Mathis/lemma
1
0
Fork 0
mirror of https://github.com/lordmathis/lemma.git synced 2025-11-06 07:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

File path validation

Browse Source
This commit is contained in:
Matúš Námešný
2024-09-27 17:56:20 +02:00
parent 840e77fcc0
commit 56bd2c29ad
2 changed files with 38 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/internal/api/handlers.go
View File

@@ -16,7 +16,7 @@ func ListFiles(fs *filesystem.FileSystem) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
files, err := fs.ListFilesRecursively() files, err := fs.ListFilesRecursively()
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, "Failed to list files", http.StatusInternalServerError)
return return
} }
@@ -30,7 +30,7 @@ func GetFileContent(fs *filesystem.FileSystem) http.HandlerFunc {
filePath := strings.TrimPrefix(r.URL.Path, "/api/v1/files/") filePath := strings.TrimPrefix(r.URL.Path, "/api/v1/files/")
content, err := fs.GetFileContent(filePath) content, err := fs.GetFileContent(filePath)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusNotFound) http.Error(w, "Failed to read file", http.StatusNotFound)
return return
} }

40
backend/internal/filesystem/filesystem.go
View File

@@ -1,8 +1,10 @@
package filesystem package filesystem
import ( import (
"errors"
"os" "os"
"path/filepath" "path/filepath"
"strings"
) )
type FileSystem struct { type FileSystem struct {
@@ -19,6 +21,27 @@ func New(rootDir string) *FileSystem {
return &FileSystem{RootDir: rootDir} return &FileSystem{RootDir: rootDir}
} }
// validatePath checks if the given path is within the root directory
func (fs *FileSystem) validatePath(path string) (string, error) {
fullPath := filepath.Join(fs.RootDir, path)
cleanPath := filepath.Clean(fullPath)
if !strings.HasPrefix(cleanPath, fs.RootDir) {
return "", errors.New("invalid path: outside of root directory")
}
relPath, err := filepath.Rel(fs.RootDir, cleanPath)
if err != nil {
return "", err
}
if strings.HasPrefix(relPath, "..") {
return "", errors.New("invalid path: outside of root directory")
}
return cleanPath, nil
}
func (fs *FileSystem) ListFilesRecursively() ([]FileNode, error) { func (fs *FileSystem) ListFilesRecursively() ([]FileNode, error) {
return fs.walkDirectory(fs.RootDir) return fs.walkDirectory(fs.RootDir)
} }
@@ -55,14 +78,20 @@ func (fs *FileSystem) walkDirectory(dir string) ([]FileNode, error) {
} }
func (fs *FileSystem) GetFileContent(filePath string) ([]byte, error) { func (fs *FileSystem) GetFileContent(filePath string) ([]byte, error) {
fullPath := filepath.Join(fs.RootDir, filePath) fullPath, err := fs.validatePath(filePath)
if err != nil {
return nil, err
}
return os.ReadFile(fullPath) return os.ReadFile(fullPath)
} }
func (fs *FileSystem) SaveFile(filePath string, content []byte) error { func (fs *FileSystem) SaveFile(filePath string, content []byte) error {
fullPath := filepath.Join(fs.RootDir, filePath) fullPath, err := fs.validatePath(filePath)
dir := filepath.Dir(fullPath) if err != nil {
return err
}
dir := filepath.Dir(fullPath)
if err := os.MkdirAll(dir, 0755); err != nil { if err := os.MkdirAll(dir, 0755); err != nil {
return err return err
} }
@@ -71,6 +100,9 @@ func (fs *FileSystem) SaveFile(filePath string, content []byte) error {
} }
func (fs *FileSystem) DeleteFile(filePath string) error { func (fs *FileSystem) DeleteFile(filePath string) error {
fullPath := filepath.Join(fs.RootDir, filePath) fullPath, err := fs.validatePath(filePath)
if err != nil {
return err
}
return os.Remove(fullPath) return os.Remove(fullPath)
} }