Prevent directory traversal

factorial-io · Feb 25, 2025 · 1ff293b · 1ff293b
1 parent a38d919
commit 1ff293b
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/results_disk.go b/results_disk.go
@@ -15,6 +15,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"tobey/internal/collector"
 )
 
@@ -38,6 +39,22 @@ func newDiskResultReporterConfigFromDSN(dsn string) (DiskResultReporterConfig, e
 		return config, fmt.Errorf("invalid disk result reporter DSN: %w", err)
 	}
 
+	// Ensure the output directory is below the current working directory. It must
+	// not be above the current working directory, to prevent directory traversal
+	// attacks. Allow absolute paths, as long as they resolve to a directory above
+	// the current working directory.
+	wd, err := os.Getwd()
+	if err != nil {
+		return config, fmt.Errorf("invalid disk result reporter DSN: %w", err)
+	}
+	abs, err := filepath.Abs(u.Path)
+	if err != nil {
+		return config, fmt.Errorf("invalid disk result reporter DSN: %w", err)
+	}
+	if !strings.HasPrefix(abs, wd) {
+		return config, fmt.Errorf("output directory (%s) must be below the current working directory (%s)", abs, wd)
+	}
+
 	// FIXME: No windows support yet, would need to remove leading slash.
 	config.OutputDir = u.Path