From 9e754b0733ce45024ac2fe0846ca899ca8a6595d Mon Sep 17 00:00:00 2001
From: Iris Lightshard <nilix@nilfm.cc>
Date: Fri, 3 May 2024 19:21:51 -0600
Subject: [PATCH] anti path traversal

---
 admin/admin.go    | 14 +++++++++++++-
 static/index.html |  2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/admin/admin.go b/admin/admin.go
index db9207f..8402423 100644
--- a/admin/admin.go
+++ b/admin/admin.go
@@ -17,6 +17,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
 )
 
 func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {
@@ -201,16 +202,23 @@ func apiUploadImg(next http.Handler, dbAdapter mongodb.DbAdapter, uploads, uploa
 		// check for filename; call create to overwrite regardless
 		// get file data from multipart form
 		header := f.File["file"][0]
+		if strings.Contains(header.Filename, "/") {
+		  w.WriteHeader(422)
+		  next.ServeHTTP(w, req)
+		  return
+		}
 		file, err := header.Open()
 		if err != nil {
 			fmt.Println(err.Error())
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		fileData, err := ioutil.ReadAll(file)
 		if err != nil {
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		// write to file
 		destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)
@@ -282,7 +290,6 @@ func apiListImages(next http.Handler, uploads string, uploadType string, udb aut
 		}
 		w.WriteHeader(422)
 		next.ServeHTTP(w, req)
-		return
 	}
 
 	return http.HandlerFunc(handlerFunc)
@@ -316,6 +323,11 @@ func apiDeleteImage(next http.Handler, uploads string, uploadType string, udb au
 				if dbAdapter.CheckTable(tableKey) {
 					// if the file exists, delete it and return 201
 					filename := urlParams["file"]
+					if strings.Contains(filename, "/") {
+					  w.WriteHeader(422)
+					  next.ServeHTTP(w, req)
+					  return
+					}
 					fullPath := filepath.Join(uploads, tableName, uploadType, filename)
 					s, err := os.Stat(fullPath)
 					if err == nil && !s.IsDir() {
diff --git a/static/index.html b/static/index.html
index 405df7e..6534341 100644
--- a/static/index.html
+++ b/static/index.html
@@ -146,7 +146,7 @@
       </form>
     </details>
     <div id="lag" style="display:none;">lag...</div>
-    <div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
+    <div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
 </nav>
 </body>
     <script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>