From fffe90b7ce71017960ec44b320b8597e8b8d0d90 Mon Sep 17 00:00:00 2001
From: nick
Date: Wed, 8 Sep 2021 11:45:36 +0800
Subject: [PATCH] fix:only support http/https to convert,disabled to reach file system.
---
CHANGELOG.md | 2 ++
CHECKLIST.md | 6 ++++++
Makefile | 4 ++--
SECURITY.md | 2 +-
app/http.go | 1 +
common/const.go | 2 +-
common/error_code.go | 2 ++
middleware/params.go | 36 ++++++++++++++++++++++++++++++++++++
8 files changed, 51 insertions(+), 4 deletions(-)
create mode 100644 CHECKLIST.md
create mode 100644 middleware/params.go
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e3577f8..a2d270a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,5 @@
+### v0.3.1
+- only support http/https to convert,disabled to reach file system.
 ### v0.3.0
 - support waiting time for html convert to pdf
 - support waiting time for html convert to image
diff --git a/CHECKLIST.md b/CHECKLIST.md
new file mode 100644
index 0000000..473ddc1
--- /dev/null
+++ b/CHECKLIST.md
@@ -0,0 +1,6 @@
+# check list
+- common/const.go Version
+- CHANGELOG.md
+- Makefile
+- merge branch
+- docker build and push to docker hub
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 52c2833..690646c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 .DEFAULT: help
 IMAGE_NAME ?= lampnick/doctron
-CENTOS_IMAGE_TAG ?= v0.3.0-centos
-ALPINE_IMAGE_TAG ?= v0.3.0-alpine
+CENTOS_IMAGE_TAG ?= v0.3.1-centos
+ALPINE_IMAGE_TAG ?= v0.3.1-alpine
 help: Makefile
 @echo "Doctron is a document convert tools for html pdf image etc.\r\n"
diff --git a/SECURITY.md b/SECURITY.md
index d3851f7..b19feb1 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,7 +6,7 @@ Use this section to tell people about which versions of your project are currently being supported with security updates.
 | Version | Supported |
-| ------- | ------------------ |
+| 0.3.1 | ensure can't visit the file system |
 ## Reporting a Vulnerability
diff --git a/app/http.go b/app/http.go
index 49e73ea..87111f0 100644
--- a/app/http.go
+++ b/app/http.go
@@ -19,6 +19,7 @@ func NewDoctron() *iris.Application {
 }
 })
 app.PartyFunc("/convert", func(convert router.Party) {
+ convert.Use(middleware.CheckParams)
 convert.Use(middleware.AuthMiddleware)
 convert.Use(middleware.CheckRateLimiting)
 convert.Get("/html2pdf", controller.Html2PdfHandler)
diff --git a/common/const.go b/common/const.go
index 47f6287..ddb70f9 100644
--- a/common/const.go
+++ b/common/const.go
@@ -1,4 +1,4 @@
 package common
 //Version Version
-const Version = "0.3.0"
+const Version = "0.3.1"
diff --git a/common/error_code.go b/common/error_code.go
index e71649e..f92c368 100644
--- a/common/error_code.go
+++ b/common/error_code.go
@@ -7,6 +7,7 @@ const (
 InvalidParams = 10000001
 InvalidUrl = 10000002
 ApiRateLimitExceeded = 10000003
+ InvalidUrlScheme = 10000004
 ConvertPdfFailed = 20000000
 ConvertPdfWriteBytesFailed = 20000001
 ConvertPdfUploadFailed = 20000002
@@ -28,6 +29,7 @@ var ErrMsg = map[int]string{
 InvalidParams: "invalid params",
 InvalidUrl: "invalid url",
 ApiRateLimitExceeded: "api rate limit exceeded",
+ InvalidUrlScheme: "only support http/https",
 ConvertPdfFailed: "failed convert html to pdf",
 ConvertPdfWriteBytesFailed: "failed convert html to pdf. write bytes failed",
 ConvertPdfUploadFailed: "failed convert html to pdf. upload failed",
diff --git a/middleware/params.go b/middleware/params.go
new file mode 100644
index 0000000..40e7383
--- /dev/null
+++ b/middleware/params.go
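Review bot: `convert.Use(middleware.CheckParams)` is registered ahead of `convert.Use(middleware.AuthMiddleware)` and `convert.Use(middleware.CheckRateLimiting)`, so the url parameter of an unauthenticated, unthrottled request is parsed and answered with InvalidUrl or InvalidUrlScheme before any credential or quota is checked. Parameter validation should only run for callers that have already passed authentication and rate limiting, both so the validator cannot be driven anonymously and so its per-request work sits behind the limiter. Move the new line to after `convert.Use(middleware.CheckRateLimiting)`; the relative order of the two existing middlewares is unchanged by this. The body of NewDoctron continues outside the hunk.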
@@ -0,0 +1,36 @@
+package middleware
+
+import (
+ "net/url"
+
+ "github.com/kataras/iris/v12"
+ "github.com/lampnick/doctron/common"
+)
+
+func CheckParams(ctx iris.Context) {
+ webUrl := ctx.URLParam("url")
+ if webUrl == "" {
+ outputDTO := common.NewDefaultOutputDTO(nil)
+ outputDTO.Code = common.InvalidUrl
+ _, _ = common.NewJsonOutput(ctx, outputDTO)
+ return
+ }
+
+ u, err := url.Parse(webUrl)
+ if err != nil {
+ outputDTO := common.NewDefaultOutputDTO(nil)
+ outputDTO.Code = common.InvalidUrl
+ outputDTO.Message = err.Error()
+ _, _ = common.NewJsonOutput(ctx, outputDTO)
+ return
+ }
+
+ if u.Scheme != "http" && u.Scheme != "https" {
+ outputDTO := common.NewDefaultOutputDTO(nil)
+ outputDTO.Code = common.InvalidUrlScheme
+ _, _ = common.NewJsonOutput(ctx, outputDTO)
+ return
+ }
+
+ ctx.Next()
+}
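Review bot: The scheme allow-list in CheckParams stops file: and relative inputs, but it still admits a URL with an empty host (for example `http:///x` parses without error) and it places no constraint on the destination host, so whatever fetches the page downstream can still be pointed at loopback or private-range addresses; the SECURITY.md claim "ensure can't visit the file system" therefore covers the file scheme only, not internal-network reachability. Tighten the third check to `if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {` and consider a host allow/deny policy in this same middleware, since it is the single choke point in front of every /convert route. Whether the converter follows redirects to another scheme or host after this check cannot be seen from the hunk and is worth confirming. The exported function also lacks a doc comment; add `// CheckParams rejects requests whose "url" query parameter is missing, unparsable or not http/https before the convert handlers run.` above the signature.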