encode blockid via base64 url encoding to avoid security problems

Author: ChristopherHX

routers/api/actions/artifacts_chunks.go

@@ -140,10 +140,15 @@ func listChunksByRunIDV4(st storage.ObjectStorage, runID, artifactID int64, blis
 		// no matter the subdirectory setting in storage config
 		item := chunkFileItem{Path: storageDir + "/" + baseName, ArtifactID: artifactID}
 		var size int64
-		var chunkName string
-		if _, err := fmt.Sscanf(baseName, "block-%d-%d-%s", &item.RunID, &size, &chunkName); err != nil {
+		var b64chunkName string
+		if _, err := fmt.Sscanf(baseName, "block-%d-%d-%s", &item.RunID, &size, &b64chunkName); err != nil {
 			return fmt.Errorf("parse content range error: %v", err)
 		}
+		rchunkName, err := base64.URLEncoding.DecodeString(b64chunkName)
+		if err != nil {
+			return fmt.Errorf("failed to parse chunkName: %v", err)
+		}
+		chunkName := string(rchunkName)
 		item.End = item.Start + size - 1
 		if _, ok := chunkMap[chunkName]; ok {
 			chunkMap[chunkName] = &item

routers/api/actions/artifactsv4.go

@@ -327,7 +327,7 @@ func (r *artifactV4Routes) uploadArtifact(ctx *ArtifactContext) {
 				return
 			}
 		} else {
-			_, err := r.fs.Save(fmt.Sprintf("tmp%d/block-%d-%d-%s", task.Job.RunID, task.Job.RunID, ctx.Req.ContentLength, blockid), ctx.Req.Body, -1)
+			_, err := r.fs.Save(fmt.Sprintf("tmp%d/block-%d-%d-%s", task.Job.RunID, task.Job.RunID, ctx.Req.ContentLength, base64.URLEncoding.EncodeToString([]byte(blockid))), ctx.Req.Body, -1)
 			if err != nil {
 				log.Error("Error runner api getting task: task is not running")
 				ctx.Error(http.StatusInternalServerError, "Error runner api getting task: task is not running")