Added utils to verify paths

server/api/endpoints.go

@@ -297,8 +297,7 @@ func (s *APIServer) ExportSave(w http.ResponseWriter, r *http.Request) {
 }
 func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 	// Get the 'id' parameter from the URL
-	vars := mux.Vars(r)
+	token := mux.Vars(r)["id"]
-	token := vars["id"]
 	var tokenPattern = regexp.MustCompile(`[A-Za-z0-9]+`)
 
 	if !tokenPattern.MatchString(token) || token == "" {
@@ -306,8 +305,16 @@ func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 
 	}
 	// Open the image file
-	path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token))
+	safePath := s.erupeConfig.Screenshots.OutputDir
-	file, err := os.Open(path)
+	path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
+	result, err := verifyPath(path, safePath)
+
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+	} else {
+		fmt.Println("Canonical: " + result)
+
+		file, err := os.Open(result)
 		if err != nil {
 			http.Error(w, "Image not found", http.StatusNotFound)
 			return
@@ -320,6 +327,7 @@ func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "Unable to send image", http.StatusInternalServerError)
 			return
 		}
+	}
 }
 func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
 	// Create a struct representing the XML result
@@ -355,12 +363,19 @@ func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
 			result = Result{Code: "400"}
 		}
 
-		dir := filepath.Join(s.erupeConfig.Screenshots.OutputDir)
+		safePath := s.erupeConfig.Screenshots.OutputDir
-		path := filepath.Join(s.erupeConfig.Screenshots.OutputDir, fmt.Sprintf("%s.jpg", token))
+
-		_, err = os.Stat(dir)
+		path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
+		verified, err := verifyPath(path, safePath)
+
+		if err != nil {
+			result = Result{Code: "500"}
+		} else {
+
+			_, err = os.Stat(safePath)
 			if err != nil {
 				if os.IsNotExist(err) {
-				err = os.MkdirAll(dir, os.ModePerm)
+					err = os.MkdirAll(safePath, os.ModePerm)
 					if err != nil {
 						s.logger.Error("Error writing screenshot, could not create folder")
 						result = Result{Code: "500"}
@@ -371,7 +386,7 @@ func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
 				}
 			}
 			// Create or open the output file
-		outputFile, err := os.Create(path)
+			outputFile, err := os.Create(verified)
 			if err != nil {
 				result = Result{Code: "500"}
 			}
@@ -384,6 +399,7 @@ func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
 				result = Result{Code: "500"}
 			}
 		}
+	}
 	// Marshal the struct into XML
 	xmlData, err := xml.Marshal(result)
 	if err != nil {

server/api/utils.go

@@ -0,0 +1,37 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+)
+
+func inTrustedRoot(path string, trustedRoot string) error {
+	for path != "/" {
+		path = filepath.Dir(path)
+		if path == trustedRoot {
+			return nil
+		}
+	}
+	return errors.New("path is outside of trusted root")
+}
+
+func verifyPath(path string, trustedRoot string) (string, error) {
+
+	c := filepath.Clean(path)
+	fmt.Println("Cleaned path: " + c)
+
+	r, err := filepath.EvalSymlinks(c)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return c, errors.New("Unsafe or invalid path specified")
+	}
+
+	err = inTrustedRoot(r, trustedRoot)
+	if err != nil {
+		fmt.Println("Error " + err.Error())
+		return r, errors.New("Unsafe or invalid path specified")
+	} else {
+		return r, nil
+	}
+}