From 009cd8f654c4e316d89cc46c8ebf42ea7f5a5bf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Borna=20Rajkovi=C4=87?=
Date: Sun, 7 Jan 2024 20:23:15 +0100
Subject: [PATCH] Fixed issue with relative paths leaving parent folder

---
 api/api.go | 23 +++++++++++++++++++++++
 api/middleware.go | 2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/api/api.go b/api/api.go
index c3aa5b3..c39c2b4 100644
--- a/api/api.go
+++ b/api/api.go
@@ -53,6 +53,10 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
 c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
 return
 }
+ if !isValidPath(request.Path) {
+ c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+ return
+ }
 content, err := base64.StdEncoding.DecodeString(request.Content)
 if err != nil {
 c.AbortWithStatusJSON(400, gin.H{"error": "bad request"})
@@ -83,6 +87,13 @@ func HandleUpload(resourceManager resource.Manager) gin.HandlerFunc {
 }
 }
 
+func isValidPath(currentPath string) bool {
+ if strings.HasPrefix(currentPath, "../") || strings.Contains(currentPath, "/../") {
+ return false
+ }
+ return true
+}
+
 func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
 return func(c *gin.Context) {
 from := c.Query("from")
@@ -103,6 +114,10 @@ func HandleCopy(resourceManager resource.Manager) gin.HandlerFunc {
 func HandlePresign(resourceManager resource.Manager) gin.HandlerFunc {
 return func(c *gin.Context) {
 path := c.Query("path")
+ if !isValidPath(path) {
+ c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+ return
+ }
 url, err := resourceManager.Presign(c, path)
 if err != nil {
 c.AbortWithStatus(404)
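Review bot: isValidPath in the second hunk only matches the literal substrings `../` at the start and `/../` in the middle, so a path that is exactly `..`, ends in `/..` (such as `a/..`), or is written as `./../x` or with a backslash separator (`..\x`) passes it, and since the same helper guards HandlePresign, HandleDownload and HandleDelete in the later hunks every endpoint inherits the gap. Normalising with `path.Clean` and then testing the resolved prefix closes these cases in one place (the `path` import is needed); whether an absolute path must also be rejected depends on how resource.Manager joins the path onto its root, which is not visible here. As far as the hunks show, HandleCopy's `from` and `to` query parameters are not wrapped by this patch and presumably deserve the same check. The error string repeated in four handlers could be one constant declared next to the helper.
```go
func isValidPath(currentPath string) bool {
	// Judge the resolved form, not substrings: "a/..", "..", "./../x"
	// and "a/../../x" all normalise to something starting with "..".
	if path.IsAbs(currentPath) {
		return false
	}
	cleaned := path.Clean(currentPath)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return false
	}
	// path.Clean does not treat backslashes as separators; reject them
	// rather than let a Windows-style "..\x" through.
	return !strings.Contains(currentPath, `\`)
}
```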
@@ -126,6 +141,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
 } else {
 path = c.Query("path")
 }
+ if !isValidPath(path) {
+ c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+ return
+ }
 log.Printf("Downloading '%s'...", path)
 data, err := resourceManager.Download(c, path)
 if err == nil {
@@ -141,6 +160,10 @@ func HandleDownload(resourceManager resource.Manager) gin.HandlerFunc {
 func HandleDelete(resourceManager resource.Manager) gin.HandlerFunc {
 return func(c *gin.Context) {
 path := c.Query("path")
+ if !isValidPath(path) {
+ c.AbortWithStatusJSON(400, gin.H{"error": "path cannot start with ../ or contain /../"})
+ return
+ }
 log.Printf("Deleting '%s'...", path)
 if err := resourceManager.Delete(path); err != nil {
 _ = c.AbortWithError(400, err)
diff --git a/api/middleware.go b/api/middleware.go
index 2b9bac0..aabea23 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -53,7 +53,7 @@ func Secure(types ...security.Type) gin.HandlerFunc {
 if !exists {
 abort(c, nil, http.StatusUnauthorized, "missing auth")
 } else {
- securityType := security.Type(value.(string))
+ securityType := value.(security.Type)
 for _, t := range types {
 if t == securityType {
 return
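Review bot: The single-value assertion `value.(security.Type)` in the middleware hunk panics if whatever stored the value under this key put a plain string there (the old code's assumption) or any other type, so a type mismatch in an authorization check becomes a crash or, if gin's Recovery middleware is installed, a 500 rather than a 401. The two-value form lets the mismatch be handled like the missing-value case: `securityType, ok := value.(security.Type)` followed by `if !ok { abort(c, nil, http.StatusUnauthorized, "missing auth") }` before the `for` loop, although whether abort stops the handler or the loop must also be skipped depends on abort's body, which is not in the hunk. Secure's body continues outside the hunk.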