feat: filter out-of-scope symlinks (#10)

2021-06-08 16:39:45 +03:00 · 2021-06-08 16:39:45 +03:00 · 372b1f00ed
parent 9e52e0cb7a
commit 372b1f00ed
2 changed files with 17 additions and 1 deletions
--- a/files/listing.go
+++ b/files/listing.go
@ -109,6 +109,8 @@ func (l byModified) Less(i, j int) bool {
 	return iModified.Sub(jModified) < 0
 }

+// FilterItems only includes items that return true when
+// ran through the provided function
 func (l *Listing) FilterItems(fn func(fi *FileInfo) bool) {
 	filtered := []*FileInfo{}
 	for _, item := range l.Items {
--- a/http/resource.go
+++ b/http/resource.go
@ -52,8 +52,22 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
 		file.Listing.Sorting = d.user.Sorting
 		file.Listing.ApplySort()
 		file.Listing.FilterItems(func(fi *files.FileInfo) bool {
+			// remove files that should be hidden
 			_, exists := d.server.HiddenFiles[fi.Name]
-			return !exists
+			if exists {
+				return false
+			}
+
+			// remove symlinks that link outside base path
+			if fi.IsSymlink {
+				fullLinkTarget := filepath.Join(d.user.FullPath(file.Path), fi.Link)
+				scopedLinkTarget := d.user.FullPath(filepath.Join(file.Path, fi.Link))
+				if fullLinkTarget != scopedLinkTarget {
+					return false
+				}
+			}
+
+			return true
 		})
 		return renderJSON(w, r, file)
 	}