From 6eab333ba84c954647dbeb3c5af2c1d087c638cf Mon Sep 17 00:00:00 2001
From: Umar Getagazov
Date: Wed, 27 Oct 2021 12:43:36 +0700
Subject: [PATCH] Reject upload requests for .git paths

Fixes #107
---
 shroom/can.go    | 4 ++--
 shroom/upload.go | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/shroom/can.go b/shroom/can.go
index 114dc7c..7db6430 100644
--- a/shroom/can.go
+++ b/shroom/can.go
@@ -14,7 +14,7 @@ func canFactory(
 	dispatcher func(*hyphae.Hypha, *user.User, *l18n.Localizer) (string, string),
 	noRightsMsg string,
 	notExistsMsg string,
-	careAboutExistence bool,
+	mustExist bool,
 ) func(*user.User, *hyphae.Hypha, *l18n.Localizer) (string, error) {
 	return func(u *user.User, h *hyphae.Hypha, lc *l18n.Localizer) (string, error) {
 		if !u.CanProceed(action) {
@@ -22,7 +22,7 @@ func canFactory(
 			return lc.Get("ui.act_no_rights"), errors.New(lc.Get(noRightsMsg))
 		}
 
-		if careAboutExistence && !h.Exists {
+		if mustExist && !h.Exists {
 			rejectLogger(h, u, "does not exist")
 			return lc.Get("ui.act_notexist"), errors.New(lc.Get(notExistsMsg))
 		}
diff --git a/shroom/upload.go b/shroom/upload.go
index 6e4ffe2..ffb82f5 100644
--- a/shroom/upload.go
+++ b/shroom/upload.go
@@ -72,8 +72,7 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
 		originalFullPath = &h.TextPath
 		originalText     = "" // for backlink update
 	)
-	// Reject if the path is outside the hyphae dir
-	if !strings.HasPrefix(fullPath, files.HyphaeDir()) {
+	if isBadPath(fullPath) {
 		err := errors.New("bad path")
 		return hop.WithErrAbort(err), err.Error()
 	}
@@ -110,3 +109,9 @@ func uploadHelp(h *hyphae.Hypha, hop *history.Op, ext string, data []byte, u *us
 	}
 	return hop.WithFiles(fullPath).WithUser(u).Apply(), ""
 }
+
+func isBadPath(pathname string) bool {
+	return !strings.HasPrefix(pathname, files.HyphaeDir()) ||
+		strings.Contains(pathname, "..") ||
+		strings.Contains(pathname, "/.git/")
+}
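Review bot: `isBadPath` in the last hunk of upload.go matches `.git` only as an interior component wrapped in `/`, so a path whose final component is `.git` (which git also honours as a plain file pointing at the real repository), a `\`-separated path on Windows, or `.GIT` on a case-insensitive filesystem all pass the check. The bare `strings.HasPrefix(pathname, files.HyphaeDir())` likewise accepts a sibling directory whose name merely begins with the hyphae dir, unless `HyphaeDir()` already ends in a separator, which is not visible here. Cleaning the path, taking it relative to the hyphae dir and testing each component covers all of these and makes the `..` test exact instead of rejecting any hypha name that happens to contain two dots; it needs `path/filepath` imported in upload.go. The caller in the hunk starting at line 72 stays as is; uploadHelp itself begins and ends outside both hunks.
```go
func isBadPath(pathname string) bool {
	rel, err := filepath.Rel(files.HyphaeDir(), filepath.Clean(pathname))
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return true // outside the hyphae dir, or not comparable with it
	}
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}
```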