Clean file path from tar archive (#1027)

aad68011 · Nemanja Zbiljić · GitHub · 268c615e · aad68011 · aad68011
Commit aad68011 authored Dec 08, 2020 by Nemanja Zbiljić Committed by GitHub Dec 08, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 2 deletions

dirs.go pkg/api/dirs.go +12 -1

dirs_test.go pkg/api/dirs_test.go +34 -1

No files found.
--- a/pkg/api/dirs.go
+++ b/pkg/api/dirs.go
@@ -15,6 +15,7 @@ import (
 	"mime"
 	"net/http"
 	"path/filepath"
+	"runtime"
 	"strings"

 	"github.com/ethersphere/bee/pkg/collection/entry"
@@ -129,7 +130,17 @@ func storeDir(ctx context.Context, reader io.ReadCloser, log logging.Logger, p p
 			return swarm.ZeroAddress, fmt.Errorf("read tar stream: %w", err)
 		}

-		filePath := fileHeader.Name
+		filePath := filepath.Clean(fileHeader.Name)
+
+		if filePath == "." {
+			logger.Warning("skipping file upload empty path")
+			continue
+		}
+
+		if runtime.GOOS == "windows" {
+			// always use Unix path separator
+			filePath = filepath.ToSlash(filePath)
+		}

 		// only store regular files
 		if !fileHeader.FileInfo().Mode().IsRegular() {

--- a/pkg/api/dirs_test.go
+++ b/pkg/api/dirs_test.go
@@ -226,6 +226,33 @@ func TestDirs(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid archive paths",
+			files: []f{
+				{
+					data:      []byte("<h1>Swarm"),
+					name:      "index.html",
+					dir:       "",
+					filePath:  "./index.html",
+					reference: swarm.MustParseHexAddress("bcb1bfe15c36f1a529a241f4d0c593e5648aa6d40859790894c6facb41a6ef28"),
+				},
+				{
+					data:      []byte("body {}"),
+					name:      "app.css",
+					dir:       "",
+					filePath:  "./app.css",
+					reference: swarm.MustParseHexAddress("9813953280d7e02cde1efea92fe4a8fc0fdfded61e185620b43128c9b74a3e9c"),
+				},
+				{
+					data: []byte(`User-agent: *
+Disallow: /`),
+					name:      "robots.txt",
+					dir:       "",
+					filePath:  "./robots.txt",
+					reference: swarm.MustParseHexAddress("84a620dcaf6b3ad25251c4b4d7097fa47266908a4664408057e07eb823a6a79e"),
+				},
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			// tar all the test case files
@@ -396,9 +423,14 @@ func tarFiles(t *testing.T, files []f) *bytes.Buffer {
 	tw := tar.NewWriter(&buf)

 	for _, file := range files {
+		filePath := path.Join(file.dir, file.name)
+		if file.filePath != "" {
+			filePath = file.filePath
+		}
+
 		// create tar header and write it
 		hdr := &tar.Header{
-			Name: path.Join(file.dir, file.name),
+			Name: filePath,
 			Mode: 0600,
 			Size: int64(len(file.data)),
 		}
@@ -425,6 +457,7 @@ type f struct {
 	data      []byte
 	name      string
 	dir       string
+	filePath  string
 	reference swarm.Address
 	header    http.Header
 }