fix(serverHandler): prevent mutation from parent directory

marjune163 · marjune163 · commit 98f43209587b · 2020-12-30T14:32:27.000+08:00
When passing file path for Upload, Mkdir and Delete, treat parent
directory path as illegal path.
diff --git a/src/serverHandler/delete.go b/src/serverHandler/delete.go
@@ -1,14 +1,24 @@
 package serverHandler
 
 import (
+	"errors"
 	"os"
 )
 
 func (h *handler) deleteItems(fsPrefix string, files []string, aliasSubItems []os.FileInfo) bool {
 	errs := []error{}
 
-	for _, filename := range files {
-		if containsItem(aliasSubItems, filename) {
+	for _, inputFilename := range files {
+		if len(inputFilename) == 0 {
+			continue
+		}
+
+		var filename string
+		var ok bool
+		if filename, ok = getCleanFilePath(inputFilename); !ok {
+			errs = append(errs, errors.New("delete: illegal item name "+inputFilename))
+			continue
+		} else if containsItem(aliasSubItems, filename) {
 			continue
 		}
 		err := os.RemoveAll(fsPrefix + "/" + filename)
diff --git a/src/serverHandler/mkdir.go b/src/serverHandler/mkdir.go
@@ -1,14 +1,22 @@
 package serverHandler
 
 import (
+	"errors"
 	"os"
 )
 
 func (h *handler) mkdirs(fsPrefix string, files []string, aliasSubItems []os.FileInfo) bool {
 	errs := []error{}
 
-	for _, filename := range files {
-		if len(filename) == 0 {
+	for _, inputFilename := range files {
+		if len(inputFilename) == 0 {
+			continue
+		}
+
+		var filename string
+		var ok bool
+		if filename, ok = getCleanFilePath(inputFilename); !ok {
+			errs = append(errs, errors.New("mkdir: illegal directory name "+inputFilename))
 			continue
 		} else if containsItem(aliasSubItems, filename) {
 			continue
diff --git a/src/serverHandler/upload.go b/src/serverHandler/upload.go
@@ -58,11 +58,13 @@ func (h *handler) saveUploadFiles(fsPrefix string, createDir, overwriteExists bo
 			break
 		}
 
-		partFilename := path.Clean(strings.Replace(part.FileName(), "\\", "/", -1))
-		if partFilename[0] == '/' {
-			partFilename = partFilename[1:]
+		inputPartFilename := part.FileName()
+		if len(inputPartFilename) == 0 {
+			continue
 		}
-		if len(partFilename) == 0 {
+		partFilename, ok := getCleanDirFilePath(inputPartFilename)
+		if !ok {
+			errs = append(errs, errors.New("upload: illegal file name "+inputPartFilename))
 			continue
 		}
 
diff --git a/src/serverHandler/util.go b/src/serverHandler/util.go
@@ -3,6 +3,8 @@ package serverHandler
 import (
 	"net/http"
 	"os"
+	"path"
+	"strings"
 )
 
 func needResponseBody(method string) bool {
@@ -20,3 +22,17 @@ func containsItem(infos []os.FileInfo, name string) bool {
 	}
 	return false
 }
+
+func getCleanFilePath(requestPath string) (filePath string, ok bool) {
+	filePath = path.Clean(requestPath)
+	ok = filePath == path.Base(filePath)
+
+	return
+}
+
+func getCleanDirFilePath(requestPath string) (filePath string, ok bool) {
+	filePath = path.Clean(strings.Replace(requestPath, "\\", "/", -1))
+	ok = filePath[0] != '/' && filePath != "." && filePath != ".." && !strings.HasPrefix(filePath, "../")
+
+	return
+}
diff --git a/src/serverHandler/util_test.go b/src/serverHandler/util_test.go
@@ -0,0 +1,73 @@
+package serverHandler
+
+import "testing"
+
+func TestGetCleanFilePath(t *testing.T) {
+	var cleanPath string
+	var ok bool
+
+	cleanPath, ok = getCleanFilePath("file1")
+	if cleanPath != "file1" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanFilePath("./file2")
+	if cleanPath != "file2" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanFilePath("./dir/file3")
+	if ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanFilePath("dir/file4")
+	if ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanFilePath("../file5")
+	if ok {
+		t.Error(cleanPath, ok)
+	}
+}
+
+func TestGetCleanDirFilePath(t *testing.T) {
+	var cleanPath string
+	var ok bool
+
+	cleanPath, ok = getCleanDirFilePath("file1")
+	if cleanPath != "file1" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("./file2")
+	if cleanPath != "file2" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("./dir/file3")
+	if cleanPath != "dir/file3" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("dir/file4")
+	if cleanPath != "dir/file4" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("dir1/../dir2/file5")
+	if cleanPath != "dir2/file5" || !ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("dir1/../../dir2/file6")
+	if ok {
+		t.Error(cleanPath, ok)
+	}
+
+	cleanPath, ok = getCleanDirFilePath("../file5")
+	if ok {
+		t.Error(cleanPath, ok)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -58,11 +58,13 @@ func (h *handler) saveUploadFiles(fsPrefix string, createDir, overwriteExists bo`
`58`	`58`	`break`
`59`	`59`	`}`
`60`	`60`
`61`		`- partFilename := path.Clean(strings.Replace(part.FileName(), "\\", "/", -1))`
`62`		`- if partFilename[0] == '/' {`
`63`		`- partFilename = partFilename[1:]`
	`61`	`+ inputPartFilename := part.FileName()`
	`62`	`+ if len(inputPartFilename) == 0 {`
	`63`	`+ continue`
`64`	`64`	`}`
`65`		`- if len(partFilename) == 0 {`
	`65`	`+ partFilename, ok := getCleanDirFilePath(inputPartFilename)`
	`66`	`+ if !ok {`
	`67`	`+ errs = append(errs, errors.New("upload: illegal file name "+inputPartFilename))`
`66`	`68`	`continue`
`67`	`69`	`}`
`68`	`70`