Minor refactor settings (#540)

* Refactor push notification file handling and improve path safety * Update README to reflect .NET Core 9.0 requirement and specify VS2022 version
grandnode · Dec 8, 2024 · 1d3d71d · 1d3d71d
1 parent 229c80c
commit 1d3d71d
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -71,7 +71,7 @@ To get a local copy up and running follow these simple steps.
 
 ### Prerequisites (develop version)
 
-GrandNode requires .NET Core 8.0, MongoDB 4.0+, and OS-specific dependency tools. 
+GrandNode requires .NET Core 9.0, MongoDB 4.0+, and OS-specific dependency tools. 
 
 ### Installation
 
@@ -88,7 +88,7 @@ If you want to download the latest stable version of GrandNode please use the fo
 docker pull grandnode/grandnode2:x.xx 
 ```
 
-* Open locally with VS2022+
+* Open locally with VS2022+ (v17.12.0) or above
 
 Run the project in the Visual Studio 2022+, extract the source code package downloaded from Releases tab to a folder. Enter the extracted folder and double-click the GrandNode.sln solution file. Select the Plugins project, rebuild it, then select the GrandNode.Web project.
 

diff --git a/src/Web/Grand.Web.Admin/Controllers/SettingController.cs b/src/Web/Grand.Web.Admin/Controllers/SettingController.cs
@@ -765,33 +765,46 @@ public async Task<IActionResult> PushNotifications(PushNotificationsSettingsMode
 
     private void SavePushNotificationsToFile(PushNotificationsSettingsModel model, IConfiguration configuration, IWebHostEnvironment webHostEnvironment)
     {
-        //edit js file needed by firebase
-        var filename = "firebase-messaging-sw.js";
-        var filePath = Path.Combine(webHostEnvironment.WebRootPath, configuration[CommonPath.DirectoryParam] ?? "", filename);
-        if (System.IO.File.Exists(filePath))
-        {
-            var lines = System.IO.File.ReadAllLines(filePath);
-            var i = 0;
-            foreach (var line in lines)
-            {
-                if (line.Contains("apiKey")) lines[i] = "apiKey: \"" + model.PushApiKey + "\",";
-                if (line.Contains("authDomain")) lines[i] = "authDomain: \"" + model.AuthDomain + "\",";
-                if (line.Contains("databaseURL")) lines[i] = "databaseURL: \"" + model.DatabaseUrl + "\",";
-                if (line.Contains("projectId")) lines[i] = "projectId: \"" + model.ProjectId + "\",";
-                if (line.Contains("storageBucket")) lines[i] = "storageBucket: \"" + model.StorageBucket + "\",";
-                if (line.Contains("messagingSenderId")) lines[i] = "messagingSenderId: \"" + model.SenderId + "\",";
-                if (line.Contains("appId")) lines[i] = "appId: \"" + model.AppId + "\",";
-                i++;
-            }
+        var fullPath = GetSafeFilePath(configuration, webHostEnvironment, "firebase-messaging-sw.js");
 
-            System.IO.File.WriteAllLines(filePath, lines);
+        if (System.IO.File.Exists(fullPath))
+        {
+            var lines = System.IO.File.ReadAllLines(fullPath);
+            lines = UpdateFileLines(lines, model);
+            System.IO.File.WriteAllLines(fullPath, lines);
         }
         else
+            throw new ArgumentNullException($"{fullPath} not exist");
+    }
+
+    private string GetSafeFilePath(IConfiguration configuration, IWebHostEnvironment webHostEnvironment, string filename)
+    {
+        var directoryParam = configuration[CommonPath.DirectoryParam] ?? "";
+        var safeDirectoryName = Path.GetFileName(directoryParam);
+        var combinedPath = Path.Combine(webHostEnvironment.WebRootPath, safeDirectoryName, filename);
+        var fullPath = Path.GetFullPath(combinedPath, webHostEnvironment.WebRootPath);
+
+        if (!fullPath.StartsWith(webHostEnvironment.WebRootPath, StringComparison.OrdinalIgnoreCase))
+            throw new ArgumentException("Invalid path parameter - attempt to go outside allowed directory.");
+
+        return fullPath;
+    }
+
+    private string[] UpdateFileLines(string[] lines, PushNotificationsSettingsModel model)
+    {
+        for (var i = 0; i < lines.Length; i++)
         {
-            throw new ArgumentNullException($"{filePath} not exist");
+            if (lines[i].Contains("apiKey")) lines[i] = $"apiKey: \"{model.PushApiKey}\",";
+            if (lines[i].Contains("authDomain")) lines[i] = $"authDomain: \"{model.AuthDomain}\",";
+            if (lines[i].Contains("databaseURL")) lines[i] = $"databaseURL: \"{model.DatabaseUrl}\",";
+            if (lines[i].Contains("projectId")) lines[i] = $"projectId: \"{model.ProjectId}\",";
+            if (lines[i].Contains("storageBucket")) lines[i] = $"storageBucket: \"{model.StorageBucket}\",";
+            if (lines[i].Contains("messagingSenderId")) lines[i] = $"messagingSenderId: \"{model.SenderId}\",";
+            if (lines[i].Contains("appId")) lines[i] = $"appId: \"{model.AppId}\",";
         }
+        return lines;
     }
-
+    
     public IActionResult AdminSearch()
     {
         var settings = settingService.LoadSetting<AdminSearchSettings>();