fix:only support http/https to convert,disabled to reach file system.

Author: nick

CHANGELOG.md

@@ -1,3 +1,5 @@
+### v0.3.1
+- only support http/https to convert,disabled to reach file system.
 ### v0.3.0
 - support waiting time for html convert to pdf
 - support waiting time for html convert to image

CHECKLIST.md

@@ -0,0 +1,6 @@
+# check list 
+- common/const.go Version
+- CHANGELOG.md
+- Makefile
+- merge branch
+- docker build and push to docker hub

Makefile

@@ -1,8 +1,8 @@
 .DEFAULT: help
 
 IMAGE_NAME ?= lampnick/doctron
-CENTOS_IMAGE_TAG ?= v0.3.0-centos
-ALPINE_IMAGE_TAG ?= v0.3.0-alpine
+CENTOS_IMAGE_TAG ?= v0.3.1-centos
+ALPINE_IMAGE_TAG ?= v0.3.1-alpine
 
 help: Makefile
 	@echo "Doctron is a document convert tools for html pdf image etc.\r\n"

SECURITY.md

@@ -6,7 +6,7 @@ Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
 | Version | Supported          |
-| ------- | ------------------ |
+| 0.3.1 | ensure can't visit the file system |
 
 
 ## Reporting a Vulnerability

app/http.go

@@ -19,6 +19,7 @@ func NewDoctron() *iris.Application {
 		}
 	})
 	app.PartyFunc("/convert", func(convert router.Party) {
+		convert.Use(middleware.CheckParams)
 		convert.Use(middleware.AuthMiddleware)
 		convert.Use(middleware.CheckRateLimiting)
 		convert.Get("/html2pdf", controller.Html2PdfHandler)

common/const.go

@@ -1,4 +1,4 @@
 package common
 
 //Version Version
-const Version = "0.3.0"
+const Version = "0.3.1"

common/error_code.go

@@ -7,6 +7,7 @@ const (
 	InvalidParams                       = 10000001
 	InvalidUrl                          = 10000002
 	ApiRateLimitExceeded                = 10000003
+	InvalidUrlScheme                    = 10000004
 	ConvertPdfFailed                    = 20000000
 	ConvertPdfWriteBytesFailed          = 20000001
 	ConvertPdfUploadFailed              = 20000002
@@ -28,6 +29,7 @@ var ErrMsg = map[int]string{
 	InvalidParams:                       "invalid params",
 	InvalidUrl:                          "invalid url",
 	ApiRateLimitExceeded:                "api rate limit exceeded",
+	InvalidUrlScheme:                    "only support http/https",
 	ConvertPdfFailed:                    "failed convert html to pdf",
 	ConvertPdfWriteBytesFailed:          "failed convert html to pdf. write bytes failed",
 	ConvertPdfUploadFailed:              "failed convert html to pdf. upload failed",

middleware/params.go

@@ -0,0 +1,36 @@
+package middleware
+
+import (
+	"net/url"
+
+	"github.com/kataras/iris/v12"
+	"github.com/lampnick/doctron/common"
+)
+
+func CheckParams(ctx iris.Context) {
+	webUrl := ctx.URLParam("url")
+	if webUrl == "" {
+		outputDTO := common.NewDefaultOutputDTO(nil)
+		outputDTO.Code = common.InvalidUrl
+		_, _ = common.NewJsonOutput(ctx, outputDTO)
+		return
+	}
+
+	u, err := url.Parse(webUrl)
+	if err != nil {
+		outputDTO := common.NewDefaultOutputDTO(nil)
+		outputDTO.Code = common.InvalidUrl
+		outputDTO.Message = err.Error()
+		_, _ = common.NewJsonOutput(ctx, outputDTO)
+		return
+	}
+
+	if u.Scheme != "http" && u.Scheme != "https" {
+		outputDTO := common.NewDefaultOutputDTO(nil)
+		outputDTO.Code = common.InvalidUrlScheme
+		_, _ = common.NewJsonOutput(ctx, outputDTO)
+		return
+	}
+
+	ctx.Next()
+}