feat: update secure on get handler for files

d3m0k1d
2026-02-15 13:31:28 +03:00
parent 482e8571af
commit 18b3e318ab


@@ -3,8 +3,10 @@ package handlers
import ( import (
"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/logger" "gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/logger"
"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/models" "gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/models"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"os"
"path/filepath"
"strings"
) )
type StaticHandlers struct { type StaticHandlers struct {
@@ -53,7 +55,36 @@ func (h *StaticHandlers) PostStatic(c *gin.Context) {
// @Failure 404 {object} models.ErrorResponse "File not found" // @Failure 404 {object} models.ErrorResponse "File not found"
// @Router /upload/{file} [get] // @Router /upload/{file} [get]
func (h *StaticHandlers) GetStatic(c *gin.Context) { func (h *StaticHandlers) GetStatic(c *gin.Context) {
// TODO: Unsecure handler need to be fixed
c.File("/data/upload/" + c.Param("file"))
filename := c.Param("file")
if filename == "" {
models.Error(c, 404, "File not found", "")
return
}
filename = filepath.Clean(filename)
if strings.Contains(filename, "..") {
models.Error(c, 400, "Invalid file path", "")
return
}
if filepath.IsAbs(filename) {
models.Error(c, 400, "Invalid file path", "")
return
}
baseDir := "/data/upload/"
fullPath := filepath.Join(baseDir, filename)
if !strings.HasPrefix(fullPath, baseDir) {
models.Error(c, 400, "Invalid file path", "")
return
}
if _, err := os.Stat(fullPath); os.IsNotExist(err) {
models.Error(c, 404, "File not found", "")
return
}
c.File(fullPath)
} }
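Review bot: The `os.Stat` check at the end of GetStatic discards the FileInfo and tests only `os.IsNotExist(err)`, so a directory under /data/upload, or any other Stat failure such as permission denied, still reaches `c.File(fullPath)`. gin's `c.File` hands the path to net/http's ServeFile, which for a directory serves its index.html or a directory listing. Keep the result and reject anything that is not a regular file: `info, err := os.Stat(fullPath)` followed by `if err != nil || !info.Mode().IsRegular() { models.Error(c, 404, "File not found", ""); return }`. The earlier checks are purely lexical, so a symlink inside the upload directory would still be followed; if the upload path can ever create links, resolve with `filepath.EvalSymlinks` before the prefix comparison. Separately, `strings.Contains(filename, "..")` also rejects harmless names such as `a..b.txt`, so comparing whole path segments against `..` would be more precise.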