fix adopt auth bypass, add rate limiting

Arkadiy Kukarkin
2025-12-25 19:19:28 +01:00
parent 6959aff335
commit 558b4ddf1c
6 changed files with 200 additions and 28 deletions


@@ -54,13 +54,14 @@ func (s *Server) handleAdopt(w http.ResponseWriter, r *http.Request) {
return
}
hostSession, err := model.LoadSession(ctx, s.store, share.Host(), s.cfg.MaxCachedPts)
if err != nil {
fmt.Fprintln(w, "Session expired!")
// verify caller owns the share being adopted
// after this check, session IS the host session
if sid != share.Host() {
fmt.Fprintln(w, "Not authorized!")
return
}
if hostSession.Encrypted() {
if session.Encrypted() {
fmt.Fprintln(w, "End-to-end encrypted shares cannot be adopted!")
return
}
@@ -78,13 +79,11 @@ func (s *Server) handleAdopt(w http.ResponseWriter, r *http.Request) {
return
}
hostSession.AddTarget(target.ID())
if err := hostSession.Save(ctx); err != nil {
session.AddTarget(target.ID())
if err := session.Save(ctx); err != nil {
http.Error(w, "internal error", http.StatusInternalServerError)
return
}
_ = session
fmt.Fprintln(w, "OK")
}
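Review bot: The ownership rejection in the first hunk, `fmt.Fprintln(w, "Not authorized!")`, answers with a 200 like the other user-facing messages, so a failed `sid != share.Host()` check is indistinguishable from a successful adopt in access logs and to any rate limiting that keys on status codes; `http.Error(w, "Not authorized!", http.StatusForbidden)` would make the rejection visible, consistent with the `http.Error` the second hunk already uses for the internal-error path. The comment `// after this check, session IS the host session` holds only if `sid` is the id of the already-loaded `session`, which is established before the hunk; spelling that out (`// sid is the authenticated id of session; rejecting unless it equals the host makes session the host session`) would keep the invariant from drifting if either value is later derived differently. The start of handleAdopt, where `sid`, `session` and `share` are obtained, lies outside both hunks.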