Use SafeJoin in the uploadHandler #821

Merged
merged 3 commits into from
Sep 18, 2023

@alessio-perugini (Contributor) commented Sep 4, 2023

@alessio-perugini self-assigned this Sep 4, 2023
@alessio-perugini added the topic: code (Related to content of the project itself) and topic: security (Related to the protection of user data) labels Sep 4, 2023

@codecov-commenter commented Sep 4, 2023

Codecov Report

Patch coverage: 96.42% and project coverage change: +0.91% 🎉

Comparison is base (716e7aa) 16.85% compared to head (139ce6b) 17.76%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #821      +/-   ##
==========================================
+ Coverage   16.85%   17.76%   +0.91%     
==========================================
  Files          53       53              
  Lines        4082     4103      +21     
==========================================
+ Hits          688      729      +41     
+ Misses       3294     3270      -24     
- Partials      100      104       +4     
Flag Coverage Δ
unit 17.76% <96.42%> (+0.91%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
conn.go 16.32% <83.33%> (+16.32%) ⬆️
utilities/utilities.go 23.76% <100.00%> (+12.26%) ⬆️
v2/pkgs/tools.go 67.09% <100.00%> (+0.64%) ⬆️


@luigigubello
👀

@per1234 added the type: imperfection (Perceived defect in any part of project) label Sep 4, 2023

@umbynos (Contributor) left a comment

LGTM, good work 🏁

Comment on lines +153 to +164
// SafeJoin performs a filepath.Join of 'parent' and 'subdir' but returns an error
// if the resulting path points outside of 'parent'.
func SafeJoin(parent, subdir string) (string, error) {
res := filepath.Join(parent, subdir)
if !strings.HasSuffix(parent, string(os.PathSeparator)) {
parent += string(os.PathSeparator)
}
if !strings.HasPrefix(res, parent) {
return res, fmt.Errorf("unsafe path join: '%s' with '%s'", parent, subdir)
}
return res, nil
}
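Review bot: `parent` is compared as the caller passed it, while `res` comes back from filepath.Join already cleaned, so the strings.HasPrefix check rejects valid joins whenever parent is not in canonical form, for example "./uploads" or "uploads//" (res becomes "uploads/x", which does not start with "./uploads/" or "uploads//"). Run parent through filepath.Clean before appending the separator. Two smaller points on the same lines: on failure the function still returns the unsafe `res` next to the error, so returning an empty string would make a caller that ignores the error fail closed; and the doc comment should state that the check is purely lexical (symlinks below parent are not resolved) and that a subdir of "" or "." is rejected, because res then equals parent without the trailing separator.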
Member

Maybe this could be a good candidate for go-paths-helper

Labels
topic: code Related to content of the project itself topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project
8 participants