github/jumpserver
1
0
Fork 0
mirror of https://github.com/jumpserver/jumpserver.git synced 2025-08-17 13:47:49 +00:00
Code Issues Projects Releases Wiki Activity

fix: Another user can use this job id to spoof both the file name and

Browse Source 
its contents
This commit is contained in:
wangruidong 2024-03-18 11:00:42 +08:00 committed by 老广
parent 8d01c189f0
commit c4d99ed8e2
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/ops/api/job.py
View File

@ -142,7 +142,7 @@ class JobViewSet(OrgBulkModelViewSet):
status=400) status=400)
job_id = request.data.get('job_id', '') job_id = request.data.get('job_id', '')
job = get_object_or_404(Job, pk=job_id) job = get_object_or_404(Job, pk=job_id, creator=request.user)
job_args = json.loads(job.args) job_args = json.loads(job.args)
src_path_info = [] src_path_info = []
upload_file_dir = safe_join(settings.DATA_DIR, 'job_upload_file', job_id) upload_file_dir = safe_join(settings.DATA_DIR, 'job_upload_file', job_id)
@ -225,7 +225,7 @@ class JobAssetDetail(APIView):
def get(self, request, **kwargs): def get(self, request, **kwargs):
execution_id = request.query_params.get('execution_id', '') execution_id = request.query_params.get('execution_id', '')
execution = get_object_or_404(JobExecution, id=execution_id) execution = get_object_or_404(JobExecution, id=execution_id, creator=request.user)
return Response(data=execution.assent_result_detail) return Response(data=execution.assent_result_detail)
@ -239,7 +239,7 @@ class JobExecutionTaskDetail(APIView):
task_id = str(kwargs.get('task_id')) task_id = str(kwargs.get('task_id'))
with tmp_to_org(org): with tmp_to_org(org):
execution = get_object_or_404(JobExecution, task_id=task_id) execution = get_object_or_404(JobExecution, pk=task_id, creator=request.user)
return Response(data={ return Response(data={
'status': execution.status, 'status': execution.status,