backend/internal/handlers/static_handlers.go

@@ -3,8 +3,10 @@ package handlers
 import (
 	"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/logger"
 	"gitea.d3m0k1d.ru/d3m0k1d/d3m0k1d.ru/backend/internal/models"
-
 	"github.com/gin-gonic/gin"
+	"os"
+	"path/filepath"
+	"strings"
 )
 
 type StaticHandlers struct {
@@ -53,7 +55,36 @@ func (h *StaticHandlers) PostStatic(c *gin.Context) {
 // @Failure 404 {object} models.ErrorResponse "File not found"
 // @Router /upload/{file} [get]
 func (h *StaticHandlers) GetStatic(c *gin.Context) {
-	// TODO: Unsecure handler need to be fixed
-	c.File("/data/upload/" + c.Param("file"))
 
+	filename := c.Param("file")
+	if filename == "" {
+		models.Error(c, 404, "File not found", "")
+		return
+	}
+
+	filename = filepath.Clean(filename)
+
+	if strings.Contains(filename, "..") {
+		models.Error(c, 400, "Invalid file path", "")
+		return
+	}
+
+	if filepath.IsAbs(filename) {
+		models.Error(c, 400, "Invalid file path", "")
+		return
+	}
+
+	baseDir := "/data/upload/"
+	fullPath := filepath.Join(baseDir, filename)
+	if !strings.HasPrefix(fullPath, baseDir) {
+		models.Error(c, 400, "Invalid file path", "")
+		return
+	}
+
+	if _, err := os.Stat(fullPath); os.IsNotExist(err) {
+		models.Error(c, 404, "File not found", "")
+		return
+	}
+
+	c.File(fullPath)
 }