models/repo_editor: sanitize user-defined file name to prevent RCE (#5558)

Reported by PentesterLab (https://pentesterlab.com).
This commit is contained in:
Unknwon
2018-12-18 01:31:04 -05:00
parent d74437af57
commit 86ada87529
4 changed files with 31 additions and 6 deletions


@@ -4,9 +4,18 @@
package tool
import (
"strings"
)
// IsSameSiteURLPath returns true if the URL path belongs to the same site, false otherwise.
// False: //url, http://url, /\url
// True: /url
func IsSameSiteURLPath(url string) bool {
return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}
// SanitizePath sanitizes user-defined file paths to prevent remote code execution.
func SanitizePath(path string) string {
return strings.TrimLeft(path, "./")
}
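Review bot: `strings.TrimLeft(path, "./")` on the return line only strips a leading run of `.` and `/` characters, so a traversal whose `..` follows a normal component, such as `data/../../../etc/passwd`, passes through unchanged, and the cutset trim also mangles legitimate dotfiles (`.gitignore` becomes `gitignore`). Normalising instead of trimming closes both gaps: rename the parameter so it does not shadow the `path` package and `return strings.TrimPrefix(path.Clean("/"+p), "/")` — anchoring at a virtual root makes `path.Clean` collapse every `..` into `/`, so the result is a relative path that cannot climb above the base directory, and both existing test expectations still hold. The doc comment would be more accurate as `// SanitizePath normalises a user-supplied relative path so it cannot traverse outside the base directory.`, since the sanitizer itself prevents path traversal rather than code execution directly. This needs `import "path"` in the import block; the caller in models/repo_editor is outside this page and still has to join the result against the repository directory rather than any other user-controlled base.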


@@ -30,3 +30,19 @@ func Test_IsSameSiteURLPath(t *testing.T) {
}
})
}
func Test_SanitizePath(t *testing.T) {
Convey("Sanitize malicious user-defined path", t, func() {
testCases := []struct {
path string
expect string
}{
{"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},
{"data/sessions/a/9/a9f0ab6c3ef63dd8", "data/sessions/a/9/a9f0ab6c3ef63dd8"},
}
for _, tc := range testCases {
So(SanitizePath(tc.path), ShouldEqual, tc.expect)
}
})
}
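Review bot: The two table entries only exercise a leading `../` run, so they would not catch a traversal whose `..` follows a normal component, nor a regression that strips legitimate dotfiles; add `{"data/../../../etc/passwd", "etc/passwd"}` and `{".gitignore", ".gitignore"}` to the table. Both fail against the sanitizer as committed (`strings.TrimLeft` leaves the first input unchanged and turns the second into `gitignore`), which is exactly the gap the extra cases document. The expected values assume the sanitizer normalises via `path.Clean` against a virtual root; adjust them if a different strategy is chosen, but keep the inputs.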