fix: clean path before accessing file store

charmbracelet · May 6, 2022 · 3c90668 · 3c90668
1 parent 9c620ae
commit 3c90668
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/server/http.go b/server/http.go
@@ -10,6 +10,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -279,7 +280,7 @@ func (s *HTTPServer) handlePostSeq(w http.ResponseWriter, r *http.Request) {
 
 func (s *HTTPServer) handlePostFile(w http.ResponseWriter, r *http.Request) {
 	u := s.charmUserFromRequest(w, r)
-	path := pattern.Path(r.Context())
+	path := filepath.Clean(pattern.Path(r.Context()))
 	ms := r.URL.Query().Get("mode")
 	m, err := strconv.ParseUint(ms, 10, 32)
 	if err != nil {
@@ -316,7 +317,7 @@ func (s *HTTPServer) handlePostFile(w http.ResponseWriter, r *http.Request) {
 
 func (s *HTTPServer) handleGetFile(w http.ResponseWriter, r *http.Request) {
 	u := s.charmUserFromRequest(w, r)
-	path := pattern.Path(r.Context())
+	path := filepath.Clean(pattern.Path(r.Context()))
 	f, err := s.cfg.FileStore.Get(u.CharmID, path)
 	if errors.Is(err, fs.ErrNotExist) {
 		s.renderCustomError(w, "file not found", http.StatusNotFound)
@@ -353,7 +354,7 @@ func (s *HTTPServer) handleGetFile(w http.ResponseWriter, r *http.Request) {
 
 func (s *HTTPServer) handleDeleteFile(w http.ResponseWriter, r *http.Request) {
 	u := s.charmUserFromRequest(w, r)
-	path := pattern.Path(r.Context())
+	path := filepath.Clean(pattern.Path(r.Context()))
 	err := s.cfg.FileStore.Delete(u.CharmID, path)
 	if err != nil {
 		log.Printf("cannot delete file: %s", err)