diff options
| author | Jaime Martinez <jmartinez@gitlab.com> | 2021-02-04 08:14:44 +0300 |
|---|---|---|
| committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-02-15 02:17:24 +0300 |
| commit | f54633ee2a26006a9bfb372d2f2242086a298b94 (patch) | |
| tree | 7dc7489e589d36b983cd17dbccd258e3603e87c0 /internal/httpfs | |
| parent | 586317c827f5878444bcc86bf953b21e7e31ee10 (diff) | |
Add test for path not allowed
Diffstat (limited to 'internal/httpfs')
| -rw-r--r-- | internal/httpfs/http_fs.go | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/internal/httpfs/http_fs.go b/internal/httpfs/http_fs.go index 274bca57..cd2edb83 100644 --- a/internal/httpfs/http_fs.go +++ b/internal/httpfs/http_fs.go @@ -13,6 +13,8 @@ import ( "path" "path/filepath" "strings" + + "gitlab.com/gitlab-org/labkit/log" ) var ( @@ -52,13 +54,15 @@ func (p *fileSystemPaths) Open(name string) (http.File, error) { if err != nil { return nil, err } - for _, allowedPath := range p.allowedPaths { if strings.HasPrefix(absPath, allowedPath+"/") { return os.Open(absPath) } } + log.WithError(os.ErrPermission).Errorf("requested filepath %q not in allowed paths: %q", + absPath, strings.Join(p.allowedPaths, string(os.PathListSeparator))) + // os.ErrPermission is converted to http.StatusForbidden // https://github.com/golang/go/blob/release-branch.go1.15/src/net/http/fs.go#L635 return nil, os.ErrPermission |