davrot/forgejo_backup
1
0
Fork 0
mirror of https://codeberg.org/davrot/forgejo.git synced 2025-06-24 02:00:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

upload with path structure: Modified traversal path handling, changed tests accordingly

Browse source
This commit is contained in:
David Rotermund 2025-04-27 21:59:37 +02:00
parent 30da6d4d85
commit 0ab9b04f95
2 changed files with 84 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

18
services/repository/files/pathutils.go
View file

@ -9,12 +9,19 @@ import (
"strings"
)
var fileNameComponentSanitizeRegexp = regexp.MustCompile(`(?i)\.\.|[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
// var fileNameComponentSanitizeRegexp = regexp.MustCompile(`(?i)\.\.|[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
var fileNameComponentSanitizeRegexp = regexp.MustCompile(`(?i)[<>:\"/\\|?*\x{0000}-\x{001F}]|^(con|prn|aux|nul|com\d|lpt\d)$`)
// SanitizePath cleans and validates a file path
func SanitizePath(inputPath string) (string, error) {
// Normalize path separators
s := strings.ReplaceAll(inputPath, "\\", "/")
// We don't want a / or \\ as the beginning of a path
if strings.HasPrefix(inputPath, "/") {
return "", fmt.Errorf("path starts with / : %s", inputPath)
}
// Clean the path
s = path.Clean(s)
// Split the path components
@ -22,6 +29,15 @@ func SanitizePath(inputPath string) (string, error) {
// Sanitize each path component
var sanitizedComponents []string
for _, component := range pathComponents {
// There is no reason why there should be a path segment with ..
if component == ".." {
return "", fmt.Errorf("path contains directory traversal: %s", s)
}
// There is no reason why there should be a path segment with .
if component == "." {
return "", fmt.Errorf("path contains directory traversal: %s", s)
}
// Trim whitespace and apply regex sanitization
sanitizedComponent := strings.TrimSpace(fileNameComponentSanitizeRegexp.ReplaceAllString(component, "_"))