feat: fix SSRF when download avatar (#1193)

Yaodong Yu
2022-10-20 14:47:08 +08:00
committed by GitHub
parent dffa68cbce
commit 6a1ec51978
6 changed files with 75 additions and 26 deletions


@ -50,7 +50,7 @@ func downloadFile(url string) (*bytes.Buffer, error) {
return fileBuffer, nil
}
func getPermanentAvatarUrl(organization string, username string, url string) string {
func getPermanentAvatarUrl(organization string, username string, url string, upload bool) string {
if url == "" {
return ""
}
@ -62,6 +62,14 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
fullFilePath := fmt.Sprintf("/avatar/%s/%s.png", organization, username)
uploadedFileUrl, _ := getUploadFileUrl(defaultStorageProvider, fullFilePath, false)
if upload {
DownloadAndUpload(url, fullFilePath)
}
return uploadedFileUrl
}
func DownloadAndUpload(url string, fullFilePath string) {
fileBuffer, err := downloadFile(url)
if err != nil {
panic(err)
@ -71,6 +79,4 @@ func getPermanentAvatarUrl(organization string, username string, url string) str
if err != nil {
panic(err)
}
return uploadedFileUrl
}
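Review bot: `DownloadAndUpload` still hands `url` to `downloadFile` with no check on scheme or destination, so the SSRF fix rests entirely on callers passing `upload` as true only for URLs they trust; those call sites are in the other changed files and are not visible here. Because the function is exported, I would validate at the fetch itself (allow only `http`/`https`, reject hosts that resolve to loopback, private or link-local addresses, and apply the same check to redirects), and at minimum state the contract with `// DownloadAndUpload fetches url from the server side; pass only URLs supplied by a trusted provider, never user-editable input.` Separately, `panic(err)` on a failed download lets an unreachable or slow remote host abort the calling request; changing the signature to `func DownloadAndUpload(url string, fullFilePath string) error` and returning the error would let callers fall back to the existing avatar. The bodies of `downloadFile` and the upload step lie outside the hunks shown, so any validation or timeout already applied there cannot be confirmed from this page.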