bugfix: prevent path traversal (#31)

6f688b29 · Ian Chen · GitHub · 01452c39 · 6f688b29
Unverified Commit 6f688b29 authored 2 years ago by Ian Chen Committed by GitHub 2 years ago
--- a/backend/webui_service/middleware.go
+++ b/backend/webui_service/middleware.go
 package webui_service

 import (
+	"path/filepath"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 )

@@ -14,9 +17,19 @@ func ReturnPublic() gin.HandlerFunc {
 			if destPath[len(destPath)-1] == '/' {
 				destPath = destPath[:len(destPath)-1]
 			}
+			destPath = verifyDestPath(destPath)
 			context.File(destPath)
 		} else {
 			context.Next()
 		}
 	}
 }
+
+func verifyDestPath(requestedURI string) string {
+	destPath := filepath.Clean(requestedURI)
+	// if destPath contains ".." then it is not a valid path
+	if strings.Contains(destPath, "..") {
+		return PublicPath
+	}
+	return destPath
+}