fix: 修复 celery 等日志文件的访问漏洞 (#5469)

Co-authored-by: xinwen <coderWen@126.com>

apps/ops/utils.py

@@ -1,11 +1,13 @@
 # ~*~ coding: utf-8 ~*~
 import os
+import uuid
 
 from django.utils.translation import ugettext_lazy as _
 
 from common.utils import get_logger, get_object_or_none
 from common.tasks import send_mail_async
 from orgs.utils import org_aware_func
+from jumpserver.const import PROJECT_DIR
 
 from .models import Task, AdHoc
 
@@ -79,8 +81,12 @@ def send_server_performance_mail(path, usage, usages):
 
 def get_task_log_path(base_path, task_id, level=2):
     task_id = str(task_id)
+    try:
+        uuid.UUID(task_id)
+    except:
+        return os.path.join(PROJECT_DIR, 'data', 'caution.txt')
+
     rel_path = os.path.join(*task_id[:level], task_id + '.log')
     path = os.path.join(base_path, rel_path)
     os.makedirs(os.path.dirname(path), exist_ok=True)
     return path
-

apps/ops/ws.py

@@ -22,7 +22,7 @@ class TaskLogWebsocket(JsonWebsocketConsumer):
 
     def connect(self):
         user = self.scope["user"]
-        if user.is_authenticated and user.is_org_admin:
+        if user.is_authenticated:
             self.accept()
         else:
             self.close()

data/caution.txt

@@ -0,0 +1,2 @@
+ 你想偷看啥 ！！！
+ What are you trying to peek at !!!