
Fixes path injection vulnerability #35
targodan committed Dec 23, 2022
1 parent bd6afb3 commit fef9a33
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion archiver/remoteServer.go
Expand Up @@ -11,6 +11,7 @@ import (
"math/rand"
"net/http"
"os"
"path"
"path/filepath"
"strings"
"sync"
Expand Down Expand Up @@ -241,14 +242,24 @@ type CreateReportRequest struct {
Name string `json:"name"`
}

func sanitizeFilename(name string) string {
return path.Base(path.Clean("/" + name))
}

func (s *ArchiverServer) createReport(c *gin.Context) {
var req CreateReportRequest
if err := c.ShouldBindJSON(&req); handleError(c, err) {
return
}

reportName := sanitizeFilename(req.Name)
if reportName == "." || reportName == "/" {
handleError(c, fmt.Errorf("invalid report name '%s'", req.Name))
return
}

reportID := generateReportID()
_, err := s.registerReport(reportID, req.Name)
_, err := s.registerReport(reportID, reportName)
if handleError(c, err) {
return
}
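Review bot: sanitizeFilename relies on the slash-only `path` package, so a name containing backslashes (e.g. a constructed `..\..\x`) passes through `path.Base` untouched; if the archiver later builds the on-disk location with `filepath.Join` on a Windows host, the traversal the commit is closing remains open there, while the file already imports `path/filepath` and `strings`. A stricter check is to reject rather than silently rewrite: `if reportName == "/" || reportName != req.Name || strings.ContainsAny(reportName, `\`) { handleError(c, fmt.Errorf("invalid report name %q", req.Name)); return }`, which also stops a request for `a/b` being quietly stored as `b`. The `reportName == "."` branch is unreachable, since `path.Clean("/"+name)` never yields an empty string and `path.Base` only returns "." for empty input, so the only sentinel to test is "/". Using `%q` instead of `'%s'` keeps a user-supplied name unambiguous in the error message. createReport continues past the end of this hunk, so where reportName is finally used on disk is not visible here.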
