feat: update secure on get handler for files
@@ -3,8 +3,10 @@ package handlers
|
||||
import (
|
||||
"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/logger"
|
||||
"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/models"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type StaticHandlers struct {
|
||||
@@ -53,7 +55,36 @@ func (h *StaticHandlers) PostStatic(c *gin.Context) {
|
||||
// @Failure 404 {object} models.ErrorResponse "File not found"
|
||||
// @Router /upload/{file} [get]
|
||||
func (h *StaticHandlers) GetStatic(c *gin.Context) {
|
||||
// TODO: Unsecure handler need to be fixed
|
||||
c.File("/data/upload/" + c.Param("file"))
|
||||
|
||||
filename := c.Param("file")
|
||||
if filename == "" {
|
||||
models.Error(c, 404, "File not found", "")
|
||||
return
|
||||
}
|
||||
|
||||
filename = filepath.Clean(filename)
|
||||
|
||||
if strings.Contains(filename, "..") {
|
||||
models.Error(c, 400, "Invalid file path", "")
|
||||
return
|
||||
}
|
||||
|
||||
if filepath.IsAbs(filename) {
|
||||
models.Error(c, 400, "Invalid file path", "")
|
||||
return
|
||||
}
|
||||
|
||||
baseDir := "/data/upload/"
|
||||
fullPath := filepath.Join(baseDir, filename)
|
||||
if !strings.HasPrefix(fullPath, baseDir) {
|
||||
models.Error(c, 400, "Invalid file path", "")
|
||||
return
|
||||
}
|
||||
|
||||
if _, err := os.Stat(fullPath); os.IsNotExist(err) {
|
||||
models.Error(c, 404, "File not found", "")
|
||||
return
|
||||
}
|
||||
|
||||
c.File(fullPath)
|
||||
}
|
||||
|
||||
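Review bot: The result of `os.Stat` in `if _, err := os.Stat(fullPath); os.IsNotExist(err)` is discarded, so any existing entry under the base directory passes the check, including a subdirectory, and is then handed to `c.File`, which wraps `http.ServeFile` and will serve a directory listing or index for it; requiring a regular file closes that case and also maps other stat errors (permissions, I/O) to 404 instead of letting them fall through: `fi, err := os.Stat(fullPath)` and `if err != nil || !fi.Mode().IsRegular() {` in place of the current condition. Note that `os.Stat` follows symlinks, so a link inside `/data/upload/` pointing outside it still passes the prefix check on the unresolved path; if the upload path can ever contain links, resolve with `filepath.EvalSymlinks` and re-apply the `HasPrefix` check on the result, or use `os.Lstat` to reject links outright. The `strings.Contains(filename, "..")` guard is broader than needed, rejecting legitimate names such as `a..b.txt`, while the `filepath.Join` plus `HasPrefix` check that follows already confines the path to the base directory. GetStatic is fully contained in this hunk, so the change is local.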