Upstream/waveterm
1
0
Fork 0
mirror of https://github.com/wavetermdev/waveterm.git synced 2025-01-02 18:39:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Validate config dir path to resolve security warning (#611)

Browse Source 
* Attempt to validate config path to resolve security warning

* move above fullpath

* make sure path does not reference parent dir
This commit is contained in:
Evan Simkowitz 2024-04-26 11:23:09 -07:00 committed by GitHub
parent 22c5d224bd
commit db557e0b69
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
wavesrv/cmd/main-server.go
View File

@ -1018,6 +1018,11 @@ func doShutdown(reason string) {
func configDirHandler(w http.ResponseWriter, r *http.Request) { func configDirHandler(w http.ResponseWriter, r *http.Request) {
configPath := r.URL.Path configPath := r.URL.Path
if !fs.ValidPath(configPath) && !strings.Contains(configPath, "..") {
w.WriteHeader(http.StatusInternalServerError)
w.Write([]byte(fmt.Sprintf("invalid path: %s", configPath)))
return
}
configFullPath := path.Join(scbase.GetWaveHomeDir(), configPath) configFullPath := path.Join(scbase.GetWaveHomeDir(), configPath)
dirFile, err := os.Open(configFullPath) dirFile, err := os.Open(configFullPath)
if err != nil { if err != nil {