Merge pull request #1301 from yogeshojha/1202-bug-risk-of-leaking-the…

…-scan-result-files (Security) Fixes #1202 bug risk of leaking the scan result files
yogeshojha · Jul 5, 2024 · ca8389b · ca8389b
2 parents 180010a + 2570004
commit ca8389b
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/config/nginx/rengine.conf b/config/nginx/rengine.conf
@@ -32,8 +32,10 @@ server {
         alias /usr/src/app/staticfiles/;
     }
 
-    location /media/ {
+    location /protected_media/ {
+        internal;
         alias /usr/src/scan_results/;
+        autoindex off;
     }
 
     ssl_protocols                                   TLSv1.2;

diff --git a/web/reNgine/settings.py b/web/reNgine/settings.py
@@ -159,6 +159,7 @@
 DJANGO_CELERY_BEAT_TZ_AWARE = False
 
 MEDIA_URL = '/media/'
+MEDIA_ROOT = '/usr/src/scan_results/'
 FILE_UPLOAD_MAX_MEMORY_SIZE = 100000000
 FILE_UPLOAD_PERMISSIONS = 0o644
 STATIC_URL = '/staticfiles/'

diff --git a/web/reNgine/urls.py b/web/reNgine/urls.py
@@ -8,6 +8,8 @@
 from drf_yasg.views import get_schema_view
 from rest_framework import permissions
 
+from reNgine.views import serve_protected_media
+
 schema_view = get_schema_view(
    openapi.Info(
       title="reNgine API",
@@ -53,5 +55,11 @@
         include(
             'api.urls',
             'api')),
-] + static(settings.MEDIA_URL, document_root=settings.RENGINE_RESULTS) + \
-    static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
+    path(
+        'media/<path:path>', 
+        serve_protected_media, 
+        name='serve_protected_media'
+    ),
+] + static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
+# ] + static(settings.MEDIA_URL, document_root=settings.RENGINE_RESULTS) + \
+
diff --git a/web/reNgine/views.py b/web/reNgine/views.py
@@ -0,0 +1,21 @@
+import os
+import mimetypes
+from django.contrib.auth.decorators import login_required
+from django.http import HttpResponse, Http404
+from django.conf import settings
+
+@login_required
+def serve_protected_media(request, path):
+    file_path = os.path.join(settings.MEDIA_ROOT, path)
+    if os.path.isdir(file_path):
+        raise Http404("File not found")
+    if os.path.exists(file_path):
+        content_type, _ = mimetypes.guess_type(file_path)
+        response = HttpResponse()
+        # response['Content-Disposition'] = f'attachment; filename={os.path.basename(file_path)}'
+        response['Content-Type'] = content_type
+        response['X-Accel-Redirect'] = f'/protected_media/{path}'
+        return response
+    else:
+        raise Http404("File not found")
+