LocalAI/pkg/utils/path.go


package utils
import (
"fmt"
"path/filepath"
"strings"
)
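// inTrustedRoot reports whether path lies strictly below trustedRoot. It
// returns nil when one of path's ancestor directories is exactly
// trustedRoot, and an error otherwise.
//
// The check is purely lexical: ancestors are produced with filepath.Dir and
// compared to trustedRoot by string equality. Nothing is resolved on disk,
// so symbolic links are not followed, and trustedRoot must be given in the
// same cleaned form (absolute or relative) as path for a match to occur.
// path itself is never compared, only its parents, so passing trustedRoot
// as path is rejected.
func inTrustedRoot(path string, trustedRoot string) error {
	for {
		parent := filepath.Dir(path)
		// filepath.Dir reaches a fixed point at the top of the tree ("/" for
		// absolute paths, "." for relative ones). Stopping there, instead of
		// testing for a literal "/", keeps the walk from spinning forever on
		// relative paths or on roots that are not "/".
		if parent == path {
			break
		}
		path = parent
		if path == trustedRoot {
			return nil
		}
		// A cleaned relative path that still ends in ".." points above its
		// starting directory. Its lexical parent is not a real ancestor
		// (filepath.Dir("..") is "."), so walking further would let "../x"
		// match a trusted root of ".". Treat it as outside instead.
		if filepath.Base(path) == ".." {
			break
		}
	}
	return fmt.Errorf("path is outside of trusted root")
}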
// VerifyPath checks that path, interpreted relative to basePath, stays
// inside basePath. It returns nil when the joined and cleaned location has
// basePath as an ancestor directory, and the error from inTrustedRoot
// otherwise.
//
// The check is lexical only: both values are normalized with filepath.Clean
// and compared as strings, and nothing is resolved on disk. A symbolic link
// under basePath that points elsewhere is therefore not detected here.
func VerifyPath(path, basePath string) error {
	root := filepath.Clean(basePath)
	// Join anchors path under basePath; Clean collapses any "." and ".."
	// elements before the containment check.
	target := filepath.Clean(filepath.Join(basePath, path))
	return inTrustedRoot(target, root)
}
// SanitizeFileName reduces fileName to a single path element: the input is
// cleaned, everything up to the last separator is dropped, and any ".."
// sequence remaining in that element is removed.
//
// The result is not guaranteed to be a usable file name. An input of ".."
// yields "", an empty input or "." yields ".", and an input made only of
// separators yields a single separator, so callers should reject those
// values before joining the result onto a directory.
func SanitizeFileName(fileName string) string {
	// Normalize first, then keep only the final element so no directory
	// part of the input survives.
	lastElem := filepath.Base(filepath.Clean(fileName))
	// Drop ".." sequences that are still embedded in the element itself.
	return strings.ReplaceAll(lastElem, "..", "")
}