
fix: prevent path traversal in GetFile endpoint

Signed-off-by: tranquac <tranquac@users.noreply.github.com>
quactv 2 weeks ago
a702c264bf
  1. 16
      api/v1/file_controller.go

16
api/v1/file_controller.go

@ -2,6 +2,7 @@ package v1 @@ -2,6 +2,7 @@ package v1
import (
"io/ioutil"
"path/filepath"
"net/http"
"strings"
@ -18,7 +19,20 @@ import ( @@ -18,7 +19,20 @@ import (
func GetFile(c *gin.Context) {
fileName := c.Param("fileName")
log.Logger.Info(fileName)
data, _ := ioutil.ReadFile(config.GetConfig().StaticPath.FilePath + fileName)
// Prevent path traversal by extracting only the base filename
fileName = filepath.Base(fileName)
if fileName == "." || fileName == "/" {
c.JSON(http.StatusBadRequest, response.FailMsg("invalid file name"))
return
}
filePath := filepath.Join(config.GetConfig().StaticPath.FilePath, fileName)
data, err := ioutil.ReadFile(filePath)
if err != nil {
c.JSON(http.StatusNotFound, response.FailMsg("file not found"))
return
}
c.Writer.Write(data)
}
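Review bot: The guard `if fileName == "." || fileName == "/"` does not cover `..`, which `filepath.Base` returns unchanged (`filepath.Base("..")` is `".."`), so `filepath.Join(FilePath, "..")` resolves to the parent of the static directory. As written this is not a traversal, because `ioutil.ReadFile` on a directory errors and lands in the 404 branch, but the rejection should be explicit rather than incidental: `if fileName == "." || fileName == ".." || fileName == "/" {`. Because `Base` keeps any leading dot, hidden files placed in the static directory (a `.env`, for example) would presumably still be served; if that directory can hold such files, reject names starting with `.` as well. Separately, `ioutil.ReadFile` is deprecated since Go 1.16 in favour of `os.ReadFile`, and `c.Writer.Write(data)` sends no Content-Type and buffers the whole file, where `c.File(filePath)` would stream it with a proper header.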
