go-packages/iris
1
0
Fork 0
mirror of https://github.com/kataras/iris.git synced 2025-02-02 15:30:36 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

CI and Context

Browse Source
This commit is contained in:
Gerasimos (Makis) Maropoulos 2023-10-24 15:52:13 +03:00
parent 1d0ad5bf8e
commit 8b46dafb76
No known key found for this signature in database
GPG Key ID: B9839E9CD30B7B6B
2 changed files with 31 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/ci.yml vendored
View File

@ -26,7 +26,9 @@ jobs:
- name: Set up Go 1.x - name: Set up Go 1.x
uses: actions/setup-go@v4 uses: actions/setup-go@v4
with: with:
go-version: ${{ matrix.go_version }} go-version-file: './go.mod'
check-latest: true
- run: go version
- name: Test - name: Test
run: go test -v ./... run: go test -v ./...

36
context/context.go
View File

@ -2380,6 +2380,15 @@ func (ctx *Context) FormFiles(key string, before ...func(*Context, *multipart.Fi
return nil, nil, http.ErrMissingFile return nil, nil, http.ErrMissingFile
} }
var (
// ValidFileNameRegexp is used to validate the user input by using a regular expression.
// See `Context.UploadFormFiles` method.
ValidFilenameRegexp = regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
// ValidExtensionRegexp acts as an allowlist of valid extensions. It's optional. Defaults to nil (all file extensions are allowed to be uploaded).
// See `Context.UploadFormFiles` method.
ValidExtensionRegexp *regexp.Regexp
)
// UploadFormFiles uploads any received file(s) from the client // UploadFormFiles uploads any received file(s) from the client
// to the system physical location "destDirectory". // to the system physical location "destDirectory".
// //
@ -2418,24 +2427,35 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
for _, files := range fhs { for _, files := range fhs {
innerLoop: innerLoop:
for _, file := range files { for _, file := range files {
// Security fix for go < 1.17.5:
// Reported by Kirill Efimov (snyk.io) through security reports.
file.Filename = filepath.Base(file.Filename)
for _, b := range before { for _, b := range before {
if !b(ctx, file) { if !b(ctx, file) {
continue innerLoop continue innerLoop
} }
} }
// Security fix for go < 1.17.5:
// Reported by Kirill Efimov (snyk.io) through security reports.
filename := filepath.Base(filepath.ToSlash(file.Filename))
// CWE-99. // CWE-99.
// Sanitize the user input by removing any path separators.
sanitizedInput := strings.ReplaceAll(file.Filename, string(os.PathSeparator), "") // Sanitize the user input by using a regular expression
// and an allowlist of valid extensions
isValidFilename := ValidFilenameRegexp.MatchString(filename)
if !isValidFilename {
// Reject the input as it is invalid or unsafe.
continue innerLoop
}
if ValidExtensionRegexp != nil && !ValidExtensionRegexp.MatchString(filename) {
// Reject the input as it is invalid or unsafe.
continue innerLoop
}
// Join the sanitized input with the destination directory. // Join the sanitized input with the destination directory.
destPath := filepath.Join(destDirectory, sanitizedInput) destPath := filepath.Join(destDirectory, filename)
// Get the canonical path of the destination. // Get the canonical path of the destination
canonicalDestPath, err := filepath.EvalSymlinks(destPath) canonicalDestPath, err := filepath.EvalSymlinks(destPath)
if err != nil { if err != nil {
return nil, 0, err return nil, 0, err