starred/godoxy-yusing
1
0
Fork 0
mirror of https://github.com/yusing/godoxy.git synced 2026-04-23 16:58:31 +02:00
Code Issues 18 Packages Projects Releases 10 Wiki Activity

fix(api/file): prevent path traversal in file API

Browse Source 
Use os.OpenRoot to restrict file access to the application root,
preventing directory traversal attacks through the file download endpoint.

Also add test to verify path traversal attempts are blocked.
This commit is contained in:
yusing
2026-03-19 10:50:58 +08:00
parent f67ef3c519
commit a541d75bb5
2 changed files with 77 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/api/v1/file/get.go
View File

@@ -1,6 +1,7 @@
package fileapi
import (
"io"
"net/http"
"os"
"path"
@@ -44,7 +45,14 @@ func Get(c *gin.Context) {
return
}
content, err := os.ReadFile(request.FileType.GetPath(request.Filename))
f, err := os.OpenInRoot(".", request.FileType.GetPath(request.Filename))
if err != nil {
c.Error(apitypes.InternalServerError(err, "failed to open root"))
return
}
defer f.Close()
content, err := io.ReadAll(f)
if err != nil {
c.Error(apitypes.InternalServerError(err, "failed to read file"))
return