From a369381c4e6bd841e7c566c105b1eee48249064c Mon Sep 17 00:00:00 2001
From: Evan Simkowitz
Date: Tue, 24 Sep 2024 16:19:59 -0700
Subject: [PATCH] Fix uncontrolled path expression in ExpandHomeDir (#816)
---
pkg/wavebase/wavebase.go | 2 +-
pkg/web/web.go | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/wavebase/wavebase.go b/pkg/wavebase/wavebase.go
index 2ae6f1be6..3935e04f0 100644
--- a/pkg/wavebase/wavebase.go
+++ b/pkg/wavebase/wavebase.go
@@ -59,7 +59,7 @@ func ExpandHomeDir(pathStr string) string {
 if pathStr == "~" {
 return homeDir
 }
- return filepath.Join(homeDir, pathStr[2:])
+ return filepath.Clean(filepath.Join(homeDir, pathStr[2:]))
 }
 
 func ReplaceHomeDir(pathStr string) string {
diff --git a/pkg/web/web.go b/pkg/web/web.go
index 96b1e77c6..4452405e6 100644
--- a/pkg/web/web.go
+++ b/pkg/web/web.go
@@ -14,6 +14,7 @@ import (
 "net"
 "net/http"
 "os"
+ "path/filepath"
 "runtime/debug"
 "strconv"
 "time"
@@ -223,7 +224,7 @@ func handleLocalStreamFile(w http.ResponseWriter, r *http.Request, fileName stri
 // use the custom response writer
 rw := ¬FoundBlockingResponseWriter{w: w, headers: http.Header{}}
 // Serve the file using http.ServeFile
- http.ServeFile(rw, r, fileName)
+ http.ServeFile(rw, r, filepath.Clean(fileName))
 // if the file was not found, serve the transparent GIF
 log.Printf("got streamfile status: %d\n", rw.status)
 if rw.status == http.StatusNotFound {
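Review bot: Wrapping the result in `filepath.Clean` does not address the "uncontrolled path expression" named in the title: `filepath.Join` already calls `Clean` on its result, so `filepath.Clean(filepath.Join(homeDir, pathStr[2:]))` returns exactly what the removed line returned, and an input such as `~/../../etc/passwd` still resolves outside homeDir. The same holds for `filepath.Clean(fileName)` in the second web.go hunk, where cleaning an absolute path removes nothing and `http.ServeFile` only rejects `..` elements in `r.URL.Path`, not in the name argument it is handed. If confinement to homeDir (or to a known root for handleLocalStreamFile) is the intent, check the joined path with `rel, err := filepath.Rel(homeDir, joined)` and reject when `err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))` (this would need `strings` in scope, which is not visible here); if escaping the home directory via `~/..` is deliberately allowed, say so in a comment on the return line so the scanner result is resolved rather than silenced. Both ExpandHomeDir and handleLocalStreamFile begin outside their hunks, so how `pathStr` is validated before `pathStr[2:]` and where `fileName` originates cannot be confirmed from this patch.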