@@ -41,10 +41,15 @@ func NewServer() *Server {
4141
4242 sentryHandler := sentryhttp .New (sentryhttp.Options {})
4343
44- r .HandleFunc ("/download" , server .HandlePostDownload ).Methods ("POST" )
44+ //r.HandleFunc("/download", server.HandlePostDownload).Methods("POST")
45+ //r.HandleFunc("/create_download_link", server.HandleCreateLink).Methods("POST")
46+ //r.HandleFunc("/download_link/{link_id}", server.HandleDownloadLink).Methods("GET")
47+ /*
48+ NOTE: Given that the zipstreamer server has unlimited access to private data, we have to disable every endpoint
49+ that could allow users with the correct URLs to private data to exfiltrate it through the zipstreamer service.
50+ This also includes modifying the server.HandleGetDownload such that it *only* supports listfile IDs, and not URLs.
51+ */
4552 r .HandleFunc ("/download" , sentryHandler .HandleFunc (server .HandleGetDownload )).Methods ("GET" )
46- r .HandleFunc ("/create_download_link" , server .HandleCreateLink ).Methods ("POST" )
47- r .HandleFunc ("/download_link/{link_id}" , server .HandleDownloadLink ).Methods ("GET" )
4853
4954 return & server
5055}
@@ -102,11 +107,9 @@ func (s *Server) HandlePostDownload(w http.ResponseWriter, req *http.Request) {
102107
103108func (s * Server ) HandleGetDownload (w http.ResponseWriter , req * http.Request ) {
104109 params := req .URL .Query ()
105- listfileUrl := params .Get ("zsurl" )
106110 listFileId := params .Get ("zsid" )
107- if listfileUrl == "" && s .ListfileUrlPrefix != "" && listFileId != "" {
108- listfileUrl = s .ListfileUrlPrefix + listFileId
109- }
111+ listfileUrl := s .ListfileUrlPrefix + listFileId
112+
110113 if listfileUrl == "" {
111114 w .WriteHeader (http .StatusBadRequest )
112115 w .Write ([]byte (`{"status":"error","error":"invalid parameters"}` ))
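Review bot: The `listfileUrl == ""` guard right after the new concatenation no longer rejects a missing or unconfigured input: with `ListfileUrlPrefix` set, an empty `zsid` yields the bare prefix, and with the prefix empty the raw `zsid` value becomes the whole URL, which is the URL-based lookup the NOTE in NewServer says this change removes. The handler should fail closed on both inputs before building the URL, `if s.ListfileUrlPrefix == "" || listFileId == "" { w.WriteHeader(http.StatusBadRequest); w.Write([]byte(`{"status":"error","error":"invalid parameters"}`)); return }`, and then treat the ID as a single path segment, `listfileUrl := s.ListfileUrlPrefix + url.PathEscape(listFileId)`, so the value cannot add path components or a query string to the fetched location. A package-level `regexp.MustCompile` allowlist for the ID format would be stricter still and is worth a one-line comment stating what an ID may contain. HandleGetDownload continues past the end of the hunk.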