Sanitize file path input to prevent directory traversal

[rbdr/mobius] / hotline / file_path.go

diff --git a/hotline/file_path.go b/hotline/file_path.go
index d6c05bcbcfb581d4df6d7f0dd89e2eb0670cea81..2e2e085046a6269f5f577930ec7b7e1781d2c436 100644 (file)
--- a/hotline/file_path.go
+++ b/hotline/file_path.go
@@ -32,6 +32,9 @@ type FilePath struct {
 
 const minFilePathLen = 2
 func (fp *FilePath) UnmarshalBinary(b []byte) error {
+       if b == nil {
+               return nil
+       }
        if len(b) < minFilePathLen {
                return errors.New("insufficient bytes")
        }
@@ -71,3 +74,21 @@ func ReadFilePath(filePathFieldData []byte) string {
        }
        return fp.String()
 }
+
+func readPath(fileRoot string, filePath, fileName []byte) (fullPath string, err error) {
+       var fp FilePath
+       if filePath != nil {
+               if err = fp.UnmarshalBinary(filePath); err != nil {
+                       return "", err
+               }
+       }
+
+       fullPath = path.Join(
+               "/",
+               fileRoot,
+               fp.String(),
+               path.Join("/", string(fileName)),
+       )
+
+       return fullPath, nil
+}