This repository has been archived by the owner on Jun 25, 2022. It is now read-only.

cleaning file path (#206)
to prevent path traversal outside the box
cdreier authored and markbates committed Jun 5, 2019
1 parent 53c9ca9 commit f58136c
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions v2/box.go
@@ -12,12 +12,13 @@ import (
"sort"
"strings"

"errors"

"github.com/gobuffalo/packd"
"github.com/gobuffalo/packr/v2/file"
"github.com/gobuffalo/packr/v2/file/resolver"
"github.com/gobuffalo/packr/v2/plog"
"github.com/markbates/oncer"
"errors"
)

var _ packd.Box = &Box{}
@@ -216,7 +217,7 @@ func (b *Box) Resolve(key string) (file.File, error) {

f, err := r.Resolve(b.Name, key)
if err != nil {
z := filepath.Join(resolver.OsPath(b.ResolutionDir), resolver.OsPath(key))
z := filepath.Join(resolver.OsPath(b.ResolutionDir), filepath.FromSlash(path.Clean("/"+resolver.OsPath(key))))
f, err = r.Resolve(b.Name, z)
if err != nil {
plog.Debug(r, "Resolve", "box", b.Name, "key", z, "err", err)
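Review bot: The new `z :=` line in `Resolve` applies `path.Clean` to the output of `resolver.OsPath(key)`, but `path.Clean` treats only `/` as a separator. If `OsPath` (not shown on this page) returns backslash-separated paths on Windows, `..` segments would pass through the clean untouched and `filepath.Join` could still resolve them above `b.ResolutionDir`. Normalising to forward slashes before cleaning would close that gap, e.g. `z := filepath.Join(resolver.OsPath(b.ResolutionDir), filepath.FromSlash(path.Clean("/"+strings.Replace(key, "\\", "/", -1))))`. A regression test with keys containing `../` and `..\` would pin the behaviour, and it is worth confirming that the earlier `r.Resolve(b.Name, key)` call, which still receives the raw key, cannot reach the filesystem. `Resolve` begins and ends outside this hunk.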