcess.xrestart == 1) { if (childProcess.xrestart == 1) {
setTimeout(function () { obj.launchChildServer(startArgs); }, 500); // This is an expected restart. setTimeout(function () { obj.launchChildServer(startArgs); }, 500); // This is an expected restart.
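Review bot: The `startArgs[0]` test on the added line only recognises the flag when it is the first element, yet the two `unshift` calls just above it can put `--trace-deprecation` or `--trace-warnings` in front of it on a later call. The restart path at the end of this hunk passes the same `startArgs` array back into `obj.launchChildServer`, so whenever a trace flag is set each restart would presumably prepend another `--disable-proto=delete`. A membership test avoids that: `if (!startArgs.includes('--disable-proto=delete')) { startArgs.unshift('--disable-proto=delete'); }`. A comment such as `// Remove Object.prototype.__proto__ in the child process to limit prototype-pollution impact` would record why the flag is there, and it is worth confirming that the oldest supported Node version accepts the option, since an unrecognised node option prevents the child from starting. The enclosing function starts and ends outside the hunk.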


@ -928,7 +928,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Get a short file and send it back on the web socket // Get a short file and send it back on the web socket
if (common.validateString(command.file, 1, 4096) == false) return; if (common.validateString(command.file, 1, 4096) == false) return;
const scpath = meshPathToRealPath(command.path, user); // This will also check access rights const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
if (scpath == null) break; if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
const filePath = parent.path.join(scpath, command.file); const filePath = parent.path.join(scpath, command.file);
fs.stat(filePath, function (err, stat) { fs.stat(filePath, function (err, stat) {
if ((err != null) || (stat == null) || (stat.size >= 204800)) return; if ((err != null) || (stat == null) || (stat.size >= 204800)) return;
@ -943,7 +943,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (common.validateString(command.file, 1, 4096) == false) return; if (common.validateString(command.file, 1, 4096) == false) return;
if (typeof command.data != 'string') return; if (typeof command.data != 'string') return;
const scpath = meshPathToRealPath(command.path, user); // This will also check access rights const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
if (scpath == null) break; if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
const filePath = parent.path.join(scpath, command.file); const filePath = parent.path.join(scpath, command.file);
var data = null; var data = null;
try { data = Buffer.from(command.data, 'base64'); } catch (ex) { return; } try { data = Buffer.from(command.data, 'base64'); } catch (ex) { return; }
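Review bot: The basename comparison added in both hunks still accepts a `command.file` of `.` or `..`, because `path.basename('..')` returns `..` unchanged, so `parent.path.join(scpath, command.file)` can resolve to `scpath` itself or to its parent directory. The file operations that follow are outside the hunks and would likely fail on a directory, but the guard should reject these names explicitly: `if ((scpath == null) || (command.file !== parent.path.basename(command.file)) || (command.file === '.') || (command.file === '..')) break;`. Since the same condition now appears twice, a small helper carrying a comment like `// command.file must be a bare file name with no directory components` would keep the two call sites in step. The check does not address symbolic links inside `scpath`; whether that matters depends on how `meshPathToRealPath` confines the directory, which is not visible here.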