Prevent directory traversal in file upload

Fixes #53
2020-05-12 20:01:03 +02:00
parent 737a26fee3
commit 2c889e0808
2 changed files with 64 additions and 5 deletions
--- a/internal/db/fileupload.go
+++ b/internal/db/fileupload.go
@@ -126,7 +126,8 @@ func NewFileUpload(fs *FileStore, r io.Reader, fileName string) (*FileUpload, er
 	contentType := http.DetectContentType(tmpBuf.Bytes())

 	// Open the file on disk for writing
-	filePath := fs.filePath(id, fileName)
+	baseName := filepath.Base(fileName)
+	filePath := fs.filePath(id, baseName)
 	if err := os.Mkdir(path.Dir(filePath), dirMode); err != nil {
 		return nil, errors.Wrap(err, "creating file dir")
 	}
@@ -149,7 +150,7 @@ func NewFileUpload(fs *FileStore, r io.Reader, fileName string) (*FileUpload, er
 	fu := &FileUpload{
 		State:       FileUploadStatePresent,
 		ID:          id,
-		FileName:    fileName,
+		FileName:    baseName,
 		ContentType: contentType,
 		Checksum:    hash.Sum32(),
 	}
@@ -169,6 +170,27 @@ func GetFileUpload(tx *bolt.Tx, id uuid.UUID) (*FileUpload, error) {
 	return decodeFileUpload(storedBytes)
 }

+// AllFileUploads tries to retrieve all FileUpload objects from the bolt database.
+func AllFileUploads(tx *bolt.Tx) ([]FileUpload, error) {
+	bucket := tx.Bucket([]byte(BucketFileUpload))
+	if bucket == nil {
+		return nil, errors.Errorf("bucket %v does not exist", BucketFileUpload)
+	}
+	var fus []FileUpload
+	err := bucket.ForEach(func(_, storedBytes []byte) error {
+		fu, err := decodeFileUpload(storedBytes)
+		if err != nil {
+			return err
+		}
+		fus = append(fus, *fu)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return fus, nil
+}
+
 func decodeFileUpload(storedBytes []byte) (*FileUpload, error) {
 	fu := &FileUpload{}
 	err := gobmarsh.Unmarshal(storedBytes, fu)