Merge pull request #799 from WindLi001/clean

Use Clean() but not Abs() to prevent directory traversal
2023-02-13 17:31:49 +01:00 · 2023-02-13 17:31:49 +01:00 · fdae46a548
parent dcc05f4ea8 6bebed4693
commit fdae46a548
1 changed files with 5 additions and 10 deletions
--- a/api/routes/spa.go
+++ b/api/routes/spa.go
@ -3,6 +3,7 @@ package routes
 import (
 	"net/http"
 	"os"
+	"path"
 	"path/filepath"
 )

@ -27,20 +28,14 @@ func NewSpaHandler(staticPath string, indexPath string) SpaHandler {
 // file located at the index path on the SPA handler will be served. This
 // is suitable behavior for serving an SPA (single page application).
 func (h SpaHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// get the absolute path to prevent directory traversal
-	path, err := filepath.Abs(r.URL.Path)
-	if err != nil {
-		// if we failed to get the absolute path respond with a 400 bad request
-		// and stop
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
+	// get the clean path to prevent directory traversal
+	servePath := path.Clean(r.URL.Path)

 	// prepend the path with the path to the static directory
-	path = filepath.Join(h.staticPath, path)
+	servePath = filepath.Join(h.staticPath, servePath)

 	// check whether a file exists at the given path
-	_, err = os.Stat(path)
+	_, err := os.Stat(servePath)
 	if os.IsNotExist(err) {
 		// file does not exist, serve index.html
 		http.ServeFile(w, r, filepath.Join(h.staticPath, h.indexPath))