pkg/tool: improve SanitizePath (#5558)

2026-01-09 08:52:39 +01:00 · 2018-12-18 01:38:08 -05:00
parent 86ada87529
commit ff93d9dbda
4 changed files with 6 additions and 3 deletions
--- a/pkg/tool/path.go
+++ b/pkg/tool/path.go
@@ -17,5 +17,7 @@ func IsSameSiteURLPath(url string) bool {

 // SanitizePath sanitizes user-defined file paths to prevent remote code execution.
 func SanitizePath(path string) string {
-	return strings.TrimLeft(path, "./")
+	path = strings.TrimLeft(path, "/")
+	path = strings.Replace(path, "../", "", -1)
+	return path
 }
--- a/pkg/tool/path_test.go
+++ b/pkg/tool/path_test.go
@@ -38,6 +38,7 @@ func Test_SanitizePath(t *testing.T) {
 			expect string
 		}{
 			{"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},
+			{"data/gogs/../../../../../../../../../data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},

 			{"data/sessions/a/9/a9f0ab6c3ef63dd8", "data/sessions/a/9/a9f0ab6c3ef63dd8"},
 		}