Reject upload requests for .git paths

Fixes #107
2024-12-13 05:50:27 +00:00 · 2021-10-27 12:43:36 +07:00 · 2021-10-27 12:43:36 +07:00 · 6eab333ba8
commit 6eab333ba8
parent 742f34ae9a
2 changed files with 9 additions and 4 deletions
--- a/shroom/can.go
+++ b/shroom/can.go
@ -14,7 +14,7 @@ func canFactory(
 	dispatcher func(*hyphae.Hypha, *user.User, *l18n.Localizer) (string, string),
 	noRightsMsg string,
 	notExistsMsg string,
-	careAboutExistence bool,
+	mustExist bool,
 ) func(*user.User, *hyphae.Hypha, *l18n.Localizer) (string, error) {
 	return func(u *user.User, h *hyphae.Hypha, lc *l18n.Localizer) (string, error) {
 		if !u.CanProceed(action) {
@ -22,7 +22,7 @@ func canFactory(
 			return lc.Get("ui.act_no_rights"), errors.New(lc.Get(noRightsMsg))
 		}

-		if careAboutExistence && !h.Exists {
+		if mustExist && !h.Exists {
 			rejectLogger(h, u, "does not exist")
 			return lc.Get("ui.act_notexist"), errors.New(lc.Get(notExistsMsg))
 		}
--- a/shroom/upload.go
+++ b/shroom/upload.go
@ -72,8 +72,7 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
 		originalFullPath = &h.TextPath
 		originalText     = "" // for backlink update
 	)
-	// Reject if the path is outside the hyphae dir
-	if !strings.HasPrefix(fullPath, files.HyphaeDir()) {
+	if isBadPath(fullPath) {
 		err := errors.New("bad path")
 		return hop.WithErrAbort(err), err.Error()
 	}
@ -110,3 +109,9 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
 	}
 	return hop.WithFiles(fullPath).WithUser(u).Apply(), ""
 }
+
+func isBadPath(pathname string) bool {
+	return !strings.HasPrefix(pathname, files.HyphaeDir()) ||
+		strings.Contains(pathname, "..") ||
+		strings.Contains(pathname, "/.git/")
+}