Attempt 2 to resolve security warning (#612)

* replace path with filepath

* remove configPath from error

* remove unnecessary printf

* replace more paths with filepath

* remove unnecessary abs path call

* bad commit

wavesrv/cmd/main-server.go

@@ -17,7 +17,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -798,26 +797,21 @@ func HandleRunEphemeralCommand(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func CheckIsDir(dirHandler http.Handler, fileHandler http.Handler) http.Handler {
+// Checks if the /config request is for a specific file or a directory. Passes the request to the appropriate handler.
+func ConfigHandlerCheckIsDir(dirHandler http.Handler, fileHandler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		configPath := r.URL.Path
-		configAbsPath, err := filepath.Abs(configPath)
+		configBaseDir := filepath.Join(scbase.GetWaveHomeDir(), "config")
-		if err != nil {
+		configFullPath, err := filepath.Abs(filepath.Join(scbase.GetWaveHomeDir(), configPath))
+		if err != nil || !strings.HasPrefix(configFullPath, configBaseDir) {
 			w.WriteHeader(http.StatusInternalServerError)
-			w.Write([]byte(fmt.Sprintf("error getting absolute path: %v", err)))
+			w.Write([]byte("error: path is not in config folder"))
-			return
-		}
-		configBaseDir := path.Join(scbase.GetWaveHomeDir(), "config")
-		configFullPath := path.Join(scbase.GetWaveHomeDir(), configAbsPath)
-		if !strings.HasPrefix(configFullPath, configBaseDir) {
-			w.WriteHeader(http.StatusInternalServerError)
-			w.Write([]byte(fmt.Sprintf("error: path is not in config folder")))
 			return
 		}
 		fstat, err := os.Stat(configFullPath)
 		if errors.Is(err, fs.ErrNotExist) {
 			w.WriteHeader(http.StatusNotFound)
-			w.Write([]byte(fmt.Sprintf("file not found: %v", configAbsPath)))
+			w.Write([]byte(fmt.Sprintf("file not found: %v", err)))
 			return
 		} else if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
@@ -864,7 +858,7 @@ func AuthKeyWrapAllowHmac(fn WebFnType) WebFnType {
 			hmacOk, err := waveenc.ValidateUrlHmac([]byte(scbase.WaveAuthKey), r.URL.Path, qvals)
 			if err != nil || !hmacOk {
 				w.WriteHeader(http.StatusInternalServerError)
-				w.Write([]byte(fmt.Sprintf("error validating hmac")))
+				w.Write([]byte("error validating hmac"))
 				return
 			}
 			// fallthrough (hmac is valid)
@@ -1018,12 +1012,13 @@ func doShutdown(reason string) {
 
 func configDirHandler(w http.ResponseWriter, r *http.Request) {
 	configPath := r.URL.Path
-	if !fs.ValidPath(configPath) && !strings.Contains(configPath, "..") {
+	homeDir := scbase.GetWaveHomeDir()
+	configFullPath, err := filepath.Abs(filepath.Join(homeDir, configPath))
+	if err != nil || !strings.HasPrefix(configFullPath, homeDir) {
 		w.WriteHeader(http.StatusInternalServerError)
-		w.Write([]byte(fmt.Sprintf("invalid path: %s", configPath)))
+		w.Write([]byte(fmt.Sprintf("Invalid path: %v", err)))
 		return
 	}
-	configFullPath := path.Join(scbase.GetWaveHomeDir(), configPath)
 	dirFile, err := os.Open(configFullPath)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
@@ -1185,11 +1180,11 @@ func main() {
 	gr.HandleFunc("/api/log-active-state", AuthKeyWrap(HandleLogActiveState))
 	gr.HandleFunc("/api/read-file", AuthKeyWrapAllowHmac(HandleReadFile))
 	gr.HandleFunc("/api/write-file", AuthKeyWrap(HandleWriteFile)).Methods("POST")
-	configPath := path.Join(scbase.GetWaveHomeDir(), "config") + "/"
+	configPath := filepath.Join(scbase.GetWaveHomeDir(), "config")
 	log.Printf("[wave] config path: %q\n", configPath)
-	isFileHandler := http.StripPrefix("/config/", http.FileServer(http.Dir(configPath)))
+	isFileHandler := http.StripPrefix("/config/", http.FileServer(http.Dir(configPath)+"/"))
 	isDirHandler := http.HandlerFunc(configDirHandler)
-	gr.PathPrefix("/config/").Handler(CheckIsDir(isDirHandler, isFileHandler))
+	gr.PathPrefix("/config/").Handler(ConfigHandlerCheckIsDir(isDirHandler, isFileHandler))
 
 	serverAddr := MainServerAddr
 	if scbase.IsDevMode() {

wavesrv/pkg/scbase/scbase.go

@@ -12,7 +12,7 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"regexp"
 	"runtime"
 	"strconv"
@@ -64,9 +64,9 @@ func GetWaveHomeDir() string {
 		}
 		pdev := os.Getenv(WaveDevVarName)
 		if pdev != "" {
-			scHome = path.Join(homeVar, WaveDevDirName)
+			scHome = filepath.Join(homeVar, WaveDevDirName)
 		} else {
-			scHome = path.Join(homeVar, WaveDirName)
+			scHome = filepath.Join(homeVar, WaveDirName)
 		}
 
 	}
@@ -78,7 +78,7 @@ func MShellBinaryDir() string {
 	if appPath == "" {
 		appPath = "."
 	}
-	return path.Join(appPath, "bin", "mshell")
+	return filepath.Join(appPath, "bin", "mshell")
 }
 
 func MShellBinaryPath(version string, goos string, goarch string) (string, error) {
@@ -91,7 +91,7 @@ func MShellBinaryPath(version string, goos string, goarch string) (string, error
 		return "", fmt.Errorf("invalid mshell version: %q", version)
 	}
 	fileName := fmt.Sprintf("mshell-%s-%s.%s", versionStr, goos, goarch)
-	fullFileName := path.Join(binaryDir, fileName)
+	fullFileName := filepath.Join(binaryDir, fileName)
 	return fullFileName, nil
 }
 
@@ -134,7 +134,7 @@ func InitializeWaveAuthKey() error {
 	if err != nil {
 		return fmt.Errorf("cannot find/create WAVETERM_HOME directory %q", homeDir)
 	}
-	fileName := path.Join(homeDir, WaveAuthKeyFileName)
+	fileName := filepath.Join(homeDir, WaveAuthKeyFileName)
 	fd, err := os.Open(fileName)
 	if err != nil && errors.Is(err, fs.ErrNotExist) {
 		return createWaveAuthKeyFile(fileName)
@@ -162,7 +162,7 @@ func AcquireWaveLock() (*os.File, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot find/create WAVETERM_HOME directory %q", homeDir)
 	}
-	lockFileName := path.Join(homeDir, WaveLockFile)
+	lockFileName := filepath.Join(homeDir, WaveLockFile)
 	log.Printf("[base] acquiring lock on %s\n", lockFileName)
 	fd, err := os.OpenFile(lockFileName, os.O_RDWR|os.O_CREATE, 0600)
 	if err != nil {
@@ -188,7 +188,7 @@ func EnsureSessionDir(sessionId string) (string, error) {
 		return sdir, nil
 	}
 	scHome := GetWaveHomeDir()
-	sdir = path.Join(scHome, SessionsDirBaseName, sessionId)
+	sdir = filepath.Join(scHome, SessionsDirBaseName, sessionId)
 	err := ensureDir(sdir)
 	if err != nil {
 		return "", err
@@ -202,7 +202,7 @@ func EnsureSessionDir(sessionId string) (string, error) {
 // deprecated (v0.1.8)
 func GetSessionsDir() string {
 	waveHome := GetWaveHomeDir()
-	sdir := path.Join(waveHome, SessionsDirBaseName)
+	sdir := filepath.Join(waveHome, SessionsDirBaseName)
 	return sdir
 }
 
@@ -217,7 +217,7 @@ func EnsureScreenDir(screenId string) (string, error) {
 		return sdir, nil
 	}
 	scHome := GetWaveHomeDir()
-	sdir = path.Join(scHome, ScreensDirBaseName, screenId)
+	sdir = filepath.Join(scHome, ScreensDirBaseName, screenId)
 	err := ensureDir(sdir)
 	if err != nil {
 		return "", err
@@ -230,18 +230,18 @@ func EnsureScreenDir(screenId string) (string, error) {
 
 func GetScreensDir() string {
 	waveHome := GetWaveHomeDir()
-	sdir := path.Join(waveHome, ScreensDirBaseName)
+	sdir := filepath.Join(waveHome, ScreensDirBaseName)
 	return sdir
 }
 
 func EnsureConfigDirs() (string, error) {
 	scHome := GetWaveHomeDir()
-	configDir := path.Join(scHome, "config")
+	configDir := filepath.Join(scHome, "config")
 	err := ensureDir(configDir)
 	if err != nil {
 		return "", err
 	}
-	keybindingsFile := path.Join(configDir, "keybindings.json")
+	keybindingsFile := filepath.Join(configDir, "keybindings.json")
 	keybindingsFileObj, err := ensureFile(keybindingsFile)
 	if err != nil {
 		return "", err
@@ -250,7 +250,7 @@ func EnsureConfigDirs() (string, error) {
 		keybindingsFileObj.WriteString("[]\n")
 		keybindingsFileObj.Close()
 	}
-	terminalThemesDir := path.Join(configDir, "terminal-themes")
+	terminalThemesDir := filepath.Join(configDir, "terminal-themes")
 	err = ensureDir(terminalThemesDir)
 	if err != nil {
 		return "", err