fix(api): prevent path traversal in ScreenShot endpoint

Anchor the token regex to ^[A-Za-z0-9]+$ so partial matches on traversal strings like "../../etc/passwd" are rejected. Refactor the handler to use early returns so execution stops immediately on validation failure instead of falling through to os.Create with tainted input.
2026-03-21 23:22:34 +01:00 · 2026-02-18 14:10:45 +01:00
parent e353906e1c
commit 898ada3d99
1 changed files with 63 additions and 69 deletions
--- a/server/api/endpoints.go
+++ b/server/api/endpoints.go
@@ -330,83 +330,77 @@ func (s *APIServer) ScreenShotGet(w http.ResponseWriter, r *http.Request) {
 	}
 }
 func (s *APIServer) ScreenShot(w http.ResponseWriter, r *http.Request) {
-	// Create a struct representing the XML result
 	type Result struct {
 		XMLName xml.Name `xml:"result"`
 		Code    string   `xml:"code"`
 	}
-	// Set the Content-Type header to specify that the response is in XML format
-	w.Header().Set("Content-Type", "text/xml")
-	result := Result{Code: "200"}
-	if !s.erupeConfig.Screenshots.Enabled {
-		result = Result{Code: "400"}
-	} else {

-		if r.Method != http.MethodPost {
-			result = Result{Code: "405"}
-		}
-		// Get File from Request
-		file, _, err := r.FormFile("img")
+	writeResult := func(code string) {
+		w.Header().Set("Content-Type", "text/xml")
+		xmlData, err := xml.Marshal(Result{Code: code})
 		if err != nil {
-			result = Result{Code: "400"}
-		}
-		var tokenPattern = regexp.MustCompile(`[A-Za-z0-9]+`)
-		token := r.FormValue("token")
-		if !tokenPattern.MatchString(token) || token == "" {
-			result = Result{Code: "401"}
-
-		}
-
-		// Validate file
-		img, _, err := image.Decode(file)
-		if err != nil {
-			result = Result{Code: "400"}
-		}
-
-		safePath := s.erupeConfig.Screenshots.OutputDir
-
-		path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
-		verified, err := verifyPath(path, safePath)
-
-		if err != nil {
-			result = Result{Code: "500"}
-		} else {
-
-			_, err = os.Stat(safePath)
-			if err != nil {
-				if os.IsNotExist(err) {
-					err = os.MkdirAll(safePath, os.ModePerm)
-					if err != nil {
-						s.logger.Error("Error writing screenshot, could not create folder")
-						result = Result{Code: "500"}
-					}
-				} else {
-					s.logger.Error("Error writing screenshot")
-					result = Result{Code: "500"}
-				}
-			}
-			// Create or open the output file
-			outputFile, err := os.Create(verified)
-			if err != nil {
-				result = Result{Code: "500"}
-			}
-			defer func() { _ = outputFile.Close() }()
-
-			// Encode the image and write it to the file
-			err = jpeg.Encode(outputFile, img, &jpeg.Options{Quality: s.erupeConfig.Screenshots.UploadQuality})
-			if err != nil {
-				s.logger.Error("Error writing screenshot, could not write file", zap.Error(err))
-				result = Result{Code: "500"}
-			}
+			http.Error(w, "Unable to marshal XML", http.StatusInternalServerError)
+			return
 		}
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write(xmlData)
 	}
-	// Marshal the struct into XML
-	xmlData, err := xml.Marshal(result)
-	if err != nil {
-		http.Error(w, "Unable to marshal XML", http.StatusInternalServerError)
+
+	if !s.erupeConfig.Screenshots.Enabled {
+		writeResult("400")
 		return
 	}
-	// Write the XML response with a 200 status code
-	w.WriteHeader(http.StatusOK)
-	_, _ = w.Write(xmlData)
+	if r.Method != http.MethodPost {
+		writeResult("405")
+		return
+	}
+
+	var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9]+$`)
+	token := r.FormValue("token")
+	if !tokenPattern.MatchString(token) {
+		writeResult("401")
+		return
+	}
+
+	file, _, err := r.FormFile("img")
+	if err != nil {
+		writeResult("400")
+		return
+	}
+
+	img, _, err := image.Decode(file)
+	if err != nil {
+		writeResult("400")
+		return
+	}
+
+	safePath := s.erupeConfig.Screenshots.OutputDir
+	path := filepath.Join(safePath, fmt.Sprintf("%s.jpg", token))
+	verified, err := verifyPath(path, safePath)
+	if err != nil {
+		writeResult("500")
+		return
+	}
+
+	if err := os.MkdirAll(safePath, os.ModePerm); err != nil {
+		s.logger.Error("Error writing screenshot, could not create folder", zap.Error(err))
+		writeResult("500")
+		return
+	}
+
+	outputFile, err := os.Create(verified)
+	if err != nil {
+		s.logger.Error("Error writing screenshot, could not create file", zap.Error(err))
+		writeResult("500")
+		return
+	}
+	defer func() { _ = outputFile.Close() }()
+
+	if err := jpeg.Encode(outputFile, img, &jpeg.Options{Quality: s.erupeConfig.Screenshots.UploadQuality}); err != nil {
+		s.logger.Error("Error writing screenshot, could not write file", zap.Error(err))
+		writeResult("500")
+		return
+	}
+
+	writeResult("200")
 }