3diy
/
moonraker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

app: Add sha256 checksum validation to file uploads 

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Arksine 2021-04-20 09:12:34 -04:00
parent 2c078cbc7c
commit 9478678ea0
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
moonraker/app.py
View File

@ -20,7 +20,7 @@ from tornado.log import access_log
from utils import ServerError from utils import ServerError
from websockets import WebRequest, WebsocketManager, WebSocket from websockets import WebRequest, WebsocketManager, WebSocket
from streaming_form_data import StreamingFormDataParser from streaming_form_data import StreamingFormDataParser
from streaming_form_data.targets import FileTarget, ValueTarget from streaming_form_data.targets import FileTarget, ValueTarget, SHA256Target
# These endpoints are reserved for klippy/server communication only and are # These endpoints are reserved for klippy/server communication only and are
# not exposed via http or the websocket # not exposed via http or the websocket
@ -609,10 +609,13 @@ class FileUploadHandler(AuthorizedRequestHandler):
'root': ValueTarget(), 'root': ValueTarget(),
'print': ValueTarget(), 'print': ValueTarget(),
'path': ValueTarget(), 'path': ValueTarget(),
'checksum': ValueTarget(),
} }
self._file = FileTarget(tmpname) self._file = FileTarget(tmpname)
self._sha256_target = SHA256Target()
self._parser = StreamingFormDataParser(self.request.headers) self._parser = StreamingFormDataParser(self.request.headers)
self._parser.register('file', self._file) self._parser.register('file', self._file)
self._parser.register('file', self._sha256_target)
for name, target in self._targets.items(): for name, target in self._targets.items():
self._parser.register(name, target) self._parser.register(name, target)
@ -622,6 +625,20 @@ class FileUploadHandler(AuthorizedRequestHandler):
async def post(self): async def post(self):
form_args = {} form_args = {}
chk_target = self._targets.pop('checksum')
calc_chksum = self._sha256_target.value.lower()
if chk_target.value:
# Validate checksum
recd_cksum = chk_target.value.decode().lower()
if calc_chksum != recd_cksum:
# remove temporary file
try:
os.remove(self._file.filename)
except Exception:
pass
raise self.server.error(
f"File checksum mismatch: expected {recd_cksum}, "
f"calculated {calc_chksum}", 422)
for name, target in self._targets.items(): for name, target in self._targets.items():
if target.value: if target.value:
form_args[name] = target.value.decode() form_args[name] = target.value.decode()
@ -630,6 +647,7 @@ class FileUploadHandler(AuthorizedRequestHandler):
debug_msg = "\nFile Upload Arguments:" debug_msg = "\nFile Upload Arguments:"
for name, value in form_args.items(): for name, value in form_args.items():
debug_msg += f"\n{name}: {value}" debug_msg += f"\n{name}: {value}"
debug_msg += f"\nChecksum: {calc_chksum}"
logging.debug(debug_msg) logging.debug(debug_msg)
try: try:
result = await self.file_manager.finalize_upload(form_args) result = await self.file_manager.finalize_upload(form_args)