From 6ca450e0b316eab6e6bb34d37ca5774f86b4428f Mon Sep 17 00:00:00 2001
From: Chapuis Bertil
Date: Thu, 6 Aug 2015 12:20:18 +0200
Subject: [PATCH] better path parameter verification

---
 backend/rest_test.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/backend/rest_test.go b/backend/rest_test.go
index 0a2152128..f58f3e432 100644
--- a/backend/rest_test.go
+++ b/backend/rest_test.go
@@ -79,7 +79,8 @@ func TestRestBackend(t *testing.T) {
 // List the blobs of a given type.
 r.HandleFunc("/{type}/", func(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- path := filepath.Join(path, vars["type"])
+ blobType := filepath.Clean(vars["type"])
+ path := filepath.Join(path, blobType)
 files, _ := ioutil.ReadDir(path)
 names := make([]string, len(files))
 for i, f := range files {
@@ -92,7 +93,9 @@ func TestRestBackend(t *testing.T) {
 // Check if a blob of a given type exists.
 r.HandleFunc("/{type}/{blob}", func(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- blob := filepath.Join(path, vars["type"], vars["blob"])
+ blobType := filepath.Clean(vars["type"])
+ blobID := filepath.Clean(vars["blob"])
+ blob := filepath.Join(path, blobType, blobID)
 if _, err := os.Stat(blob); err != nil {
 http.Error(w, "Blob not found", 404)
 }
@@ -101,7 +104,9 @@ func TestRestBackend(t *testing.T) {
 // Get a blob of a given type.
 r.HandleFunc("/{type}/{blob}", func(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- blob := filepath.Join(path, vars["type"], vars["blob"])
+ blobType := filepath.Clean(vars["type"])
+ blobID := filepath.Clean(vars["blob"])
+ blob := filepath.Join(path, blobType, blobID)
 if file, err := os.Open(blob); err == nil {
 http.ServeContent(w, r, "", time.Unix(0, 0), file)
 } else {
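Review bot: `filepath.Clean` on a single path parameter, as added in the `/{type}/` list handler here and in the four `/{type}/{blob}` handlers of the following hunks, does not keep the joined path under `path`: `filepath.Clean("..")` is still `..`, so `filepath.Join(path, "..", blobID)` resolves to a sibling of the backend directory and the "verification" named in the commit title rejects nothing. Since this lives in `rest_test.go` the exposure is presumably confined to the test fixture, but the check is misleading as written and may be copied into real handlers. A segment is safe only when it is neither `.` nor `..` and contains no separator, which `filepath.Base(s) == s` together with the two dot checks establishes; a helper like the one below lets each handler answer 400 and return on an unsafe parameter instead of normalising it. Alternatively keep Clean and verify after the Join that `blob` still has `path + string(filepath.Separator)` as a prefix. The enclosing TestRestBackend function starts and ends outside these hunks.
```go
// blobPath joins base with the request's path segments; ok is false when a
// segment is empty, ".", ".." or contains a separator, i.e. could escape base.
func blobPath(base string, segs ...string) (string, bool) {
	for _, s := range segs {
		if s == "." || s == ".." || filepath.Base(s) != s {
			return "", false
		}
	}
	return filepath.Join(append([]string{base}, segs...)...), true
}

// … unchanged: handler registration …
		vars := mux.Vars(r)
		blob, ok := blobPath(path, vars["type"], vars["blob"])
		if !ok {
			http.Error(w, "Invalid blob path", 400)
			return
		}
// … unchanged: os.Stat check and response …
```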
@@ -112,7 +117,9 @@ func TestRestBackend(t *testing.T) {
 // Save a blob of a given type.
 r.HandleFunc("/{type}/{blob}", func(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- blob := filepath.Join(path, vars["type"], vars["blob"])
+ blobType := filepath.Clean(vars["type"])
+ blobID := filepath.Clean(vars["blob"])
+ blob := filepath.Join(path, blobType, blobID)
 if _, err := os.Stat(blob); err == nil {
 http.Error(w, "Blob already uploaded", 403)
 } else {
@@ -124,7 +131,9 @@ func TestRestBackend(t *testing.T) {
 // Delete a blob of a given type.
 r.HandleFunc("/{type}/{blob}", func(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- blob := filepath.Join(path, vars["type"], vars["blob"])
+ blobType := filepath.Clean(vars["type"])
+ blobID := filepath.Clean(vars["blob"])
+ blob := filepath.Join(path, blobType, blobID)
 if _, err := os.Stat(blob); err == nil {
 os.Remove(blob)
 } else {