From 372b1f00ed9b610d75334cb1feab8c3ae1cd1966 Mon Sep 17 00:00:00 2001
From: Laurynas Gadliauskas
Date: Tue, 8 Jun 2021 16:39:45 +0300
Subject: [PATCH] feat: filter out-of-scope symlinks (#10)

---
 files/listing.go | 2 ++
 http/resource.go | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/files/listing.go b/files/listing.go
index 7c064fac..c5a85bdd 100644
--- a/files/listing.go
+++ b/files/listing.go
@@ -109,6 +109,8 @@ func (l byModified) Less(i, j int) bool {
 return iModified.Sub(jModified) < 0
 }
 
+// FilterItems only includes items that return true when
+// ran through the provided function
 func (l *Listing) FilterItems(fn func(fi *FileInfo) bool) {
 filtered := []*FileInfo{}
 for _, item := range l.Items {
diff --git a/http/resource.go b/http/resource.go
index 1b045cd5..c6737f04 100644
--- a/http/resource.go
+++ b/http/resource.go
@@ -52,8 +52,22 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
 file.Listing.Sorting = d.user.Sorting
 file.Listing.ApplySort()
 file.Listing.FilterItems(func(fi *files.FileInfo) bool {
+ // remove files that should be hidden
 _, exists := d.server.HiddenFiles[fi.Name]
- return !exists
+ if exists {
+ return false
+ }
+
+ // remove symlinks that link outside base path
+ if fi.IsSymlink {
+ fullLinkTarget := filepath.Join(d.user.FullPath(file.Path), fi.Link)
+ scopedLinkTarget := d.user.FullPath(filepath.Join(file.Path, fi.Link))
+ if fullLinkTarget != scopedLinkTarget {
+ return false
+ }
+ }
+
+ return true
 })
 return renderJSON(w, r, file)
 }
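Review bot: The new doc comment on FilterItems says `ran through`, which should be `run through`, and as a Go doc comment it should be a full sentence ending in a period, e.g. `// FilterItems keeps only the items for which fn returns true.` FilterItems's body continues past the end of the hunk.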
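Review bot: The scope test on the `fullLinkTarget`/`scopedLinkTarget` lines is purely lexical, so it rejects a `..` that climbs above the user's base path but not an absolute link target or a target that itself goes through a further symlink: if `fi.Link` carries the raw readlink value and `FullPath` is a plain join of scope and path (both inferred, neither visible here), `filepath.Join` treats an absolute target as relative to the base and the two sides come out equal, so that entry is kept. Resolving the entry on disk with `filepath.EvalSymlinks` and checking that the result stays under the (also resolved) scope root with `filepath.Rel` closes both gaps, at the cost of one readlink walk per symlink entry, which is probably acceptable for a directory listing. The enclosing handler closure begins before the hunk; the scope-root expression and the `strings` import in the sketch below are placeholders to confirm against the rest of the file.
```go
		// remove symlinks whose resolved target is outside the user's scope
		if fi.IsSymlink {
			scopeRoot, err := filepath.EvalSymlinks(d.user.FullPath("/")) // TODO(review): confirm this is the scope root
			if err != nil {
				return false
			}
			resolved, err := filepath.EvalSymlinks(filepath.Join(d.user.FullPath(file.Path), fi.Name))
			if err != nil {
				return false // dangling or unreadable link: do not expose it
			}
			rel, err := filepath.Rel(scopeRoot, resolved)
			if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
				return false
			}
		}
		// … unchanged: return true …
```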