author | Jacob Vosmaer <jacob@gitlab.com> | 2018-05-23 14:36:43 +0300 |
---|---|---|
committer | Jacob Vosmaer <jacob@gitlab.com> | 2018-05-23 14:36:43 +0300 |
commit | bc511610bd5aa309b40d92d6a7c87fe3b4a3f24e (patch) | |
tree | 2667e9adee993ba5f674ef5e09975311e550f4ff | |
parent | 4a0c3a92d2e60d58a07d238e6e79a11614f8595e (diff) |
Ban leading tildedelete-site-rpc
-rw-r--r-- | internal/service/deploy/deploy.go | 2 | ||||
-rw-r--r-- | internal/service/deploy/deploy_test.go | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/internal/service/deploy/deploy.go b/internal/service/deploy/deploy.go
index 936c2807..ac0e2452 100644
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -46,7 +46,7 @@ func validatePath(requestPath string) error {
 return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
 }
 
- if strings.HasPrefix(requestPath, ".") || strings.HasPrefix(requestPath, "/") {
+ if strings.IndexAny(requestPath, "./~") == 0 {
 return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
 }
 
diff --git a/internal/service/deploy/deploy_test.go b/internal/service/deploy/deploy_test.go
index 967c9c47..156e333c 100644
--- a/internal/service/deploy/deploy_test.go
+++ b/internal/service/deploy/deploy_test.go
@@ -100,6 +100,7 @@ func TestDeleteSiteFail(t *testing.T) {
 {desc: "traversal end", path: "foo/bar/..", code: codes.InvalidArgument},
 {desc: "path starting with period", path: ".foo/bar", code: codes.InvalidArgument},
 {desc: "path starting with slash", path: "/foo/bar", code: codes.InvalidArgument},
+ {desc: "path starting with tilde", path: "~/foo/bar", code: codes.InvalidArgument},
 {desc: "directory does not exist", path: "does/not/exist", code: codes.FailedPrecondition},
 {desc: "path is a file not a directory", path: path.Join(sitePath, "hello"), code: codes.FailedPrecondition},
 }
|
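Review bot: The new condition in validatePath, `strings.IndexAny(requestPath, "./~") == 0`, is an uncommented deny-list, and the `== 0` form makes it easy to miss that only the first byte of the path is tested. I would add a comment above it such as `// Only the first byte is checked: paths may not begin with '.', '/' or '~'.` and state there why a leading tilde is refused, since Go's own path functions do not expand it and the reason is presumably a later consumer. A prefix deny-list is easy to leave incomplete, so it is worth confirming that the path is also checked to stay inside the site root after it is joined. validatePath begins before and continues after this hunk, so that check may already exist out of view.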
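Review bot: The added table row only covers `~/foo/bar`, which would still pass if validatePath rejected just the `~/` prefix instead of any leading tilde. A second row such as `{desc: "path starting with tilde and name", path: "~foo/bar", code: codes.InvalidArgument},` would pin the behaviour the commit title describes. The table belongs to TestDeleteSiteFail, whose body starts before this hunk.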