fix(security): resolve multiple vulnerabilities.

Vulnerability identified and fix provided by Kolega.dev (https://kolega.dev)
This commit is contained in:
Aaron Liu
2026-01-14 12:39:42 +08:00
parent f01ed64bdb
commit e8f965e980
5 changed files with 21 additions and 4 deletions


@@ -67,7 +67,7 @@ func NewRawEntClient(l logging.Logger, config conf.ConfigProvider) (*ent.Client,
} }
// If Database connection string provided, use it directly. // If Database connection string provided, use it directly.
if dbConfig.DatabaseURL != "" { if dbConfig.DatabaseURL != "" {
l.Info("Connect to database with connection string %q.", dbConfig.DatabaseURL) l.Info("Connect to database with connection string")
client, err = sql.Open(string(confDBType), dbConfig.DatabaseURL) client, err = sql.Open(string(confDBType), dbConfig.DatabaseURL)
} else { } else {
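Review bot: Dropping the DSN from the log call on line 17 removes the secret but also every hint of which database was targeted, so connection failures are now harder to diagnose; keep the non-secret part by logging the driver name, `l.Info("Connect to database with connection string (driver %q).", confDBType)`. If the DSN is URL-shaped, redacting only the password (for example via `url.Parse` and `URL.Redacted()`) would preserve host and database name as well — hedged, since the DSN formats this path accepts are not visible here. NewRawEntClient begins and ends outside this hunk.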


@@ -600,7 +600,7 @@ func withUserEagerLoading(ctx context.Context, q *ent.UserQuery) *ent.UserQuery
func digestPassword(password string) (string, error) { func digestPassword(password string) (string, error) {
//生成16位 Salt //生成16位 Salt
salt := util.RandStringRunes(16) salt := util.RandStringRunesCrypto(32)
//计算 Salt 和密码组合的SHA1摘要 //计算 Salt 和密码组合的SHA1摘要
hash := sha256.New() hash := sha256.New()
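Review bot: The comment above the new salt call still says a 16-character salt is generated and the next one still says SHA1, while the new side requests 32 runes and uses sha256; replace them with `// generate a 32-rune salt from crypto/rand` and `// digest salt+password with SHA-256`. A larger point the commit leaves open: a single SHA-256 over salt+password is fast to brute-force offline, so a deliberately slow KDF (bcrypt or argon2id from golang.org/x/crypto) would be the substantive fix — the rest of digestPassword and its verify counterpart are outside this hunk, so the stored format may constrain that. Note also that RandStringRunesCrypto as added in this commit falls back to math/rand when crypto/rand fails, so the salt is not guaranteed to be CSPRNG-derived.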


@@ -3,6 +3,7 @@ package auth
import ( import (
"crypto/hmac" "crypto/hmac"
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"encoding/base64" "encoding/base64"
"io" "io"
"strconv" "strconv"
@@ -49,7 +50,7 @@ func (auth HMACAuth) Check(body string, sign string) error {
} }
// 验证签名 // 验证签名
if auth.Sign(body, expires) != sign { if subtle.ConstantTimeCompare([]byte(auth.Sign(body, expires)), []byte(sign)) != 1 {
return serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil) return serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil)
} }
return nil return nil
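Review bot: The `// 验证签名` comment above the new compare does not say why the plain `!=` was replaced, which is exactly the kind of line a later cleanup might revert; suggest `// constant-time compare: a plain != leaks how many leading bytes matched`. `subtle.ConstantTimeCompare` still returns 0 immediately when the lengths differ, which is acceptable here because the expected signature's length is not secret. The `expires` parsing and any expiry check precede this hunk, so they could not be reviewed.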


@@ -154,7 +154,7 @@ func (m *manager) ConfirmUploadSession(ctx context.Context, session *fs.UploadSe
} }
// Confirm locks on placeholder file // Confirm locks on placeholder file
if session.LockToken == "" { if session.LockToken != "" {
release, ls, err := m.fs.ConfirmLock(ctx, file, file.Uri(false), session.LockToken) release, ls, err := m.fs.ConfirmLock(ctx, file, file.Uri(false), session.LockToken)
if err != nil { if err != nil {
return nil, fs.ErrLockExpired.WithError(err) return nil, fs.ErrLockExpired.WithError(err)
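Review bot: With the inverted condition fixed, a session whose LockToken is empty now skips lock confirmation entirely instead of failing, and the hunk does not show whether an empty token is a legitimate unlocked upload or a missing lock; if the placeholder file is always locked when the session is created (outside this hunk), the empty case should be rejected, e.g. `if session.LockToken == "" { return nil, fs.ErrLockExpired }` ahead of the existing block. Either way a one-line comment stating which case is intended, `// a session created without a lock carries no token and needs no confirmation`, would keep the next reader from re-inverting it. ConfirmUploadSession starts and continues outside this hunk.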


@@ -2,7 +2,9 @@ package util
import ( import (
"context" "context"
cryptoRand "crypto/rand"
"fmt" "fmt"
"math/big"
"math/rand" "math/rand"
"path" "path"
"path/filepath" "path/filepath"
@@ -34,6 +36,20 @@ func RandStringRunes(n int) string {
return string(b) return string(b)
} }
func RandStringRunesCrypto(n int) string {
b := make([]rune, n)
for i := range b {
num, err := cryptoRand.Int(cryptoRand.Reader, big.NewInt(int64(len(RandomVariantAll))))
if err != nil {
// fallback to math/rand on crypto failure
b[i] = RandomVariantAll[rand.Intn(len(RandomVariantAll))]
} else {
b[i] = RandomVariantAll[num.Int64()]
}
}
return string(b)
}
// RandString returns random string in given length and variant // RandString returns random string in given length and variant
func RandString(n int, variant []rune) string { func RandString(n int, variant []rune) string {
b := make([]rune, n) b := make([]rune, n)
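Review bot: The `math/rand` fallback on lines 77-78 silently turns a CSPRNG failure into a non-cryptographic salt, which defeats the purpose of the new helper; a failed crypto/rand read is not a recoverable condition (recent Go versions abort the process on it in the standard library itself), so the helper should panic with a clear message rather than degrade. The exported function also lacks a doc comment, and `big.NewInt` can be hoisted out of the loop. Proposed replacement below; `math/rand` stays imported because RandStringRunes above still uses it.
```go
// RandStringRunesCrypto returns a string of n runes drawn uniformly from
// RandomVariantAll using crypto/rand. It panics if the system CSPRNG is
// unavailable instead of silently falling back to math/rand, because a
// predictable value here would undermine every caller that uses it as a salt.
func RandStringRunesCrypto(n int) string {
	b := make([]rune, n)
	upper := big.NewInt(int64(len(RandomVariantAll)))
	for i := range b {
		num, err := cryptoRand.Int(cryptoRand.Reader, upper)
		if err != nil {
			panic(fmt.Sprintf("crypto/rand unavailable: %v", err))
		}
		b[i] = RandomVariantAll[num.Int64()]
	}
	return string(b)
}
```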