
Fix code scanning alert no. 12: Uncontrolled data used in path expres…
…sion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
dadav and github-advanced-security[bot] authored Dec 24, 2024
1 parent eb7a8bc commit b30d076
Showing 1 changed file with 8 additions and 0 deletions.
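--- a/internal/v3/api/release.go
+++ b/internal/v3/api/release.go
@@ -121,6 +121,14 @@ func (s *ReleaseOperationsApi) GetFile(ctx context.Context, filename string) (ge
 }), nil
 }
 
+// Validate the filename to ensure it does not contain any path separators or parent directory references
+if strings.Contains(filename, "/") || strings.Contains(filename, "\\") || strings.Contains(filename, "..") {
+return gen.Response(400, gen.GetFile400Response{
+Message: "Invalid filename",
+Errors: []string{"filename contains invalid characters"},
+}), nil
+}
+
 releaseSlug := strings.TrimSuffix(filename, ".tar.gz")
 if !utils.CheckReleaseSlug(releaseSlug) {
 return gen.Response(400, gen.GetFile400Response{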
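Review bot: The new guard `if strings.Contains(filename, "/") || strings.Contains(filename, "\\") || strings.Contains(filename, "..")` is a denylist: it blocks separators and traversal, but still lets through an empty filename and a bare `.`, and whether those are harmless depends on how the path is assembled further down, outside this hunk. A positive check such as `if filename == "" || filename != filepath.Base(filename) || strings.ContainsAny(filename, `/\`) || strings.Contains(filename, "..") {` is tighter and folds the two separator calls into one (it needs `path/filepath` in the import block, which is not visible here), and `utils.CheckReleaseSlug` on the following lines should be treated as the authoritative allowlist rather than relying on these substring checks alone. The reply text `"filename contains invalid characters"` misdescribes the `..` case; `"filename must not contain path separators or '..'"` would be precise. GetFile begins before this hunk and its body continues after it.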
