mirror of https://github.com/lus/pasty.git synced 2023-08-10 21:13:09 +03:00

Encode IDs in file storage driver to prevent unallowed file access

Lukas SP 2020-08-24 21:40:18 +02:00
parent 7d0c25fb2f
commit 55e65f5ecf


@ -1,6 +1,7 @@
package storage package storage
import ( import (
"encoding/base64"
"encoding/json" "encoding/json"
"github.com/Lukaesebrot/pasty/internal/env" "github.com/Lukaesebrot/pasty/internal/env"
"github.com/Lukaesebrot/pasty/internal/pastes" "github.com/Lukaesebrot/pasty/internal/pastes"
@ -28,6 +29,7 @@ func (driver *FileDriver) Terminate() error {
// Get loads a paste // Get loads a paste
func (driver *FileDriver) Get(id string) (*pastes.Paste, error) { func (driver *FileDriver) Get(id string) (*pastes.Paste, error) {
// Read the file // Read the file
id = base64.StdEncoding.EncodeToString([]byte(id))
data, err := ioutil.ReadFile(filepath.Join(driver.filePath, id+".json")) data, err := ioutil.ReadFile(filepath.Join(driver.filePath, id+".json"))
if err != nil { if err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
@ -54,7 +56,8 @@ func (driver *FileDriver) Save(paste *pastes.Paste) error {
} }
// Create the file to save the paste to // Create the file to save the paste to
file, err := os.Create(filepath.Join(driver.filePath, paste.ID+".json")) id := base64.StdEncoding.EncodeToString([]byte(paste.ID))
file, err := os.Create(filepath.Join(driver.filePath, id+".json"))
if err != nil { if err != nil {
return err return err
} }
@ -67,5 +70,6 @@ func (driver *FileDriver) Save(paste *pastes.Paste) error {
// Delete deletes a paste // Delete deletes a paste
func (driver *FileDriver) Delete(id string) error { func (driver *FileDriver) Delete(id string) error {
id = base64.StdEncoding.EncodeToString([]byte(id))
return os.Remove(filepath.Join(driver.filePath, id+".json")) return os.Remove(filepath.Join(driver.filePath, id+".json"))
} }
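Review bot: `base64.StdEncoding` can emit `/` (as well as `+` and `=`), so the encoded ID handed to `filepath.Join` in Get, Save and Delete may still contain a path separator. The encoding removes `.` and therefore blocks `..` segments, but an ID whose encoding contains `/` resolves to a nested path under `driver.filePath`, where `os.Create` fails unless that subdirectory happens to exist. Use the URL-safe alphabet in all three places, e.g. `id = base64.URLEncoding.EncodeToString([]byte(id))`, and consider bounding the ID length so that the encoded name stays within the filesystem's filename limit. Pastes written before this commit under their raw ID will presumably no longer be found by Get or Delete, so a migration or a fallback lookup may be needed. The bodies of Get and Save continue outside the visible hunks.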