banquise/pelican-panel-mirror
14
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-11-13 02:54:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

add env variable for max import size

Browse Source
This commit is contained in:
Boy132 2025-11-11 08:42:14 +01:00
parent 19bf597702
commit 7d8f55790f
2 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
app/Services/Helpers/PluginService.php
View File

@ -17,6 +17,7 @@ use Illuminate\Support\Facades\File;
use Illuminate\Support\Facades\Http; use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Process; use Illuminate\Support\Facades\Process;
use Illuminate\Support\ServiceProvider; use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Spatie\TemporaryDirectory\TemporaryDirectory; use Spatie\TemporaryDirectory\TemporaryDirectory;
use ZipArchive; use ZipArchive;
@ -312,8 +313,9 @@ class PluginService
public function downloadPluginFromFile(UploadedFile $file, bool $cleanDownload = false): void public function downloadPluginFromFile(UploadedFile $file, bool $cleanDownload = false): void
{ {
// Validate file size to prevent zip bombs // Validate file size to prevent zip bombs
if ($file->getSize() > 100 * 1024 * 1024) { $maxSize = config('panel.plugin.max_import_size');
throw new Exception('Zip file too large. (max 100 MB)'); if ($file->getSize() > $maxSize) {
throw new Exception("Zip file too large. ($maxSize MiB)");
} }
$zip = new ZipArchive(); $zip = new ZipArchive();
@ -327,7 +329,7 @@ class PluginService
// Validate zip contents before extraction // Validate zip contents before extraction
for ($i = 0; $i < $zip->numFiles; $i++) { for ($i = 0; $i < $zip->numFiles; $i++) {
$filename = $zip->getNameIndex($i); $filename = $zip->getNameIndex($i);
if (str_contains($filename, '..') || str_starts_with($filename, '/')) { if (Str::contains($filename, '..') || Str::startsWith($filename, '/')) {
$zip->close(); $zip->close();
throw new Exception('Zip file contains invalid path traversal sequences.'); throw new Exception('Zip file contains invalid path traversal sequences.');
} }
@ -356,8 +358,9 @@ class PluginService
$content = Http::timeout(60)->connectTimeout(5)->throw()->get($url)->body(); $content = Http::timeout(60)->connectTimeout(5)->throw()->get($url)->body();
// Validate file size to prevent zip bombs // Validate file size to prevent zip bombs
if (strlen($content) > 100 * 1024 * 1024) { $maxSize = config('panel.plugin.max_import_size');
throw new InvalidFileUploadException('Zip file too large. (100 MB)'); if (strlen($content) > $maxSize) {
throw new InvalidFileUploadException("Zip file too large. ($maxSize MiB)");
} }
if (!file_put_contents($tmpPath, $content)) { if (!file_put_contents($tmpPath, $content)) {

1
config/panel.php
View File

@ -71,5 +71,6 @@ return [
'plugin' => [ 'plugin' => [
'dev_mode' => env('PANEL_PLUGIN_DEV_MODE', false), 'dev_mode' => env('PANEL_PLUGIN_DEV_MODE', false),
'max_import_size' => env('PANEL_PLUGIN_MAX_IMPORT_SIZE', 1024 * 1024 * 100),
], ],
]; ];