Commit 4cd7ba36 authored by David Vorick's avatar David Vorick Committed by GitHub

Merge pull request #1583 from NebulousLabs/siapath-sanitize

add validateSiapath to validate renter siapaths on upload
parents 4e67896a 205359b5
......@@ -45,15 +45,35 @@ var (
}()
)
// validateSiapath checks that a Siapath is a legal filename.
// ../ is disallowed to prevent directory traversal,
// and paths must not begin with / or be empty.
func validateSiapath(siapath string) error {
if strings.HasPrefix(siapath, "/") || strings.HasPrefix(siapath, "./") {
return errors.New("nicknames cannot begin with /")
}
if siapath == "" {
return ErrEmptyFilename
}
if strings.Contains(siapath, "../") {
return errors.New("directory traversal is not allowed")
}
if strings.Contains(siapath, "./") {
return errors.New("siapath contains invalid characters")
}
return nil
}
// Upload instructs the renter to start tracking a file. The renter will
// automatically upload and repair tracked files using a background loop.
func (r *Renter) Upload(up modules.FileUploadParams) error {
// Enforce nickname rules.
if strings.HasPrefix(up.SiaPath, "/") {
return errors.New("nicknames cannot begin with /")
}
if up.SiaPath == "" {
return ErrEmptyFilename
if err := validateSiapath(up.SiaPath); err != nil {
return err
}
// Check for a nickname conflict.
......
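Review bot: The substring checks in validateSiapath look for `../` and `./`, so a path whose last element is a dot element (`foo/..`, or `..` on its own) is accepted, while a legitimate name such as `foo./bar` is rejected. Comparing whole path elements after splitting on `/` closes both gaps. It also makes the separate `./` prefix test unnecessary; that test currently returns the misleading message "nicknames cannot begin with /". If siapaths are ever mapped to on-disk paths on Windows, `\` would need the same treatment, though nothing in this hunk shows whether that applies. A sketch of the element-wise version follows.

```go
func validateSiapath(siapath string) error {
	if siapath == "" {
		return ErrEmptyFilename
	}
	if strings.HasPrefix(siapath, "/") {
		return errors.New("nicknames cannot begin with /")
	}
	// Compare whole elements so "foo/.." is rejected and "foo./bar" is not.
	for _, elem := range strings.Split(siapath, "/") {
		if elem == "." || elem == ".." {
			return errors.New("siapath must not contain . or .. path elements")
		}
	}
	return nil
}
```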
package renter
import (
"testing"
)
// TestRenterSiapathValidate verifies that the validateSiapath function correctly validates SiaPaths.
func TestRenterSiapathValidate(t *testing.T) {
var pathtests = []struct {
in string
valid bool
}{
{"valid/siapath", true},
{"../../../directory/traversal", false},
{"testpath", true},
{"valid/siapath/../with/directory/traversal", false},
{"validpath/test", true},
{"..validpath/..test", true},
{"./invalid/path", false},
{"test/path", true},
{"/leading/slash", false},
{"foo/./bar", false},
{"", false},
}
for _, pathtest := range pathtests {
err := validateSiapath(pathtest.in)
if err != nil && pathtest.valid {
t.Fatal("validateSiapath failed on valid path: ", pathtest.in)
}
if err == nil && !pathtest.valid {
t.Fatal("validateSiapath succeeded on invalid path: ", pathtest.in)
}
}
}
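Review bot: The table in TestRenterSiapathValidate has no input whose final element is `.` or `..`, which is the boundary that substring matching on `../` is most likely to get wrong. Adding `{"foo/..", false}`, `{"..", false}` and `{"foo./bar", true}` would pin that behaviour down. Replacing `t.Fatal` with `t.Errorf` in the loop would also report every failing row in one run instead of stopping at the first.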