Remove double dots (..) from user provided data
jadolg committed May 26, 2022
1 parent 2f872d2 commit 95eb5c4
Showing 7 changed files with 24 additions and 10 deletions.
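--- a/cmd/DockerImageSaveServer/handlers.go
+++ b/cmd/DockerImageSaveServer/handlers.go
@@ -66,9 +66,10 @@ func SaveImageHandler(w http.ResponseWriter, r *http.Request) {
 params := mux.Vars(r)
 
 user := dockerimagesave.Sanitize(params["user"])
+user = dockerimagesave.RemoveDoubleDots(user)
 imageID := dockerimagesave.Sanitize(params["id"])
 cleanImageID := strings.Replace(imageID, ":", "_", 1)
-imageName := cleanImageID
+imageName := dockerimagesave.RemoveDoubleDots(cleanImageID)
 
 if user != "" {
 imageID = user + "/" + imageID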
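Review bot: `imageID` keeps any `..` that arrived in `params["id"]`, because only `user` and the derived `imageName` pass through `RemoveDoubleDots`, and the unchanged `imageID = user + "/" + imageID` carries the raw id forward. The rest of `SaveImageHandler` lies outside the hunk, so where `imageID` ends up is not visible here, but the identifier handed on and the file name derived from it can now disagree. Rejecting the request is easier to reason about than rewriting it, for example `if strings.Contains(params["user"], "..") || strings.Contains(params["id"], "..") { http.Error(w, "invalid image reference", http.StatusBadRequest); return }` before any name is built. The id-to-file-name mapping is also spelled out separately here and in `SaveImage` (docker.go), so a single shared helper would keep the two from drifting.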
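--- a/docker.go
+++ b/docker.go
@@ -55,6 +55,7 @@ func SaveImage(imageid string, folder string) error {
 }
 imageFileName := strings.ReplaceAll(imageid, "/", "_")
 imageFileName = strings.Replace(imageFileName, ":", "_", 1)
+imageFileName = RemoveDoubleDots(imageFileName)
 f, err := os.Create(folder + "/" + imageFileName + ".tar")
 if err != nil {
 return err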
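--- a/files.go
+++ b/files.go
@@ -7,6 +7,7 @@ import (
 
 // GetFileSize gets the size of a file
 func GetFileSize(afile string) int64 {
+afile = RemoveDoubleDots(afile)
 fi, err := os.Stat(afile)
 if err != nil {
 log.Print(err)
@@ -17,6 +18,7 @@ func GetFileSize(afile string) int64 {
 
 //FileExists checks if a file exists
 func FileExists(afile string) bool {
+afile = RemoveDoubleDots(afile)
 if _, err := os.Stat(afile); os.IsNotExist(err) {
 return false
 }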
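Review bot: `GetFileSize` and `FileExists` now stat a different path from the one the caller passed whenever it contains `..`, so a legitimate relative path such as `../data/x.tar` silently becomes `./data/x.tar` and the answer describes another file. The rewrite leaves absolute paths untouched, so it is not a confinement check either. Path policy is better enforced once, where untrusted input enters, with these helpers left as plain wrappers. If confinement is wanted at this level, resolve against the intended base directory and compare, e.g. `rel, err := filepath.Rel(base, filepath.Clean(p))` and reject when `rel` is `..` or begins with `../` (`base` and `p` are placeholders here). The same concern applies to the two `RemoveDoubleDots` calls added to `ZipFiles` in zipfile.go.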
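--- a/files_test.go
+++ b/files_test.go
@@ -1,17 +1,14 @@
 package dockerimagesave
 
 import (
+"github.com/stretchr/testify/assert"
 "testing"
 )
 
 func TestGetFileSize(t *testing.T) {
-if GetFileSize("zipfile.go") != 1033 {
-t.Fail()
-}
+assert.Equal(t, int64(1088), GetFileSize("zipfile.go"))
 }
 
 func TestFileExists(t *testing.T) {
-if !FileExists("zipfile.go") {
-t.Fail()
-}
+assert.True(t, FileExists("zipfile.go"))
 }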
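Review bot: The expected value `int64(1088)` in `TestGetFileSize` is tied to the byte length of zipfile.go, so the test breaks on every edit to that source file; this commit already had to move it from 1033. A fixture with known content keeps the assertion stable, e.g. `p := filepath.Join(t.TempDir(), "f")` and `os.WriteFile(p, []byte("abc"), 0o600)` followed by `assert.Equal(t, int64(3), GetFileSize(p))`. Neither test passes a path containing `..`, so the call added to `GetFileSize` and `FileExists` is not exercised here.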
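--- a/stringutils.go
+++ b/stringutils.go
@@ -7,3 +7,11 @@ func Sanitize(s string) string {
 escapedString = strings.Replace(escapedString, "\r", "", -1)
 return escapedString
 }
+
+func RemoveDoubleDots(s string) string {
+escapedString := strings.ReplaceAll(s, "..", ".")
+for strings.Contains(escapedString, "..") {
+escapedString = strings.ReplaceAll(escapedString, "..", ".")
+}
+return escapedString
+}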
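Review bot: `RemoveDoubleDots` collapses runs of dots but is not a traversal guard on its own: absolute paths and anything without `..` pass through unchanged, and harmless names that contain `..` are silently altered. It is exported without a doc comment; I would add `// RemoveDoubleDots collapses every run of two or more dots in s into a single dot. It does not confine s to a directory.` so callers do not over-trust it. The `ReplaceAll` before the loop is redundant, since the loop performs the same replacement until none remain: `for strings.Contains(s, "..") { s = strings.ReplaceAll(s, "..", ".") }` followed by `return s`. The local name `escapedString` also misdescribes a value that has been rewritten rather than escaped.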
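--- a/stringutils_test.go
+++ b/stringutils_test.go
@@ -9,3 +9,9 @@ func TestSanitizer(t *testing.T) {
 s := "test string\n\r"
 assert.Equal(t, "test string", Sanitize(s))
 }
+
+func TestRemoveDots(t *testing.T) {
+assert.Equal(t, "asd/././ppp.a", RemoveDoubleDots("asd/../../ppp.a"))
+assert.Equal(t, "asd/././ppp.a", RemoveDoubleDots("asd/.../.../ppp.a"))
+assert.Equal(t, "asdppp.a", RemoveDoubleDots("asdppp.a"))
+}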
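Review bot: `TestRemoveDots` pins the rewrite for relative inputs only, so nothing records how the function treats the inputs it leaves untouched. Adding `assert.Equal(t, "/abs/ppp.a", RemoveDoubleDots("/abs/ppp.a"))` and `assert.Equal(t, "", RemoveDoubleDots(""))` would document that absolute paths and the empty string pass through as they are. That matters to any caller treating this function as a path check.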
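--- a/zipfile.go
+++ b/zipfile.go
@@ -10,7 +10,7 @@ import (
 
 // ZipFiles compresses one or many files into a single zip archive file
 func ZipFiles(filename string, files []string) error {
-
+filename = RemoveDoubleDots(filename)
 newfile, err := os.Create(filename)
 if err != nil {
 return err
@@ -22,8 +22,7 @@ func ZipFiles(filename string, files []string) error {
 
 // Add files to zip
 for _, file := range files {
-
-zipfile, err := os.Open(file)
+zipfile, err := os.Open(RemoveDoubleDots(file))
 if err != nil {
 return err
 }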
