Merge pull request #2401 from nocodb/fix/ssrf

fix: ssrf
2 years ago · 69c5ef6eed
3 changed files with 42 additions and 10 deletions
--- a/packages/nc-gui/components/import/QuickImport.vue
+++ b/packages/nc-gui/components/import/QuickImport.vue
@ -60,11 +60,18 @@
                      v-model="url"
                      hide-details="auto"
                      type="url"
-                      :label="quickImportType == 'excel' ? $t('msg.info.excelURL') : $t('msg.info.csvURL') "
+                      :label="quickImportType === 'excel' ? $t('msg.info.excelURL') : $t('msg.info.csvURL') "
                      class="caption"
                      outlined
                      dense
-                      :rules="[v => !!v || $t('general.required') ]"
+                      :rules="
+                        [
+                          v => !!v || $t('general.required'), 
+                          v => !(/(10)(\.([2]([0-5][0-5]|[01234][6-9])|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}|(172)\.(1[6-9]|2[0-9]|3[0-1])(\.(2[0-4][0-9]|25[0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}|(192)\.(168)(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){2}|(0.0.0.0)|localhost?/g).test(v) || errorMessages.ipBlockList,
+                          v => quickImportType === 'excel' ?
+                            (/.*\.(xls|xlsx|xlsm|ods|ots)/.test(v) || errorMessages.importExcel) :
+                            (/.*\.(csv)/.test(v) || errorMessages.importCSV),
+                        ]"
                    />
                    <v-btn v-t="['c:project:create:excel:load-url']" class="ml-3" color="primary" @click="loadUrl">
                      <!--Load-->
@ -213,7 +220,12 @@ export default {
      parserConfig: {
        maxRowsToParse: 500
      },
-      filename: ''
+      filename: '',
+      errorMessages: {
+        importExcel: "Target file is not an accepted file type. The accepted file types are .xls, .xlsx, .xlsm, .ods, .ots!",
+        importCSV: "Target file is not an accepted file type. The accepted file type is .csv!",
+        ipBlockList: "IP Not allowed!"
+      }
    }
  },
  computed: {
@ -288,7 +300,7 @@ export default {
            templateGenerator = new ExcelTemplateAdapter(name, val, this.parserConfig)
            break
          case 'url':
-            templateGenerator = new ExcelUrlTemplateAdapter(val, this.$store, this.parserConfig, this.$api)
+            templateGenerator = new ExcelUrlTemplateAdapter(val, this.$store, this.parserConfig, this.$api, this.quickImportType)
            break
        }
        await templateGenerator.init()
@ -322,11 +334,11 @@ export default {

      if (this.quickImportType === 'excel') {
        if (!/.*\.(xls|xlsx|xlsm|ods|ots)/.test(file.name)) {
-          return this.$toast.error('Dropped file is not an accepted file type. The accepted file types are .xls, .xlsx, .xlsm, .ods, .ots!').goAway(3000)
+          return this.$toast.error(this.errorMessages.importExcel).goAway(3000)
        }
      } else if (this.quickImportType === 'csv') {
        if (!/.*\.(csv)/.test(file.name)) {
-          return this.$toast.error('Dropped file is not an accepted file type. The accepted file type is .csv!').goAway(3000)
+          return this.$toast.error(this.errorMessages.importCSV).goAway(3000)
        }
      }
      this._file(file)
--- a/packages/nc-gui/components/import/templateParsers/ExcelUrlTemplateAdapter.js
+++ b/packages/nc-gui/components/import/templateParsers/ExcelUrlTemplateAdapter.js
@ -1,19 +1,19 @@
 import ExcelTemplateAdapter from '~/components/import/templateParsers/ExcelTemplateAdapter'

 export default class ExcelUrlTemplateAdapter extends ExcelTemplateAdapter {
-  constructor(url, $store, parserConfig, $api) {
+  constructor(url, $store, parserConfig, $api, quickImportType) {
    const name = url.split('/').pop()
    super(name, null, parserConfig)
    this.url = url
    this.$api = $api
    this.$store = $store
+    this.quickImportType = quickImportType
  }

  async init() {
    const data = await this.$api.utils.axiosRequestMake({
      apiMeta: {
-        url: this.url,
-        responseType: 'arraybuffer'
+        url: this.url
      }
    })
    this.excelData = data.data
--- a/packages/nocodb/src/lib/meta/api/utilApis.ts
+++ b/packages/nocodb/src/lib/meta/api/utilApis.ts
@ -60,8 +60,9 @@ export async function releaseVersion(_req: Request, res: Response) {
  res.json(result);
 }

-export async function axiosRequestMake(req: Request, res: Response) {
+async function _axiosRequestMake(req: Request, res: Response) {
  const { apiMeta } = req.body;
+
  if (apiMeta?.body) {
    try {
      apiMeta.body = JSON.parse(apiMeta.body);
@ -106,6 +107,25 @@ export async function axiosRequestMake(req: Request, res: Response) {
  return res.json(data?.data);
 }

+export async function axiosRequestMake(req: Request, res: Response) {
+  const {
+    apiMeta: { url }
+  } = req.body;
+  const isExcelImport = /.*\.(xls|xlsx|xlsm|ods|ots)/;
+  const isCSVImport = /.*\.(csv)/;
+  const ipBlockList = /(10)(\.([2]([0-5][0-5]|[01234][6-9])|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}|(172)\.(1[6-9]|2[0-9]|3[0-1])(\.(2[0-4][0-9]|25[0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}|(192)\.(168)(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){2}|(0.0.0.0)|localhost?/g;
+  if (
+    ipBlockList.test(url) ||
+    (!isCSVImport.test(url) && !isExcelImport.test(url))
+  ) {
+    return res.json({});
+  }
+  if (isCSVImport || isExcelImport) {
+    req.body.apiMeta.responseType = 'arraybuffer';
+  }
+  return await _axiosRequestMake(req, res);
+}
+
 export default router => {
  router.post(
    '/api/v1/db/meta/connection/test',