pkg/tool/path.go

// Copyright 2018 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package tool

import (
	"strings"
)

// IsSameSiteURLPath returns true if the URL path belongs to the same site, false otherwise.
// False: //url, http://url, /\url
// True: /url
func IsSameSiteURLPath(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

// SanitizePath sanitizes user-defined file paths to prevent remote code execution.
func SanitizePath(path string) string {
	return strings.TrimLeft(path, "./")
}
routes: fix open redirect vulnerability (#5355) Reported by @cezar97. 2018-09-28 23:19:08 -04:00			`// Copyright 2018 The Gogs Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package tool`

models/repo_editor: sanitize user-defined file name to prevent RCE (#5558) Reported by PentesterLab (https://pentesterlab.com). 2018-12-18 01:31:04 -05:00			`import (`
			`"strings"`
			`)`

routes: fix open redirect vulnerability (#5355) Reported by @cezar97. 2018-09-28 23:19:08 -04:00			`// IsSameSiteURLPath returns true if the URL path belongs to the same site, false otherwise.`
			`// False: //url, http://url, /\url`
			`// True: /url`
			`func IsSameSiteURLPath(url string) bool {`
			`return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'`
			`}`
models/repo_editor: sanitize user-defined file name to prevent RCE (#5558) Reported by PentesterLab (https://pentesterlab.com). 2018-12-18 01:31:04 -05:00
			`// SanitizePath sanitizes user-defined file paths to prevent remote code execution.`
			`func SanitizePath(path string) string {`
			`return strings.TrimLeft(path, "./")`
			`}`