Fix instance name validation

2025-10-21 22:57:23 +02:00
parent c6ebe47511
commit bc025bbe28
2 changed files with 90 additions and 6 deletions


@@ -207,12 +207,17 @@ func (p *instancePersister) validateInstanceName(name string) (string, error) {
return "", fmt.Errorf("instance name cannot be empty")
}
cleaned := filepath.Clean(name)
// After cleaning, name should not contain any path separators
if cleaned != name || strings.Contains(cleaned, string(filepath.Separator)) {
return "", fmt.Errorf("invalid instance name: %s", name)
// Check for path separators and parent directory references
// This prevents path traversal attacks
if strings.Contains(name, "/") || strings.Contains(name, "\\") || strings.Contains(name, "..") {
return "", fmt.Errorf("invalid instance name: %s (cannot contain path separators or '..')", name)
}
return cleaned, nil
// Additional check: ensure the name doesn't start with a dot (hidden files)
// or contain any other suspicious characters
if strings.HasPrefix(name, ".") {
return "", fmt.Errorf("invalid instance name: %s (cannot start with '.')", name)
}
return name, nil
}
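Review bot: The comment above the dot-prefix check promises a check for "any other suspicious characters", but the new code rejects only `/`, `\`, `..` and a leading `.`, so NUL bytes, control characters and (on Windows) `:` still pass and are returned as a valid name. If the name is later used as a file name, which the persister receiver suggests but the hunk does not show, an allowlist of permitted characters would be more robust than this denylist. At minimum add `if strings.IndexFunc(name, unicode.IsControl) >= 0 { return "", fmt.Errorf("invalid instance name: %q (cannot contain control characters)", name) }` (needs the `unicode` import) and trim the comment to what is actually checked. The error messages also format the rejected name with `%s`, so embedded newlines reach logs verbatim; `%q` avoids that. The function's signature and the start of its empty-name check lie outside the hunk.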