UploadFormFiles: CWE-99

This commit is contained in:
Gerasimos (Makis) Maropoulos 2023-10-24 15:32:06 +03:00
parent d5a29fad6c
commit 1d0ad5bf8e
No known key found for this signature in database
GPG Key ID: B9839E9CD30B7B6B


@ -2428,7 +2428,32 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
}
}
n0, err0 := ctx.SaveFormFile(file, filepath.Join(destDirectory, file.Filename))
// CWE-99.
// Sanitize the user input by removing any path separators.
sanitizedInput := strings.ReplaceAll(file.Filename, string(os.PathSeparator), "")
// Join the sanitized input with the destination directory.
destPath := filepath.Join(destDirectory, sanitizedInput)
// Get the canonical path of the destination.
canonicalDestPath, err := filepath.EvalSymlinks(destPath)
if err != nil {
return nil, 0, err
}
// Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(destDirectory)
if err != nil {
return nil, 0, err
}
// Check if the destination path is within the destination directory.
if !strings.HasPrefix(canonicalDestPath, canonicalDestDir) {
// Reject the input as it is a path traversal attempt.
continue innerLoop
}
n0, err0 := ctx.SaveFormFile(file, destPath)
if err0 != nil {
return nil, 0, err0
}