-rw-r--r-- | internal/service/deploy/deploy.go | 2 | ||||
-rw-r--r-- | internal/service/deploy/deploy_test.go | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/internal/service/deploy/deploy.go b/internal/service/deploy/deploy.go
index 936c2807..ac0e2452 100644
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -46,7 +46,7 @@ func validatePath(requestPath string) error {
 return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
 }
- if strings.HasPrefix(requestPath, ".") || strings.HasPrefix(requestPath, "/") {
+ if strings.IndexAny(requestPath, "./~") == 0 {
 return status.Errorf(codes.InvalidArgument, "invalid path: %q", requestPath)
 }
diff --git a/internal/service/deploy/deploy_test.go b/internal/service/deploy/deploy_test.go
index 967c9c47..156e333c 100644
--- a/internal/service/deploy/deploy_test.go
+++ b/internal/service/deploy/deploy_test.go
@@ -100,6 +100,7 @@ func TestDeleteSiteFail(t *testing.T) {
 {desc: "traversal end", path: "foo/bar/..", code: codes.InvalidArgument},
 {desc: "path starting with period", path: ".foo/bar", code: codes.InvalidArgument},
 {desc: "path starting with slash", path: "/foo/bar", code: codes.InvalidArgument},
+ {desc: "path starting with tilde", path: "~/foo/bar", code: codes.InvalidArgument},
 {desc: "directory does not exist", path: "does/not/exist", code: codes.FailedPrecondition},
 {desc: "path is a file not a directory", path: path.Join(sitePath, "hello"), code: codes.FailedPrecondition},
 } |
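Review bot: The new condition `strings.IndexAny(requestPath, "./~") == 0` reads as a search rather than a prefix test, so the rule it enforces deserves a comment above it, for example `// Reject hidden, absolute and home-relative paths: the first byte must not be '.', '/' or '~'.` Go's path packages never expand `~`, so the comment should also name the downstream consumer the tilde rule protects, which is not visible here. An empty requestPath makes IndexAny return -1 and passes this condition, as it did before the change, so the emptiness check has to live in the part of validatePath outside this hunk. Because this is a denylist on the leading character only, it is worth confirming that the code joining requestPath to the site root also verifies that the cleaned result stays under that root.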
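Review bot: The added row pins only the `~/foo/bar` form, while the rule in validatePath rejects any leading tilde, so the other leading-tilde shapes are left unpinned against a later rewrite of the condition. Rows such as `{desc: "path is a bare tilde", path: "~", code: codes.InvalidArgument},` and one for `~user/foo` would cover them. The table starts outside this hunk, so an existing row may already do this.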