authorValery Piashchynski <[email protected]>2021-04-28 17:37:54 +0300
committerValery Piashchynski <[email protected]>2021-04-28 17:37:54 +0300
commit2812157be7a9c1411d02872f0b9fa567bcf7a9b7 (patch)
tree6c982f5ace059292ec7f748bd32fa6d1ca7719f0 /plugins/http
parent4b83cbfc8500ac4d01bb0d1aca5d5ed65a710ce8 (diff)
- Add r.URL.Path protection
Signed-off-by: Valery Piashchynski <[email protected]>
Diffstat (limited to 'plugins/http')
-rw-r--r--plugins/http/plugin.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/plugins/http/plugin.go b/plugins/http/plugin.go
index 58336c17..2b1dec89 100644
--- a/plugins/http/plugin.go
+++ b/plugins/http/plugin.go
@@ -7,6 +7,7 @@ import (
"net/http"
"os"
"path/filepath"
+ "strings"
"sync"
"github.com/hashicorp/go-multierror"
@@ -186,6 +187,13 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
// calculate etag for the resource
if s.cfg.Static.CalculateEtag {
+ // do not allow paths like ../../resource
+ // only specified folder and resources in it
+ // https://lgtm.com/rules/1510366186013/
+ if strings.Contains(r.URL.Path, "..") {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
f, errS := os.Open(filepath.Join(s.cfg.Static.Dir, r.URL.Path))
if errS != nil {
s.log.Warn("error opening file to calculate the Etag", "provided path", r.URL.Path)
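Review bot: The new `strings.Contains(r.URL.Path, "..")` guard is both broader and narrower than needed: it rejects any legitimate file whose name merely contains two dots (e.g. `archive..v2.tar`), while the real hazard is that `filepath.Join` on the next line cleans `..` segments relative to `s.cfg.Static.Dir`, so the protection depends entirely on this string check rather than on the join itself. The idiomatic fix, which is what `http.Dir` does, is to root the request path before joining so that `..` can never climb above the static directory: `f, errS := os.Open(filepath.Join(s.cfg.Static.Dir, filepath.FromSlash(path.Clean("/"+r.URL.Path))))`, with `"path"` added to the import block in the first hunk (the `"strings"` import added there would then be unused unless it is needed elsewhere). Note also that the check sits inside the `if s.cfg.Static.CalculateEtag` branch, so it only runs when etag calculation is enabled; if the same `r.URL.Path` is used to serve the file elsewhere in `serve` (the function starts and ends outside this hunk), the guard belongs before that branch rather than inside it.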