From 9f270c12b485e7ea4a4478fde379406910fbc661 Mon Sep 17 00:00:00 2001
From: W13R <9070224-W13R@users.noreply.gitlab.com>
Date: Wed, 2 Nov 2022 21:55:36 +0100
Subject: [PATCH] Profile pictures are now handled by the application to
 mitigate possible directory traversals to other sub-directories of the static
 directory (Admins/Staff with the right to edit user accounts were able to set
 a path like ../static/favicon.png for the profile picture - this isn't a "i'm
 in, now i have root access and can hack your mom"-vulnerability, but better
 fix it before it evolves to one. or a dragon. it's too late for this crap.)

---
 .gitignore                                    |  4 +++-
 .../app/templates/registration/login.html     |  2 +-
 application/app/templates/userPanel.html      |  2 +-
 application/app/urls.py                       |  3 ++-
 application/app/views.py                      | 24 +++++++++++++++++++
 application/drinks_manager/settings.py        |  2 ++
 lib/env.sh                                    |  1 +
 .../default.svg                               |  0
 8 files changed, 34 insertions(+), 4 deletions(-)
 rename {static/profilepictures => profilepictures}/default.svg (100%)

diff --git a/.gitignore b/.gitignore
index 8db7fca..4f97b84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 /archive/*
 /logs/*
 /packages/*
+/profilepictures/*
 /temp
 /tmp
 __pycache__
@@ -12,4 +13,5 @@ __pycache__
 !/config/config.sample.sh
 !/config/Caddyfile
 !/config/tls/
-!.gitkeep
\ No newline at end of file
+!/profilepictures/default.svg
+!.gitkeep
diff --git a/application/app/templates/registration/login.html b/application/app/templates/registration/login.html
index af1f25c..765172e 100644
--- a/application/app/templates/registration/login.html
+++ b/application/app/templates/registration/login.html
@@ -69,7 +69,7 @@
         <ul class="userlist">
             {% for user_ in user_list %}
                 <li class="userlistButton button" data-username="{{ user_.username }}">
-                    <img src="{% static 'profilepictures/'|add:user_.profile_picture_filename %}">
+                    <img src="{{ '/profilepictures?name='|add:user_.profile_picture_filename }}">
                     <div>
                         {% if user_.first_name %}
 
diff --git a/application/app/templates/userPanel.html b/application/app/templates/userPanel.html
index 447c2d8..32afe40 100644
--- a/application/app/templates/userPanel.html
+++ b/application/app/templates/userPanel.html
@@ -3,7 +3,7 @@
 
 <div class="userPanel">
     <div class="userInfo">
-        <img src="{% static 'profilepictures/'|add:user.profile_picture_filename %}">
+        <img src="{{ '/profilepictures?name='|add:user.profile_picture_filename }}">
         <span>
             {% if user.first_name != "" %}
                 {% translate "User" %}: {{ user.first_name }} {{ user.last_name }} ({{ user.username }})
diff --git a/application/app/urls.py b/application/app/urls.py
index e720876..788ecd9 100644
--- a/application/app/urls.py
+++ b/application/app/urls.py
@@ -16,9 +16,10 @@ urlpatterns = [
     path('accounts/password_change/', auth_views.PasswordChangeView.as_view(), name='password_change'),
     path('accounts/password_change_done/', views.redirect_home, name='password_change_done'),
     path('admin/', adminSite.urls),
+    # custom-handled resources
+    path('profilepictures', views.profile_pictures),
     # API #
     path('api/order-drink', views.api_order_drink),
     path('api/deposit', views.api_deposit),
     path('api/supply', views.api_supply)
-    #path('api/get-statistics', views.api_get_statistics)
 ]
\ No newline at end of file
diff --git a/application/app/views.py b/application/app/views.py
index 8511249..d3fafb5 100644
--- a/application/app/views.py
+++ b/application/app/views.py
@@ -1,12 +1,16 @@
 import json
 import sys
 
+from pathlib import Path
+
+from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth import get_user_model
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import AuthenticationForm
 from django.http.response import HttpResponseRedirect
+from django.http.response import FileResponse
 from django.http.response import HttpResponse
 from django.shortcuts import render
 
@@ -20,6 +24,9 @@ from .models import Drink
 from .models import Order
 from .models import RegisterTransaction
 
+#
+
+profile_pictures_path = Path(settings.PROFILE_PICTURES).resolve()
 
 # login view
 
@@ -112,6 +119,23 @@ def redirect_home(request):
     return HttpResponseRedirect("/")
 
 
+# Custom-Handled Resources
+
+def profile_pictures(request):
+    if not "name" in request.GET:
+        return HttpResponse(b"", status=400)
+    print(request.GET["name"])
+    ppic_filepath = Path(profile_pictures_path / request.GET["name"]).resolve()
+    try:
+        ppic_filepath.relative_to(profile_pictures_path)
+    except:
+        return HttpResponse("No.", status=403)
+    if ppic_filepath.is_file():
+        return FileResponse(ppic_filepath.open('rb'))
+    else:
+        return FileResponse(b"", status=404)
+
+
 # API for XHR requests #
 
 @login_required
diff --git a/application/drinks_manager/settings.py b/application/drinks_manager/settings.py
index 9523d14..d01503f 100644
--- a/application/drinks_manager/settings.py
+++ b/application/drinks_manager/settings.py
@@ -175,3 +175,5 @@ try:
     CURRENCY_SUFFIX = os.environ["CURRENCY_SUFFIX"]
 except KeyError:
     CURRENCY_SUFFIX = "$"
+
+PROFILE_PICTURES = os.environ["PROFILE_PICTURES"]
diff --git a/lib/env.sh b/lib/env.sh
index 8781ef1..67c9e68 100644
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 export DJANGO_SK_ABS_FP="$(pwd)/config/secret_key.txt"
+export PROFILE_PICTURES="$(pwd)/profilepictures/"
 export STATIC_FILES="$(pwd)/static/"
 export APP_VERSION="12"
 export PYTHONPATH="$(pwd)/packages/"
diff --git a/static/profilepictures/default.svg b/profilepictures/default.svg
similarity index 100%
rename from static/profilepictures/default.svg
rename to profilepictures/default.svg