Mathis/llamactl
1
0
Fork 0
mirror of https://github.com/lordmathis/llamactl.git synced 2025-11-06 00:54:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix path validation false positive

Browse Source
This commit is contained in:
Matúš Námešný
2025-10-21 22:47:41 +02:00
parent 9bb106a1ce
commit c6ebe47511
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/manager/persistence.go
View File

@@ -49,14 +49,15 @@ func (p *instancePersister) save(inst *instance.Instance) error {
} }
// Validate instance name to prevent path traversal // Validate instance name to prevent path traversal
if err := p.validateInstanceName(inst.Name); err != nil { validatedName, err := p.validateInstanceName(inst.Name)
if err != nil {
return err return err
} }
p.mu.Lock() p.mu.Lock()
defer p.mu.Unlock() defer p.mu.Unlock()
instancePath := filepath.Join(p.instancesDir, inst.Name+".json") instancePath := filepath.Join(p.instancesDir, validatedName+".json")
tempPath := instancePath + ".tmp" tempPath := instancePath + ".tmp"
// Serialize instance to JSON // Serialize instance to JSON
@@ -106,14 +107,15 @@ func (p *instancePersister) delete(name string) error {
return nil return nil
} }
if err := p.validateInstanceName(name); err != nil { validatedName, err := p.validateInstanceName(name)
if err != nil {
return err return err
} }
p.mu.Lock() p.mu.Lock()
defer p.mu.Unlock() defer p.mu.Unlock()
instancePath := filepath.Join(p.instancesDir, name+".json") instancePath := filepath.Join(p.instancesDir, validatedName+".json")
if err := os.Remove(instancePath); err != nil { if err := os.Remove(instancePath); err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
@@ -199,17 +201,18 @@ func (p *instancePersister) loadInstanceFile(name, path string) (*instance.Insta
} }
// validateInstanceName ensures the instance name is safe for filesystem operations. // validateInstanceName ensures the instance name is safe for filesystem operations.
func (p *instancePersister) validateInstanceName(name string) error { // Returns the validated name if valid, or an error if invalid.
func (p *instancePersister) validateInstanceName(name string) (string, error) {
if name == "" { if name == "" {
return fmt.Errorf("instance name cannot be empty") return "", fmt.Errorf("instance name cannot be empty")
} }
cleaned := filepath.Clean(name) cleaned := filepath.Clean(name)
// After cleaning, name should not contain any path separators // After cleaning, name should not contain any path separators
if cleaned != name || strings.Contains(cleaned, string(filepath.Separator)) { if cleaned != name || strings.Contains(cleaned, string(filepath.Separator)) {
return fmt.Errorf("invalid instance name: %s", name) return "", fmt.Errorf("invalid instance name: %s", name)
} }
return nil return cleaned, nil
} }