Remove ineffective filepath.Clean
I'm assuming that you put in this call to filepath.Clean to prevent directory traversal attacks, but it can be circumvented. You parse whatever is received with url.Parse, but url.Parse accepts relative paths. So instead of requesting gemini://gemini.lostleonardo.xyz/, one could also request something like ../certs/key.pem and titan2 would happily take that. filepath.Clean("../certs/key.pem") outputs ../certs/key.pem, so it does nothing to prevent directory traversal attacks here.

There is, however, one more thing that prevents the attack from working and that is rootDir.Open. It ensures that no resource outside of rootDir can be accessed. Thus I think you don't even need the filepath.Clean call.
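
The behaviour described above, as an added example that is not part of the original message or of titan2's code: it shows url.Parse accepting a relative reference, filepath.Clean leaving the leading ".." in place, and a root-confined open rejecting the result. Assumptions: the page does not show rootDir's type, so os.DirFS stands in for rootDir.Open; cleanedPath, openInRoot and the index.gmi file are hypothetical names made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
)

// cleanedPath mirrors the parse-then-clean step: url.Parse accepts a
// relative reference, and filepath.Clean keeps leading ".." elements.
func cleanedPath(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return filepath.Clean(u.Path), nil
}

// openInRoot builds a constructed root directory holding index.gmi and opens
// name through os.DirFS, a stand-in for rootDir.Open (assumption: the page
// does not show rootDir's type). os.DirFS rejects names containing "..".
func openInRoot(name string) error {
	root, err := os.MkdirTemp("", "root")
	if err != nil {
		return err
	}
	defer os.RemoveAll(root)
	if err := os.WriteFile(filepath.Join(root, "index.gmi"), []byte("constructed"), 0o600); err != nil {
		return err
	}
	f, err := os.DirFS(root).Open(name)
	if err != nil {
		return err
	}
	return f.Close()
}

func main() {
	name, err := cleanedPath("../certs/key.pem")
	fmt.Println("cleaned:", name, err)
	fmt.Println("escape blocked:", errors.Is(openInRoot(name), os.ErrInvalid))
	fmt.Println("normal open error:", openInRoot("index.gmi"))
}
```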