Mathis/llamactl
1
0
Fork 0
mirror of https://github.com/lordmathis/llamactl.git synced 2025-11-05 16:44:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix path validation false positive

Browse Source
This commit is contained in:
Matúš Námešný
2025-10-21 22:47:41 +02:00
parent 9bb106a1ce
commit c6ebe47511
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/manager/persistence.go
View File

@@ -49,14 +49,15 @@ func (p *instancePersister) save(inst *instance.Instance) error {
}
// Validate instance name to prevent path traversal
if err := p.validateInstanceName(inst.Name); err != nil {
validatedName, err := p.validateInstanceName(inst.Name)
if err != nil {
return err
}
p.mu.Lock()
defer p.mu.Unlock()
instancePath := filepath.Join(p.instancesDir, inst.Name+".json")
instancePath := filepath.Join(p.instancesDir, validatedName+".json")
tempPath := instancePath + ".tmp"
// Serialize instance to JSON
@@ -106,14 +107,15 @@ func (p *instancePersister) delete(name string) error {
return nil
}
if err := p.validateInstanceName(name); err != nil {
validatedName, err := p.validateInstanceName(name)
if err != nil {
return err
}
p.mu.Lock()
defer p.mu.Unlock()
instancePath := filepath.Join(p.instancesDir, name+".json")
instancePath := filepath.Join(p.instancesDir, validatedName+".json")
if err := os.Remove(instancePath); err != nil {
if os.IsNotExist(err) {
@@ -199,17 +201,18 @@ func (p *instancePersister) loadInstanceFile(name, path string) (*instance.Insta
}
// validateInstanceName ensures the instance name is safe for filesystem operations.
func (p *instancePersister) validateInstanceName(name string) error {
// Returns the validated name if valid, or an error if invalid.
func (p *instancePersister) validateInstanceName(name string) (string, error) {
if name == "" {
return fmt.Errorf("instance name cannot be empty")
return "", fmt.Errorf("instance name cannot be empty")
}
cleaned := filepath.Clean(name)
// After cleaning, name should not contain any path separators
if cleaned != name || strings.Contains(cleaned, string(filepath.Separator)) {
return fmt.Errorf("invalid instance name: %s", name)
return "", fmt.Errorf("invalid instance name: %s", name)
}
return nil
return cleaned, nil
}