Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

解压功能鉴权无效 #7981

Open
4 tasks done
xrgzs opened this issue Feb 11, 2025 · 5 comments · May be fixed by #7982
Open
4 tasks done

解压功能鉴权无效 #7981

xrgzs opened this issue Feb 11, 2025 · 5 comments · May be fixed by #7982
Labels
bug Something isn't working

Comments

@xrgzs
Copy link
Contributor

xrgzs commented Feb 11, 2025

Please make sure of the following things

  • I have read the documentation.
    我已经阅读了文档

  • I'm sure there are no duplicate issues or discussions.
    我确定没有重复的issue或讨论。

  • I'm sure it's due to AList and not something else(such as Network ,Dependencies or Operational).
    我确定是AList的问题,而不是其他原因(例如网络依赖操作)。

  • I'm sure this issue is not fixed in the latest version.
    我确定这个问题在最新版本中没有被修复。

AList Version / AList 版本

v3.42.0

Driver used / 使用的存储驱动

archive

Describe the bug / 问题描述

Alist v3.42.0版本的解压缩功能发现一个漏洞,所有用户均可以通过 #7817 的解压接口消耗服务器流量,在设置中关闭读取压缩文件、解压无效

Reproduction / 复现链接

下载解压配置中的上传的 app.zip,将Alist主程序放入并使用 alist server 运行,访问:

http://127.0.0.1:5244/ae/mount/1GB.zip?inner=/1GB.bin&sign=oXVKHW6Xxe1OZXm0ahoPdW1hKfy86VR5StDneeJz4jc=:0

(如果签名过期的话请自行替换,或关闭签名)

这个 1GB.zip 中包含一个填充/dev/zero的 1GB.bin 文件

Config / 配置

配置文件:app.zip

读取压缩文件、解压都是关闭的:

如果挂载文件的路径不正确的话可以自行修改:

Logs / 日志

C:\Users\Admin>curl "http://127.0.0.1:5244/ae/mount/1GB.zip?inner=/1GB.bin&sign=oXVKHW6Xxe1OZXm0ahoPdW1hKfy86VR5StDneeJz4jc=:0" -v
*   Trying 127.0.0.1:5244...
* Connected to 127.0.0.1 (127.0.0.1) port 5244 (#0)
> GET /ae/mount/1GB.zip?inner=/1GB.bin&sign=oXVKHW6Xxe1OZXm0ahoPdW1hKfy86VR5StDneeJz4jc=:0 HTTP/1.1
> Host: 127.0.0.1:5244
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
< Content-Disposition: attachment; filename="1GB.bin"; filename*=UTF-8''1GB.bin
< Content-Length: 1073741824
< Content-Type: application/octet-stream
< Referrer-Policy: no-referrer
< Date: Tue, 11 Feb 2025 11:36:37 GMT
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* Closing connection 0
@xrgzs xrgzs added the bug Something isn't working label Feb 11, 2025
@xrgzs
Copy link
Contributor Author

xrgzs commented Feb 11, 2025
edited
Loading

在问题被修复前,建议管理员通过 NGINX 或 WAF 封禁以下路径,避免造成服务器流量被恶意消耗:

/ae/

@KirCute
Copy link
Contributor

KirCute commented Feb 11, 2025

我看 /d 和 /p 是没加鉴权的,如何理解呢

@xrgzs
Copy link
Contributor Author

xrgzs commented Feb 11, 2025

我看 /d 和 /p 是没加鉴权的,如何理解呢

/d 和 /p 没加鉴权不影响,实际情况都是挂载网盘然后302跳转,不会造成服务器流量消耗,但解压功能的流量会走服务器中转,因此要对其进行鉴权或限制。

最主要的问题是用户设置里面即使禁用了解压功能也能解压。

@KirCute
Copy link
Contributor

KirCute commented Feb 11, 2025

我看 /d 和 /p 是没加鉴权的,如何理解呢

/d 和 /p 没加鉴权不影响,实际情况都是挂载网盘然后302跳转,不会造成服务器流量消耗,但解压功能的流量会走服务器中转,因此要对其进行鉴权或限制。

最主要的问题是用户设置里面即使禁用了解压功能也能解压。

/ad /ap 和 /d /p 的行为是一样的,那应该只有 /ae 需要鉴权

@KirCute KirCute linked a pull request Feb 12, 2025 that will close this issue
Open
@KirCute
Copy link
Contributor

KirCute commented Feb 12, 2025

前端访问/ae的时候不走 axios,所以不会带 Authorization 请求头,也就没法用middlewares.Auth鉴权,我改了一下这三个接口的路径签名方式,应该能解决问题

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(archive): use another sign for extraction KirCute/alist
2 participants
@KirCute @xrgzs