
Commit da48d42

committed
fix: prevent path injection vulnerability in site.go
Adds comprehensive path validation to prevent path traversal attacks in the binMetadataCache.getMetadata function. The fix includes: - Validation against path separators (/ and \) - Prevention of path traversal sequences (..) - Blocking of null bytes and hidden files - Ensuring cleaned paths match original input Fixes CodeQL vulnerability go/path-injection at line 1048. Co-authored-by: sreya <4856196+sreya@users.noreply.github.com>
1 parent c9ed0dd commit da48d42


1 file changed

+41
-0
lines changed


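--- a/site/site.go
+++ b/site/site.go
@@ -1032,7 +1032,48 @@ func newBinMetadataCache(binFS http.FileSystem, binSha1Hashes map[string]string)
 	return b
 }
 
+// validateFileName ensures the file name is safe and doesn't contain path traversal sequences
+func validateFileName(name string) error {
+	// Check for empty or root path
+	if name == "" || name == "/" {
+		return os.ErrNotExist
+	}
+
+	// Check for any path separators (both forward and back slashes)
+	if strings.ContainsAny(name, "/\\") {
+		return os.ErrNotExist
+	}
+
+	// Check for path traversal sequences
+	if strings.Contains(name, "..") {
+		return os.ErrNotExist
+	}
+
+	// Check for null bytes
+	if strings.Contains(name, "\x00") {
+		return os.ErrNotExist
+	}
+
+	// Ensure the cleaned path equals the original (prevents encoded traversal)
+	cleaned := filepath.Clean(name)
+	if cleaned != name {
+		return os.ErrNotExist
+	}
+
+	// Additional check: ensure the name doesn't start with a dot (hidden files)
+	if strings.HasPrefix(name, ".") {
+		return os.ErrNotExist
+	}
+
+	return nil
+}
+
 func (b *binMetadataCache) getMetadata(name string) (binMetadata, error) {
+	// Validate the file name to prevent path traversal attacks
+	if err := validateFileName(name); err != nil {
+		return binMetadata{}, err
+	}
+
 	b.mut.RLock()
 	metadata, ok := b.metadata[name]
 	b.mut.RUnlock()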
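Review bot: The comment above the `filepath.Clean` comparison, `// Ensure the cleaned path equals the original (prevents encoded traversal)`, claims something the code does not do — `filepath.Clean` performs no percent- or UTF-8 decoding (any URL decoding presumably happens in the HTTP layer before `getMetadata` is reached), and for a non-empty name that has already passed the separator and `..` checks above it, Clean returns the name unchanged on Unix, so the branch is effectively reachable only for Windows volume-name forms such as `C:`. I would reword it to `// Defense in depth: a bare file name must survive filepath.Clean unchanged (this also rejects Windows volume forms such as "C:")` so a later reader does not assume encoded input is being neutralised here. Separately, `strings.Contains(name, "..")` is broader than the traversal risk requires once separators are rejected — only the literal `.` and `..` can change directory — so either narrow it to `name == "." || name == ".."` or add a comment stating that any name containing `..` is intentionally refused. The diffstat shows only this file touched; a table-driven test for `validateFileName` covering `..`, `/`, `\`, a NUL byte, `.hidden`, `C:` and a valid `coder-linux-amd64` would pin the contract down. `getMetadata`'s body continues past the end of the hunk, so whether the validated name is the same string later handed to `binFS` cannot be confirmed from here.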
