diff options
| author | Unknwon <u@gogs.io> | 2018-12-25 09:45:20 -0500 |
|---|---|---|
| committer | Unknwon <u@gogs.io> | 2018-12-25 09:47:33 -0500 |
| commit | 5f1f1bb5ed3c9916f11016942b9f553ef4fb72a9 (patch) | |
| tree | 626d65ac7a5e9f10a3c36ed1650a1457af5cc42c /pkg/tool/path.go | |
| parent | 9ff2df78f02fb09106b33beb7e4c644f86c30c6f (diff) | |
pkg/tool/path: use IsMaliciousPath to replace SanitizePath (#5558)
Diffstat (limited to 'pkg/tool/path.go')
| -rw-r--r-- | pkg/tool/path.go | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/pkg/tool/path.go b/pkg/tool/path.go index e8f7bcbe..e95bba8b 100644 --- a/pkg/tool/path.go +++ b/pkg/tool/path.go @@ -5,6 +5,7 @@ package tool import ( + "path/filepath" "strings" ) @@ -15,10 +16,8 @@ func IsSameSiteURLPath(url string) bool { return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\' } -// SanitizePath sanitizes user-defined file paths to prevent remote code execution. -func SanitizePath(path string) string { - path = strings.TrimLeft(path, "/") - path = strings.Replace(path, "../", "", -1) - path = strings.Replace(path, "..\\", "", -1) - return path +// IsMaliciousPath returns true if given path is an absolute path or contains malicious content +// which has potential to traverse upper level directories. +func IsMaliciousPath(path string) bool { + return filepath.IsAbs(path) || strings.Contains(path, "..") } |