tech/tanabata
1
1
Fork 0
Code Pull Requests Actions Releases Activity

fix(backend): enforce file ACL on file-tag and import endpoints

Browse Source 
Two broken-access-control holes:

- PUT/DELETE /files/:id/tags(/:tag_id) and GET /files/:id/tags went
  straight to TagService with no ACL check, letting any authenticated
  user read or rewrite tags on anyone's private files. The handlers now
  require view (list) or edit (mutate) on the target file via new
  FileService.AuthorizeView/AuthorizeEdit helpers.

- POST /files/import accepted an arbitrary host path from any user,
  turning it into an arbitrary server-side file read. It is now
  admin-only and the supplied path is confined to IMPORT_PATH.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Masahiko AMANO
2026-06-10 13:59:33 +03:00
parent a6680b1c05
commit 945df7ef8a
3 changed files with 87 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/internal/handler/file_handler.go
+6
View File
@@ -613,6 +613,12 @@ func (h *FileHandler) CommonTags(c *gin.Context) {
// ---------------------------------------------------------------------------
func (h *FileHandler) Import(c *gin.Context) {
// Server-side directory import reads arbitrary paths on the host; restrict
// it to administrators.
if !requireAdmin(c) {
return
}
var body struct {
Path string `json:"path"`
}