all repos — legit @ 658e1edc62dd9aea90b301e365a2d06fe4a9d7f7

web frontend for git, written in go

all: use securejoin for path joining

Anirudh Oppiliappan
commit

658e1edc62dd9aea90b301e365a2d06fe4a9d7f7

parent

f8f00566538ed3ce512f8edf98209cb7577f8258

1 file changed, 13 insertions(+), 2 deletions(-)

changed files
M routes/git.goroutes/git.go
@@ -8,13 +8,19 @@ "net/http"
 "path/filepath"
 "git.icyphox.sh/legit/git/service"
+ securejoin "github.com/cyphar/filepath-securejoin"
 )
 func (d *deps) InfoRefs(w http.ResponseWriter, r *http.Request) {
 name := r.PathValue("name")
 name = filepath.Clean(name)
- repo := filepath.Join(d.c.Repo.ScanPath, name)
+ repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name)
+ if err != nil {
+ log.Printf("securejoin error: %v", err)
+ d.Write404(w)
+ return
+ }
 w.Header().Set("content-type", "application/x-git-upload-pack-advertisement")
 w.WriteHeader(http.StatusOK)
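Review bot: The new error branch after `securejoin.SecureJoin` in InfoRefs logs only the error and not the requested `name`, so a failed join cannot be tied to a request or a repository; `log.Printf("securejoin error for %q: %v", name, err)` would record it with safe quoting. SecureJoin does not reject `..` components or symlinks that point outside the root: it resolves them as if `ScanPath` were the filesystem root, so a traversal-shaped name is clamped silently and this branch is unlikely to fire for it. A one-line comment above the call, such as `// SecureJoin clamps the result under ScanPath; err is not a traversal signal`, would stop readers treating the 404 as traversal detection. The same applies to the identical change in UploadPack in the next hunk. Both function bodies continue outside their hunks, so whether `repo` is later checked to be an existing, served repository cannot be seen from here.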
@@ -35,7 +41,12 @@ func (d *deps) UploadPack(w http.ResponseWriter, r *http.Request) {
 name := r.PathValue("name")
 name = filepath.Clean(name)
- repo := filepath.Join(d.c.Repo.ScanPath, name)
+ repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, name)
+ if err != nil {
+ log.Printf("securejoin error: %v", err)
+ d.Write404(w)
+ return
+ }
 w.Header().Set("content-type", "application/x-git-upload-pack-result")
 w.Header().Set("Connection", "Keep-Alive")