From c9266d88499ab4056a939121bd95eda830e4efa9 Mon Sep 17 00:00:00 2001
From: Pierre Dubouilh
Date: Fri, 6 Sep 2019 20:15:13 +0200
Subject: [PATCH] fix hidden files
---
 .gitignore | 1 +
 Makefile | 2 +-
 src/gossa.go | 6 +++---
 src/gossa_test.go | 19 ++++++++++++++-----
 test-fixture/.testhidden | 1 +
 5 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 test-fixture/.testhidden
diff --git a/.gitignore b/.gitignore
index f0812ba..ec40082 100755
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@ gossa-windows.exe
 .vscode
 test-fixture/*
 test-fixture/*/*
+!test-fixture/.testhidden
 !test-fixture/compress
 !test-fixture/compress/foo*
 !test-fixture/gzip
diff --git a/Makefile b/Makefile
index acc8cf0..331f8fc 100755
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,7 @@ run:
 run-extra:
 make build
- ./gossa -verb=true -prefix="/fancy-path/" -symlinks=true test-fixture
+ ./gossa -verb=true -prefix="/fancy-path/" -k=false -symlinks=true test-fixture
 ci:
 -@cd test-fixture && ln -s ../support .
diff --git a/src/gossa.go b/src/gossa.go
index 04bfb89..4e915f6 100755
--- a/src/gossa.go
+++ b/src/gossa.go
@@ -175,11 +175,11 @@ func rpc(w http.ResponseWriter, r *http.Request) {
 }
 func checkPath(p string) string {
- p = filepath.Join(initPath, strings.TrimPrefix(p, *extraPath))
- fp, err := filepath.Abs(p)
+ joined := filepath.Join(initPath, strings.TrimPrefix(p, *extraPath))
+ fp, err := filepath.Abs(joined)
 sl, _ := filepath.EvalSymlinks(fp)
- if err != nil || !strings.HasPrefix(fp, initPath) || len(sl) > 0 && !*symlinks && !strings.HasPrefix(sl, initPath) {
+ if err != nil || !strings.HasPrefix(fp, initPath) || *skipHidden && strings.Contains(p, "/.") || !*symlinks && len(sl) > 0 && !strings.HasPrefix(sl, initPath) {
 panic(errors.New("invalid path"))
 }
diff --git a/src/gossa_test.go b/src/gossa_test.go
index 604a24e..31b6b6e 100644
--- a/src/gossa_test.go
+++ b/src/gossa_test.go
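Review bot: The new hidden-file guard in checkPath tests the raw request string `p` with `strings.Contains(p, "/.")`, while the file that is actually opened is derived from the cleaned `fp`, so the decision and the access can disagree. The guard only fires when a dot component is preceded by a forward slash in the unnormalized input, which relies on every caller (the rpc arguments are not visible in this hunk) passing slash-rooted, forward-slash paths; it also rejects harmless inputs containing `/./` or `/../`, and everything under a `-prefix` that itself has a dot component, because `*extraPath` is not trimmed before the test. Consider deciding on the resolved path instead, for example `*skipHidden && strings.Contains(filepath.ToSlash(strings.TrimPrefix(fp, initPath)), "/.")`, assuming initPath is the cleaned absolute root that the neighbouring HasPrefix test already depends on. Parenthesising the `&&` groups in the condition would also make the intended precedence explicit. checkPath continues past the end of the hunk.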
@@ -84,7 +84,7 @@ func fetchAndTestDefault(t *testing.T, url string) string { return bodyStr } -func doTest(t *testing.T, url string, symlinkEnabled bool) { +func doTest(t *testing.T, url string, testExtra bool) { payload := "" path := "" bodyStr := "" @@ -202,16 +202,16 @@ func doTest(t *testing.T, url string, symlinkEnabled bool) { } // ~~~~~~~~~~~~~~~~~ - fmt.Println("\r\n~~~~~~~~~~ test symlink, should succeed: ", symlinkEnabled) + fmt.Println("\r\n~~~~~~~~~~ test symlink, should succeed: ", testExtra) bodyStr = get(t, url+"/support/readme.md") hasReadme := strings.Contains(bodyStr, `the master branch is automatically built and pushed`) - if !symlinkEnabled && hasReadme { + if !testExtra && hasReadme { t.Fatal("error symlink reached where illegal") - } else if symlinkEnabled && !hasReadme { + } else if testExtra && !hasReadme { t.Fatal("error symlink unreachable") } - if symlinkEnabled { + if testExtra { fmt.Println("\r\n~~~~~~~~~~ test symlink mkdir & cleanup") bodyStr = postJSON(t, url+"rpc", `{"call":"mkdirp","args":["/support/testfolder"]}`) if bodyStr != `ok` { @@ -224,6 +224,15 @@ func doTest(t *testing.T, url string, symlinkEnabled bool) { } } + fmt.Println("\r\n~~~~~~~~~~ test hidden file, should succeed: ", testExtra) + bodyStr = get(t, url+"/.testhidden") + hasHidden := strings.Contains(bodyStr, `test`) + if !testExtra && hasHidden { + t.Fatal("error hidden file reached where illegal") + } else if testExtra && !hasHidden { + t.Fatal("error hidden file unreachable") + } + // fmt.Println("\r\n~~~~~~~~~~ test upload in new folder") payload = "abcdef1234" diff --git a/test-fixture/.testhidden b/test-fixture/.testhidden new file mode 100644 index 0000000..9daeafb --- /dev/null +++ b/test-fixture/.testhidden @@ -0,0 +1 @@ +test
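Review bot: The hidden-file assertion added near the end of doTest matches on the substring `test`, which is too generic to show whether the fixture was served: any response body that happens to contain that word (an error page, a listing, an echoed path) flips `hasHidden` in either mode. Giving `test-fixture/.testhidden` a distinctive body and matching on it, e.g. `hasHidden := strings.Contains(bodyStr, "hidden-fixture-marker")` (constructed marker), plus a status-code check if the `get` helper exposes one, would make both branches meaningful. The test also exercises only a top-level GET; since checkPath presumably also guards the rpc handler, a case for a hidden name passed through `rpc` and one for a hidden directory below the root would cover the paths the guard is meant to protect. Reusing the single `testExtra` flag for both symlinks and hidden files means the two options are never tested independently. doTest continues beyond the hunks shown.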