address uncleaned Dest from codeql

gogrlx · Jun 28, 2023 · 1f5b642 · 1f5b642
1 parent 722b7b3
commit 1f5b642
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pki/pki.go b/pki/pki.go
@@ -226,6 +226,10 @@ func ListNKeysByType() types.KeysByType {
 func RejectNKey(id string, nkey string) error {
 	defer ReloadNKeys()
 	newDest := filepath.Join(config.FarmerPKI, "sprouts", "rejected", id)
+	cleanDest := filepath.Clean(newDest)
+	if newDest != cleanDest {
+		return types.ErrSproutIDInvalid
+	}
 	fname, err := findNKey(id)
 	if nkey != "" && err == types.ErrSproutIDNotFound {
 		file, errCreate := os.Create(newDest)