all: use securejoin for path joining
Anirudh Oppiliappan x@icyphox.sh
Sat, 15 Feb 2025 11:07:29 +0200
2 files changed, 73 insertions(+), 11 deletions(-)
M routes/git.go → routes/git.go
@@ -8,13 +8,19 @@ "net/http" "path/filepath" "git.icyphox.sh/legit/git/service" + securejoin "github.com/cyphar/filepath-securejoin" ) func (d *deps) InfoRefs(w http.ResponseWriter, r *http.Request) { name := r.PathValue("name") name = filepath.Clean(name) - repo := filepath.Join(d.c.Repo.ScanPath, name) + repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } w.Header().Set("content-type", "application/x-git-upload-pack-advertisement") w.WriteHeader(http.StatusOK) @@ -35,7 +41,12 @@ func (d *deps) UploadPack(w http.ResponseWriter, r *http.Request) { name := r.PathValue("name") name = filepath.Clean(name) - repo := filepath.Join(d.c.Repo.ScanPath, name) + repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } w.Header().Set("content-type", "application/x-git-upload-pack-result") w.Header().Set("Connection", "Keep-Alive")
M routes/routes.go → routes/routes.go
@@ -15,6 +15,7 @@ "time" "git.icyphox.sh/legit/config" "git.icyphox.sh/legit/git" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/dustin/go-humanize" "github.com/microcosm-cc/bluemonday" "github.com/russross/blackfriday/v2" @@ -45,7 +46,13 @@ if !dir.IsDir() || d.isIgnored(name) || d.isUnlisted(name) { continue } - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } + gr, err := git.Open(path, "") if err != nil { log.Println(err) @@ -92,7 +99,12 @@ d.Write404(w) return } name = filepath.Clean(name) - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } gr, err := git.Open(path, "") if err != nil { @@ -177,7 +189,12 @@ treePath := r.PathValue("rest") ref := r.PathValue("ref") name = filepath.Clean(name) - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } gr, err := git.Open(path, ref) if err != nil { d.Write404(w) @@ -218,7 +235,13 @@ treePath := r.PathValue("rest") ref := r.PathValue("ref") name = filepath.Clean(name) - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } + gr, err := git.Open(path, ref) if err != nil { d.Write404(w) @@ -271,7 +294,13 @@ filename := fmt.Sprintf("%s-%s.tar.gz", name, ref) setContentDisposition(w, filename) setGZipMIME(w) - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } + gr, err := git.Open(path, ref) if err != nil { d.Write404(w) @@ -307,7 +336,13 @@ return } ref := r.PathValue("ref") - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } + gr, err := git.Open(path, ref) if err != nil { d.Write404(w) @@ -347,7 +382,12 @@ return } ref := r.PathValue("ref") - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } gr, err := git.Open(path, ref) if err != nil { d.Write404(w) @@ -388,7 +428,13 @@ d.Write404(w) return } - path := filepath.Join(d.c.Repo.ScanPath, name) + path, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name) + if err != nil { + log.Printf("securejoin error: %v", err) + d.Write404(w) + return + } + gr, err := git.Open(path, "") if err != nil { d.Write404(w) @@ -428,7 +474,12 @@ } func (d *deps) ServeStatic(w http.ResponseWriter, r *http.Request) { f := r.PathValue("file") - f = filepath.Clean(filepath.Join(d.c.Dirs.Static, f)) + f = filepath.Clean(f) + f, err := securejoin.SecureJoin(d.c.Dirs.Static, f) + if err != nil { + d.Write404(w) + return + } http.ServeFile(w, r, f) }