tookeyman/vinegar
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixing up some directory traversal attacks round 3

Browse Source
This commit is contained in:
dtookey 2023-07-31 11:16:37 -04:00
parent fe84a6d7fd
commit a3ff0f57b3
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
servlet/staticRoute.go
View File

@ -68,6 +68,9 @@ type (
// the provided VinegarServlet. // the provided VinegarServlet.
var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute { var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike) fileRoot := filepath.Clean(pathlike)
if strings.Contains(fileRoot, "../") {
panic("Traversing the directory is not allowed, use an absolute filepath instead")
}
defaultPrune := strings.Replace(urlPattern, ".*", "", -1) defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache} route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
textRouteHandler := createCompressibleFileServletFunction(&route, defaultPrune, pathlike) textRouteHandler := createCompressibleFileServletFunction(&route, defaultPrune, pathlike)
@ -81,6 +84,9 @@ var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern str
var NewImageRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute { var NewImageRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike) fileRoot := filepath.Clean(pathlike)
if strings.Contains(fileRoot, "../") {
panic("Traversing the directory is not allowed, use an absolute filepath instead")
}
defaultPrune := strings.Replace(urlPattern, ".*", "", -1) defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache} route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
rootRoute := NewServletRoute(urlPattern, createUncompressedFileServletFunction(&route, defaultPrune, pathlike)) rootRoute := NewServletRoute(urlPattern, createUncompressedFileServletFunction(&route, defaultPrune, pathlike))
@ -171,6 +177,10 @@ func createSingleFileServletFunction(route *FileRoute) VinegarHandlerFunction {
func createCompressibleFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction { func createCompressibleFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction {
var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) { var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) {
stub := strings.Replace(req.URL.Path, basePattern, "", 1) stub := strings.Replace(req.URL.Path, basePattern, "", 1)
if strings.Contains(stub, "../") {
route.srv.SendError(w, req, 403, "Forbidden", errors.New("Stop trying directory traversal"))
return
}
cachedContent, exists := route.VinegarRoute.Cache.Get(stub) cachedContent, exists := route.VinegarRoute.Cache.Get(stub)
//i don't like this logic below. we need to streamline this a lot better. it's a twisty jungle right now //i don't like this logic below. we need to streamline this a lot better. it's a twisty jungle right now
@ -214,7 +224,10 @@ func createCompressibleFileServletFunction(route *FileRoute, basePattern string,
func createUncompressedFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction { func createUncompressedFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction {
var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) { var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) {
stub := strings.Replace(req.URL.Path, basePattern, "", 1) stub := strings.Replace(req.URL.Path, basePattern, "", 1)
if strings.Contains(stub, "../") {
route.srv.SendError(w, req, 403, "Forbidden", errors.New("Stop trying directory traversal"))
return
}
rootPath := filepath.Clean(pathlike) rootPath := filepath.Clean(pathlike)
filePath := filepath.Clean(stub) filePath := filepath.Clean(stub)
resourcePath := path.Join(rootPath, filePath) resourcePath := path.Join(rootPath, filePath)