Fix possible path traversal vulnerability in form package
wneessen committed Aug 11, 2021
1 parent 3ba9cca commit ac0377b
Showing 3 changed files with 11 additions and 2 deletions.
10 changes: 8 additions & 2 deletions form/form.go
Expand Up @@ -2,6 +2,7 @@ package form

import (
"fmt"
"github.com/cyphar/filepath-securejoin"
"github.com/kkyr/fig"
log "github.com/sirupsen/logrus"
"github.com/wneessen/js-mailer/config"
Expand Down Expand Up @@ -54,10 +55,15 @@ func NewForm(c *config.Config, i string) (Form, error) {
l := log.WithFields(log.Fields{
"action": "form.NewForm",
})
_, err := os.Stat(fmt.Sprintf("%s/%s.json", c.Forms.Path, i))
formPath, err := securejoin.SecureJoin(c.Forms.Path, fmt.Sprintf("%s.json", i))
if err != nil {
l.Errorf("Failed to securely join forms path and form id")
return Form{}, fmt.Errorf("not a valid form id")
}
_, err = os.Stat(formPath)
if err != nil {
l.Errorf("Failed to stat form config: %s", err)
return Form{}, fmt.Errorf("Not a valid form id")
return Form{}, fmt.Errorf("not a valid form id")
}
var formObj Form
if err := fig.Load(&formObj, fig.File(fmt.Sprintf("%s.json", i)),
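Review bot: The path that is validated is still not the path that is opened: `formPath` from the SecureJoin line is only passed to os.Stat, while the `fig.Load` call on the hunk's last line still names the file as `fmt.Sprintf("%s.json", i)` built from the raw id, so a crafted id that stats cleanly inside the forms directory can still be handed to the loader unsanitised. Deriving the load from the joined path closes that gap, `fig.File(filepath.Base(formPath)), fig.Dirs(filepath.Dir(formPath))`, adding `path/filepath` to the import block if it is not already there and dropping any separate `fig.Dirs(c.Forms.Path)` option that may follow outside the hunk. Alternatively reject ids that are not a plain file name before any filesystem access, e.g. `if i == "" || i == "." || i == ".." || i != filepath.Base(i) { return Form{}, fmt.Errorf("not a valid form id") }`, which keeps the checked and loaded paths identical by construction. The log line `l.Errorf("Failed to securely join forms path and form id")` drops `err`; `l.Errorf("Failed to securely join forms path and form id: %s", err)` matches the Stat branch right below it. NewForm's body continues past the end of the hunk.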
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -4,6 +4,7 @@ go 1.16

require (
github.com/ReneKroon/ttlcache/v2 v2.7.0
github.com/cyphar/filepath-securejoin v0.2.3
github.com/go-mail/mail v2.3.1+incompatible
github.com/kkyr/fig v0.2.0
github.com/sirupsen/logrus v1.8.1
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -2,6 +2,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/ReneKroon/ttlcache/v2 v2.7.0 h1:sZeaSwA2UN/y/h7CvkW15Kovd2Oiy76CBDORiOwHPwI=
github.com/ReneKroon/ttlcache/v2 v2.7.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY=
github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
