Diffstat (limited to 'pkg/tool/path.go')
-rw-r--r--pkg/tool/path.go11
1 files changed, 5 insertions, 6 deletions
diff --git a/pkg/tool/path.go b/pkg/tool/path.go
index e8f7bcbe..e95bba8b 100644
--- a/pkg/tool/path.go
+++ b/pkg/tool/path.go
@@ -5,6 +5,7 @@
package tool
import (
+ "path/filepath"
"strings"
)
@@ -15,10 +16,8 @@ func IsSameSiteURLPath(url string) bool {
return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}
-// SanitizePath sanitizes user-defined file paths to prevent remote code execution.
-func SanitizePath(path string) string {
- path = strings.TrimLeft(path, "/")
- path = strings.Replace(path, "../", "", -1)
- path = strings.Replace(path, "..\\", "", -1)
- return path
+// IsMaliciousPath returns true if given path is an absolute path or contains malicious content
+// which has potential to traverse upper level directories.
+func IsMaliciousPath(path string) bool {
+ return filepath.IsAbs(path) || strings.Contains(path, "..")
}
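Review bot: `IsMaliciousPath` is a denylist predicate whose result depends on the host platform and on how the caller obtained `path`, and the doc comment on the new lines does not say so. `filepath.IsAbs` only recognizes the current OS's absolute forms, so on a non-Windows build a value such as `C:\x` or `\\host\share` is reported as non-absolute, and the `strings.Contains(path, "..")` test is applied to the raw string, so a caller that passes an encoded or not-yet-normalized value should decode it first; it also rejects harmless names like `a..b`, and an empty string returns false. I would add after the existing comment: `// The check is conservative (any ".." substring is rejected, including names such as "a..b") and IsAbs is platform-specific; callers must pass the decoded, final form of the path and treat an empty string separately.` The old `SanitizePath` silently stripped `../`, so callers that relied on it being a transformation now need to branch on this boolean and reject the path themselves.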