From 2dc1fa247424ad962cdddbc1d440ae7c56c32095 Mon Sep 17 00:00:00 2001
From: Dave <dave@gray101.com>
Date: Fri, 26 Apr 2024 12:46:35 -0400
Subject: [PATCH] fix: `config_file_watcher.go` - root all file reads for
 safety (#2144)

callHandler() now has all file access rooted within DynamicConfigDir

Signed-off-by: Dave Lee <dave@gray101.com>
---
 core/startup/config_file_watcher.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/core/startup/config_file_watcher.go b/core/startup/config_file_watcher.go
index 800059d0..6bbb367f 100644
--- a/core/startup/config_file_watcher.go
+++ b/core/startup/config_file_watcher.go
@@ -21,7 +21,6 @@ type configFileHandler struct {
 
 	watcher *fsnotify.Watcher
 
-	configDir string
 	appConfig *config.ApplicationConfig
 }
 
@@ -30,7 +29,6 @@ type configFileHandler struct {
 func newConfigFileHandler(appConfig *config.ApplicationConfig) configFileHandler {
 	c := configFileHandler{
 		handlers:  make(map[string]fileHandler),
-		configDir: appConfig.DynamicConfigsDir,
 		appConfig: appConfig,
 	}
 	c.Register("api_keys.json", readApiKeysJson(*appConfig), true)
@@ -45,16 +43,17 @@ func (c *configFileHandler) Register(filename string, handler fileHandler, runNo
 	}
 	c.handlers[filename] = handler
 	if runNow {
-		c.callHandler(path.Join(c.appConfig.DynamicConfigsDir, filename), handler)
+		c.callHandler(filename, handler)
 	}
 	return nil
 }
 
 func (c *configFileHandler) callHandler(filename string, handler fileHandler) {
-	log.Trace().Str("filename", filename).Msg("reading file for dynamic config update")
-	fileContent, err := os.ReadFile(filename)
+	rootedFilePath := filepath.Join(c.appConfig.DynamicConfigsDir, filepath.Clean(filename))
+	log.Trace().Str("filename", rootedFilePath).Msg("reading file for dynamic config update")
+	fileContent, err := os.ReadFile(rootedFilePath)
 	if err != nil && !os.IsNotExist(err) {
-		log.Error().Err(err).Str("filename", filename).Msg("could not read file")
+		log.Error().Err(err).Str("filename", rootedFilePath).Msg("could not read file")
 	}
 
 	if err = handler(fileContent, c.appConfig); err != nil {
@@ -66,7 +65,8 @@ func (c *configFileHandler) Watch() error {
 	configWatcher, err := fsnotify.NewWatcher()
 	c.watcher = configWatcher
 	if err != nil {
-		log.Fatal().Err(err).Str("configdir", c.configDir).Msg("wnable to create a watcher for configuration directory")
+		log.Fatal().Err(err).Str("configdir", c.appConfig.DynamicConfigsDir).Msg("unable to create a watcher for configuration directory")
+
 	}
 
 	if c.appConfig.DynamicConfigsDirPollInterval > 0 {
@@ -77,7 +77,7 @@ func (c *configFileHandler) Watch() error {
 				<-ticker.C
 				for file, handler := range c.handlers {
 					log.Debug().Str("file", file).Msg("polling config file")
-					c.callHandler(filepath.Join(c.appConfig.DynamicConfigsDir, file), handler)
+					c.callHandler(file, handler)
 				}
 			}
 		}()
@@ -97,7 +97,7 @@ func (c *configFileHandler) Watch() error {
 						continue
 					}
 
-					c.callHandler(event.Name, handler)
+					c.callHandler(filepath.Base(event.Name), handler)
 				}
 			case err, ok := <-c.watcher.Errors:
 				log.Error().Err(err).Msg("config watcher error received")