| author | Xe Iaso <me@xeiaso.net> | 2025-03-03 07:28:17 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-03 12:28:17 +0000 |
| commit | 6c9c582c78ece0a9dee13d682de69555a5840aad (patch) | |
| tree | f349396392bf96046b292d4f9ca8a1658cf369c0 | |
| parent | 233435d22040b5e2ff62f00abaf8bf8d362b16cb (diff) | |
| download | x-6c9c582c78ece0a9dee13d682de69555a5840aad.tar.xz x-6c9c582c78ece0a9dee13d682de69555a5840aad.zip | |
Potential fix for code scanning alert no. 9: Uncontrolled data used in path expression (#687)
* Potential fix for code scanning alert no. 9: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Update cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| -rw-r--r-- | cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go b/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
index 7ae6011..b49f151 100644
--- a/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
+++ b/cmd/mimi/modules/discord/heic2jpeg/heic2jpeg.go
@@ -80,11 +80,29 @@ func (m *Module) heic2jpeg(s *discordgo.Session, mc *discordgo.MessageCreate) {
 	}
 	defer resp.Body.Close()
-	fname := filepath.Join(dir, filepath.Base(req.URL.Path))
-	fnameStem := strings.TrimSuffix(fname, filepath.Ext(fname))
+	baseName := filepath.Base(req.URL.Path)
+	if strings.Contains(baseName, "/") || strings.Contains(baseName, "\\") || strings.Contains(baseName, "..") {
+		s.ChannelMessageSend(mc.ChannelID, "invalid file name")
+		slog.Error("invalid file name", "file name", baseName)
+		return
+	}
+	fname := filepath.Join(dir, baseName)
+	absPath, err := filepath.Abs(fname)
+	if err != nil {
+		s.ChannelMessageSend(mc.ChannelID, "invalid file path")
+		slog.Error("invalid file path", "path", absPath)
+		return
+	}
+	relPath, err := filepath.Rel(dir, absPath)
+	if err != nil || strings.HasPrefix(relPath, "..") {
+		s.ChannelMessageSend(mc.ChannelID, "invalid file path")
+		slog.Error("invalid file path", "path", absPath)
+		return
+	}
+	fnameStem := strings.TrimSuffix(absPath, filepath.Ext(absPath))
 	fnameJPEG := fnameStem + ".jpeg"
-	fout, err := os.Create(fname)
+	fout, err := os.Create(absPath)
 	if err != nil {
 		s.ChannelMessageSend(mc.ChannelID, "failed to save image")
 		slog.Error("failed to save image", "err", err) |
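Review bot: The error branch after `filepath.Abs(fname)` logs `absPath`, which is the empty string whenever `err != nil`, and neither of the two "invalid file path" branches records the error itself, so the log line that is meant to explain a rejected upload carries no useful detail; log the input and the error instead, `slog.Error("invalid file path", "path", fname, "err", err)`, and in the `filepath.Rel` branch add `"rel", relPath` alongside `err`. The containment check itself looks sound, but `filepath.Rel` returns an error when `dir` is relative and `absPath` is absolute, so if `dir` (created outside this hunk) is ever not absolute every download will be rejected as an invalid path — worth a `filepath.Abs(dir)` up front or a comment stating that `dir` is known to be absolute. The `strings.Contains(baseName, "..")` test also rejects ordinary names such as `img..heic`; since `filepath.Base` already strips directory components and the `Rel` check below is the real guard, a comment like `// ".." substring rejection is defence in depth; the Rel check below is authoritative` would make the intent clear. heic2jpeg continues outside the hunk.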
