2023-06-22 15:53:10 +00:00
|
|
|
package utils
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"path/filepath"
|
2024-02-18 10:12:02 +00:00
|
|
|
"strings"
|
2023-06-22 15:53:10 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func inTrustedRoot(path string, trustedRoot string) error {
|
|
|
|
for path != "/" {
|
|
|
|
path = filepath.Dir(path)
|
|
|
|
if path == trustedRoot {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return fmt.Errorf("path is outside of trusted root")
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyPath verifies that path is based in basePath.
|
|
|
|
func VerifyPath(path, basePath string) error {
|
|
|
|
c := filepath.Clean(filepath.Join(basePath, path))
|
2023-07-30 07:47:22 +00:00
|
|
|
return inTrustedRoot(c, filepath.Clean(basePath))
|
2023-06-22 15:53:10 +00:00
|
|
|
}
|
2024-02-18 10:12:02 +00:00
|
|
|
|
|
|
|
// SanitizeFileName sanitizes the given filename
|
|
|
|
func SanitizeFileName(fileName string) string {
|
|
|
|
// filepath.Clean to clean the path
|
|
|
|
cleanName := filepath.Clean(fileName)
|
|
|
|
// filepath.Base to ensure we only get the final element, not any directory path
|
|
|
|
baseName := filepath.Base(cleanName)
|
|
|
|
// Replace any remaining tricky characters that might have survived cleaning
|
|
|
|
safeName := strings.ReplaceAll(baseName, "..", "")
|
|
|
|
return safeName
|
|
|
|
}
|