fix: Another user can use this job id to spoof both the file name and its contents
pull/12833/head
wangruidong 2024-03-18 11:00:42 +08:00 committed by 老广
parent 73a4ce0943
commit 0671e56d65
1 changed files with 3 additions and 3 deletions


@ -143,7 +143,7 @@ class JobViewSet(OrgBulkModelViewSet):
status=400) status=400)
job_id = request.data.get('job_id', '') job_id = request.data.get('job_id', '')
job = get_object_or_404(Job, pk=job_id) job = get_object_or_404(Job, pk=job_id, creator=request.user)
job_args = json.loads(job.args) job_args = json.loads(job.args)
src_path_info = [] src_path_info = []
upload_file_dir = safe_join(settings.DATA_DIR, 'job_upload_file', job_id) upload_file_dir = safe_join(settings.DATA_DIR, 'job_upload_file', job_id)
@ -229,7 +229,7 @@ class JobAssetDetail(APIView):
def get(self, request, **kwargs): def get(self, request, **kwargs):
execution_id = request.query_params.get('execution_id', '') execution_id = request.query_params.get('execution_id', '')
execution = get_object_or_404(JobExecution, id=execution_id) execution = get_object_or_404(JobExecution, id=execution_id, creator=request.user)
return Response(data=execution.assent_result_detail) return Response(data=execution.assent_result_detail)
@ -243,7 +243,7 @@ class JobExecutionTaskDetail(APIView):
task_id = str(kwargs.get('task_id')) task_id = str(kwargs.get('task_id'))
with tmp_to_org(org): with tmp_to_org(org):
execution = get_object_or_404(JobExecution, pk=task_id) execution = get_object_or_404(JobExecution, pk=task_id, creator=request.user)
return Response(data={ return Response(data={
'status': execution.status, 'status': execution.status,