fix: validate resource file paths in ui middleware

This commit is contained in:
Stavros
2025-08-25 22:31:57 +03:00
parent cb8022af91
commit 03af18fd15


@@ -4,6 +4,7 @@ import (
"io/fs"
"net/http"
"os"
"path/filepath"
"strings"
"tinyauth/internal/assets"
@@ -52,7 +53,15 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
c.Next()
return
case "resources":
_, err := os.Stat(m.Config.ResourcesDir + strings.TrimPrefix(c.Request.URL.Path, "/resources/"))
requestFilePath := m.Config.ResourcesDir + strings.TrimPrefix(c.Request.URL.Path, "/resources/")
if !filepath.IsLocal(requestFilePath) {
c.Status(404)
c.Abort()
return
}
_, err := os.Stat(requestFilePath)
if os.IsNotExist(err) {
c.Status(404)