fix: 修复 celery 等日志文件的访问漏洞 (#5474)

Co-authored-by: xinwen <coderWen@126.com>
2021-01-19 14:36:35 +08:00 · 2021-01-19 14:36:35 +08:00 · 97262645be
parent 82077a3ae1
commit 97262645be
2 changed files with 6 additions and 1 deletions
--- a/apps/ops/celery/utils.py
+++ b/apps/ops/celery/utils.py
@ -2,6 +2,7 @@
 #
 import json
 import os
+import uuid

 import redis_lock
 import redis
@ -103,6 +104,10 @@ def get_celery_periodic_task(task_name):

 def get_celery_task_log_path(task_id):
    task_id = str(task_id)
+    try:
+        uuid.UUID(task_id)
+    except:
+        return
    rel_path = os.path.join(task_id[0], task_id[1], task_id + '.log')
    path = os.path.join(settings.CELERY_LOG_DIR, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
--- a/apps/ops/ws.py
+++ b/apps/ops/ws.py
@ -16,7 +16,7 @@ class CeleryLogWebsocket(JsonWebsocketConsumer):

    def connect(self):
        user = self.scope["user"]
-        if user.is_authenticated and user.is_org_admin:
+        if user.is_authenticated:
            self.accept()
        else:
            self.close()