Added utils to verify paths

2025-12-13 15:34:38 +01:00 · 2024-03-15 20:00:39 +00:00
parent d123182a2f
commit 295ff6537b
2 changed files with 88 additions and 35 deletions
--- a/server/api/utils.go
+++ b/server/api/utils.go
@@ -0,0 +1,37 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+)
+
+func inTrustedRoot(path string, trustedRoot string) error {
+	for path != "/" {
+		path = filepath.Dir(path)
+		if path == trustedRoot {
+			return nil
+		}
+	}
+	return errors.New("path is outside of trusted root")
+}
+
+func verifyPath(path string, trustedRoot string) (string, error) {
+
+	c := filepath.Clean(path)
+	fmt.Println("Cleaned path: " + c)
+
+	r, err := filepath.EvalSymlinks(c)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return c, errors.New("Unsafe or invalid path specified")
+	}
+
+	err = inTrustedRoot(r, trustedRoot)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return r, errors.New("Unsafe or invalid path specified")
+	} else {
+		return r, nil
+	}
+}