security: sanitize path and uri

2026-03-21 00:29:03 +01:00 · 2025-03-22 23:53:33 +08:00
parent 4a5e0b8d81
commit f3840d56af
5 changed files with 106 additions and 11 deletions
--- a/internal/utils/strutils/filepath.go
+++ b/internal/utils/strutils/filepath.go
@@ -0,0 +1,11 @@
+package strutils
+
+import "strings"
+
+// IsValidFilename checks if a filename is safe and doesn't contain path traversal attempts
+// Returns true if the filename is valid, false otherwise
+func IsValidFilename(filename string) bool {
+	return !strings.Contains(filename, "/") &&
+		!strings.Contains(filename, "\\") &&
+		!strings.Contains(filename, "..")
+}
--- a/internal/utils/strutils/url.go
+++ b/internal/utils/strutils/url.go
@@ -0,0 +1,20 @@
+package strutils
+
+import "path"
+
+// SanitizeURI sanitizes a URI reference to ensure it is safe
+// It disallows URLs beginning with // or /\ as absolute URLs,
+// cleans the URL path to remove any .. or . path elements,
+// and ensures the URL starts with a / if it doesn't already
+func SanitizeURI(uri string) string {
+	if uri == "" {
+		return "/"
+	}
+	if uri[0] != '/' {
+		uri = "/" + uri
+	}
+	if len(uri) > 1 && uri[0] == '/' && uri[1] != '/' && uri[1] != '\\' {
+		return path.Clean(uri)
+	}
+	return "/"
+}
--- a/internal/utils/strutils/url_test.go
+++ b/internal/utils/strutils/url_test.go
@@ -0,0 +1,63 @@
+package strutils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSanitizeURI(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "/",
+		},
+		{
+			name:     "single slash",
+			input:    "/",
+			expected: "/",
+		},
+		{
+			name:     "normal path",
+			input:    "/path/to/resource",
+			expected: "/path/to/resource",
+		},
+		{
+			name:     "path without leading slash",
+			input:    "path/to/resource",
+			expected: "/path/to/resource",
+		},
+		{
+			name:     "path with dot segments",
+			input:    "/path/./to/../resource",
+			expected: "/path/resource",
+		},
+		{
+			name:     "double slash prefix",
+			input:    "//path/to/resource",
+			expected: "/",
+		},
+		{
+			name:     "backslash prefix",
+			input:    "/\\path/to/resource",
+			expected: "/",
+		},
+		{
+			name:     "path with multiple slashes",
+			input:    "/path//to///resource",
+			expected: "/path/to/resource",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := SanitizeURI(tt.input)
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}