diff --git a/cmd/DockerImageSaveServer/handlers.go b/cmd/DockerImageSaveServer/handlers.go
index 4ef9817..13913e0 100644
--- a/cmd/DockerImageSaveServer/handlers.go
+++ b/cmd/DockerImageSaveServer/handlers.go
@@ -66,9 +66,10 @@ func SaveImageHandler(w http.ResponseWriter, r *http.Request) {
 params := mux.Vars(r)
 user := dockerimagesave.Sanitize(params["user"])
+ user = dockerimagesave.RemoveDoubleDots(user)
 imageID := dockerimagesave.Sanitize(params["id"])
 cleanImageID := strings.Replace(imageID, ":", "_", 1)
- imageName := cleanImageID
+ imageName := dockerimagesave.RemoveDoubleDots(cleanImageID)
 if user != "" {
 imageID = user + "/" + imageID
diff --git a/docker.go b/docker.go
index 9dc94d6..a0f7d98 100644
--- a/docker.go
+++ b/docker.go
@@ -55,6 +55,7 @@ func SaveImage(imageid string, folder string) error {
 }
 imageFileName := strings.ReplaceAll(imageid, "/", "_")
 imageFileName = strings.Replace(imageFileName, ":", "_", 1)
+ imageFileName = RemoveDoubleDots(imageFileName)
 f, err := os.Create(folder + "/" + imageFileName + ".tar")
 if err != nil {
 return err
diff --git a/files.go b/files.go
index 6be69d2..8ac2e55 100644
--- a/files.go
+++ b/files.go
@@ -7,6 +7,7 @@ import (
 // GetFileSize gets the size of a file
 func GetFileSize(afile string) int64 {
+ afile = RemoveDoubleDots(afile)
 fi, err := os.Stat(afile)
 if err != nil {
 log.Print(err)
@@ -17,6 +18,7 @@ func GetFileSize(afile string) int64 {
 //FileExists checks if a file exists
 func FileExists(afile string) bool {
+ afile = RemoveDoubleDots(afile)
 if _, err := os.Stat(afile); os.IsNotExist(err) {
 return false
 }
diff --git a/files_test.go b/files_test.go
index 8ee9f75..4d001d4 100644
--- a/files_test.go
+++ b/files_test.go
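Review bot: Collapsing `..` to `.` in `user` and `imageName` rewrites a malformed request instead of refusing it, so two different inputs (`a..b` and `a.b`) now resolve to the same `imageName`, while `imageID` keeps its original dots when it is joined with `user` on the following lines. If `imageName` keys the saved file or a cache lookup (that code is outside this hunk), a request for one name could be answered with the archive stored for another. Rejecting at the boundary is easier to reason about: `if strings.Contains(user, "..") || strings.Contains(imageID, "..") { http.Error(w, "invalid image reference", http.StatusBadRequest); return }`. SaveImageHandler continues past the end of the hunk, so the handler's actual error path may differ from this sketch.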
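Review bot: The destination is still built by string concatenation, `folder + "/" + imageFileName + ".tar"`, and nothing verifies that the result stays inside `folder`; the added `RemoveDoubleDots` call contributes little here because `/` has already been replaced two lines earlier, and a backslash separator on Windows is not covered at all. Consider failing on an unexpected name rather than rewriting it, for example `if !filepath.IsLocal(imageFileName) { return fmt.Errorf("invalid image name %q", imageid) }` (needs Go 1.20+ and the `path/filepath` import), and building the path with `filepath.Join(folder, imageFileName+".tar")`. Only the first `:` is replaced by the line above, which is worth confirming as intended. SaveImage starts and ends outside the hunk.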
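Review bot: `GetFileSize` now stats a different path from the one the caller passed whenever that path contains `..`, and gives no sign of it: a legitimate relative path such as `../data/x.tar` is silently turned into `./data/x.tar`. The same applies to `FileExists` in the next hunk and to both `ZipFiles` hunks in zipfile.go, where the helper and a later open by the caller can then disagree about which file is meant. Validation belongs where the untrusted value enters (the HTTP handler); if the helpers keep the rewrite, their doc comments should state it, e.g. `// GetFileSize returns the size of afile; any ".." in afile is collapsed to "." before the lookup.` GetFileSize's body continues outside the hunk.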
@@ -1,17 +1,14 @@
 package dockerimagesave
 import (
+ "github.com/stretchr/testify/assert"
 "testing"
 )
 func TestGetFileSize(t *testing.T) {
- if GetFileSize("zipfile.go") != 1033 {
- t.Fail()
- }
+ assert.Equal(t, int64(1088), GetFileSize("zipfile.go"))
 }
 func TestFileExists(t *testing.T) {
- if !FileExists("zipfile.go") {
- t.Fail()
- }
+ assert.True(t, FileExists("zipfile.go"))
 }
diff --git a/stringutils.go b/stringutils.go
index 68c725a..46db3bb 100644
--- a/stringutils.go
+++ b/stringutils.go
@@ -7,3 +7,11 @@ func Sanitize(s string) string {
 escapedString = strings.Replace(escapedString, "\r", "", -1)
 return escapedString
 }
+
+func RemoveDoubleDots(s string) string {
+ escapedString := strings.ReplaceAll(s, "..", ".")
+ for strings.Contains(escapedString, "..") {
+ escapedString = strings.ReplaceAll(escapedString, "..", ".")
+ }
+ return escapedString
+}
diff --git a/stringutils_test.go b/stringutils_test.go
index 7a08acb..f5dae1b 100644
--- a/stringutils_test.go
+++ b/stringutils_test.go
@@ -9,3 +9,9 @@ func TestSanitizer(t *testing.T) {
 s := "test string\n\r"
 assert.Equal(t, "test string", Sanitize(s))
 }
+
+func TestRemoveDots(t *testing.T) {
+ assert.Equal(t, "asd/././ppp.a", RemoveDoubleDots("asd/../../ppp.a"))
+ assert.Equal(t, "asd/././ppp.a", RemoveDoubleDots("asd/.../.../ppp.a"))
+ assert.Equal(t, "asdppp.a", RemoveDoubleDots("asdppp.a"))
+}
diff --git a/zipfile.go b/zipfile.go
index 1afcae9..169fdb3 100644
--- a/zipfile.go
+++ b/zipfile.go
@@ -10,7 +10,7 @@ import (
 // ZipFiles compresses one or many files into a single zip archive file
 func ZipFiles(filename string, files []string) error {
-
+ filename = RemoveDoubleDots(filename)
 newfile, err := os.Create(filename)
 if err != nil {
 return err
@@ -22,8 +22,7 @@ func ZipFiles(filename string, files []string) error {
 // Add files to zip
 for _, file := range files {
-
- zipfile, err := os.Open(file)
+ zipfile, err := os.Open(RemoveDoubleDots(file))
 if err != nil {
 return err
 }
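Review bot: `assert.Equal(t, int64(1088), GetFileSize("zipfile.go"))` pins the byte size of a source file, which this same commit had to bump from 1033 because zipfile.go was edited; it will fail again on the next edit or on a checkout with different line endings. Neither test exercises the new `..` handling that the helpers gained in files.go. A fixture of known length written into `t.TempDir()` would make the size check stable, and a case with `..` in the path would document the intended behaviour. The testify import also sits above `"testing"`; goimports would place the standard-library group first.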
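Review bot: `RemoveDoubleDots` is exported without a doc comment, and its contract matters because the other files in this commit use it as a path-traversal guard: it only collapses runs of dots and leaves separators, absolute paths and `./` segments untouched (the accompanying test expects `asd/././ppp.a`). Suggested comment: `// RemoveDoubleDots collapses every run of two or more dots in s to a single dot. It does not clean or confine a path; callers must still check that the result stays inside the intended directory.` The `ReplaceAll` before the loop is redundant and the local does not hold an escaped string; `for strings.Contains(s, "..") { s = strings.ReplaceAll(s, "..", ".") }` followed by `return s` behaves the same.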
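Review bot: The cases in `TestRemoveDots` cover only two- and three-dot runs inside a path and a string with no match; the empty string, a string made only of dots, and a longer run that needs several passes are not pinned. Adding `assert.Equal(t, "", RemoveDoubleDots(""))`, `assert.Equal(t, ".", RemoveDoubleDots(".."))` and `assert.Equal(t, "a.b", RemoveDoubleDots("a.....b"))` would fix the loop's behaviour at those edges. The test name also differs from the function it tests; `TestRemoveDoubleDots` is easier to find.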