all: use securejoin
Anirudh Oppiliappan 2 weeks ago 8 files (+27, -22)
appview/pages/templates/knots.html
@@ -24,6 +24,7 @@ </section><section class="mb-12"><h3 class="text-xl font-semibold mb-4">my knots</h3>+ <p>This is a list of knots</p><ul id="my-knots" class="space-y-6">{{ range .Registrations }}{{ if .Registered }}
appview/state/repo.go
@@ -6,9 +6,9 @@ "fmt""io""log""net/http"- "path/filepath""github.com/bluesky-social/indigo/atproto/identity"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/go-chi/chi/v5""github.com/sotangled/tangled/appview/auth""github.com/sotangled/tangled/appview/pages"@@ -419,7 +419,8 @@ return f.OwnerId.Handle.String()}func (f *FullyResolvedRepo) OwnerSlashRepo() string {- return filepath.Join(f.OwnerDid(), f.RepoName)+ p, _ := securejoin.SecureJoin(f.OwnerDid(), f.RepoName)+ return p}func fullyResolvedRepo(r *http.Request) (*FullyResolvedRepo, error) {
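Review bot: OwnerSlashRepo now drops SecureJoin's error (`p, _ :=`) and returns "" on failure, and SecureJoin is the wrong primitive for this value: it treats its first argument as an on-disk root, so with a DID as root it Lstat's `did:.../...` relative to the process working directory and clamps a RepoName such as `../x` to the bare DID instead of refusing it. The function builds an identifier, not a filesystem path, so a lexical check is what it needs: reject a RepoName that is `.`/`..` or contains a path separator, then `return path.Join(f.OwnerDid(), f.RepoName)` (or keep `filepath.Join` as before). If SecureJoin stays, surface its error rather than returning an empty string that downstream ACL lookups will quietly mismatch. The `fullyResolvedRepo` function whose signature ends the hunk continues outside it.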
appview/state/state.go
@@ -9,7 +9,6 @@ "encoding/json""fmt""log""net/http"- "path/filepath""strings""time"@@ -17,6 +16,7 @@ comatproto "github.com/bluesky-social/indigo/api/atproto""github.com/bluesky-social/indigo/atproto/syntax"lexutil "github.com/bluesky-social/indigo/lex/util""github.com/bluesky-social/jetstream/pkg/models"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/go-chi/chi/v5"tangled "github.com/sotangled/tangled/api/tangled""github.com/sotangled/tangled/appview"@@ -529,7 +529,8 @@ return}// acls- err = s.enforcer.AddRepo(user.Did, domain, filepath.Join(user.Did, repoName))+ p, _ := securejoin.SecureJoin(domain, repoName)+ err = s.enforcer.AddRepo(user.Did, domain, p)if err != nil {s.pages.Notice(w, "repo", "Failed to set up repository permissions.")return
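Review bot: The new AddRepo key is built from `domain` where the removed line joined `user.Did`, so the repository registered in the enforcer changes from `did/repo` to `domain/repo`; unless that is intentional it will not match the `did/repo` form the rest of this commit builds (OwnerSlashRepo in appview/state/repo.go, AddCollaborator in knotserver/routes.go), and `p, _ := securejoin.SecureJoin(user.Did, repoName)` restores the old key. The error is also discarded, so on failure a permission rule for an empty repo name is installed and the request proceeds as if it succeeded. SecureJoin additionally resolves symlinks on disk under its root, which is meaningless for an identifier string; what this call needs is a lexical check that repoName has no separator and is not `.`/`..`, with a Notice and return on failure like the line below. The enclosing handler starts and ends outside the hunk.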
cmd/repoguard/main.go
@@ -9,10 +9,10 @@ "net/http""net/url""os""os/exec"- "path/filepath""strings""time"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/sotangled/tangled/appview")@@ -79,7 +79,7 @@didOrHandle := components[0]did := resolveToDid(didOrHandle)repoName := components[1]- qualifiedRepoName := filepath.Join(did, repoName)+ qualifiedRepoName, _ := securejoin.SecureJoin(did, repoName)validCommands := map[string]bool{"git-receive-pack": true,@@ -100,8 +100,7 @@ exitWithLog("access denied: user not allowed")}}- fullPath := filepath.Join(*baseDirFlag, qualifiedRepoName)- fullPath = filepath.Clean(fullPath)+ fullPath, _ := securejoin.SecureJoin(*baseDirFlag, qualifiedRepoName)logEvent("Processing command", map[string]interface{}{"user": *incomingUser,
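Review bot: Both SecureJoin calls discard their error, so on failure qualifiedRepoName or fullPath is "" and the program continues into the access check and the git command with an empty path; each should be `name, err := securejoin.SecureJoin(...)` followed by `if err != nil { exitWithLog(...) }`. Using `did` as the root of the first join also makes SecureJoin Lstat paths relative to the process working directory and silently clamp a repoName like `../x` to the bare DID instead of refusing it; repoName comes straight from the client's SSH command, so reject it up front if it is `.`/`..` or contains a separator, and keep SecureJoin only for the `*baseDirFlag` join. Note that the access check between the hunks presumably keys on the string qualifiedRepoName while the executed fullPath is symlink-resolved, which is only equivalent while nothing under baseDir is a symlink. The enclosing function starts and ends outside the hunk.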
go.mod
@@ -10,6 +10,7 @@ github.com/bluekeyes/go-gitdiff v0.8.0github.com/bluesky-social/indigo v0.0.0-20250123072624-9e3b84fdbb20github.com/bluesky-social/jetstream v0.0.0-20241210005130-ea96859b93d1github.com/casbin/casbin/v2 v2.103.0+ github.com/cyphar/filepath-securejoin v0.3.3github.com/dustin/go-humanize v1.0.1github.com/gliderlabs/ssh v0.3.5github.com/go-chi/chi/v5 v5.2.0@@ -36,7 +37,6 @@ github.com/carlmjohnson/versioninfo v0.22.5 // indirectgithub.com/casbin/govaluate v1.3.0 // indirectgithub.com/cespare/xxhash/v2 v2.3.0 // indirectgithub.com/cloudflare/circl v1.4.0 // indirect- github.com/cyphar/filepath-securejoin v0.3.3 // indirectgithub.com/davecgh/go-spew v1.1.1 // indirectgithub.com/emirpasic/gods v1.18.1 // indirectgithub.com/felixge/httpsnoop v1.0.4 // indirect
knotserver/git.go
@@ -6,6 +6,7 @@ "io""net/http""path/filepath"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/go-chi/chi/v5""github.com/sotangled/tangled/knotserver/git/service")@@ -13,7 +14,7 @@func (d *Handle) InfoRefs(w http.ResponseWriter, r *http.Request) {did := chi.URLParam(r, "did")name := chi.URLParam(r, "name")- repo := filepath.Join(d.c.Repo.ScanPath, did, name)+ repo, _ := securejoin.SecureJoin(d.c.Repo.ScanPath, filepath.Join(did, name))w.Header().Set("content-type", "application/x-git-upload-pack-advertisement")w.WriteHeader(http.StatusOK)@@ -33,7 +34,7 @@func (d *Handle) UploadPack(w http.ResponseWriter, r *http.Request) {did := chi.URLParam(r, "did")name := chi.URLParam(r, "name")- repo := filepath.Join(d.c.Repo.ScanPath, did, name)+ repo, _ := securejoin.SecureJoin(d.c.Repo.ScanPath, filepath.Join(did, name))w.Header().Set("content-type", "application/x-git-upload-pack-result")w.Header().Set("Connection", "Keep-Alive")
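Review bot: In both InfoRefs and UploadPack the SecureJoin error is discarded, and on failure `repo` is "" — by which point the lines below have already sent a 200 status, so the client gets a success header followed by whatever the service layer does with an empty repository path. Check the error before `w.WriteHeader`, e.g. `repo, err := securejoin.SecureJoin(d.c.Repo.ScanPath, filepath.Join(did, name))` then `if err != nil { notFound(w); return }`, assuming the package-level `notFound` helper used in routes.go is the intended response here. A lexical check that `did` and `name` contain no separator and are not `.`/`..` would also be cheaper and clearer than relying on SecureJoin to clamp traversal in these URL params. Both handler bodies continue outside the hunk.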
knotserver/routes.go
@@ -14,6 +14,7 @@ "path/filepath""strconv""strings"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/gliderlabs/ssh""github.com/go-chi/chi/v5""github.com/go-git/go-git/v5/plumbing"@@ -29,7 +30,7 @@ w.Write([]byte("This is a knot, part of the wider Tangle network: https://tangled.sh"))}func (h *Handle) RepoIndex(w http.ResponseWriter, r *http.Request) {- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))l := h.l.With("path", path, "handler", "RepoIndex")gr, err := git.Open(path, "")@@ -116,7 +117,7 @@ ref := chi.URLParam(r, "ref")l := h.l.With("handler", "RepoTree", "ref", ref, "treePath", treePath)- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))gr, err := git.Open(path, ref)if err != nil {notFound(w)@@ -148,7 +149,7 @@ ref := chi.URLParam(r, "ref")l := h.l.With("handler", "FileContent", "ref", ref, "treePath", treePath)- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))gr, err := git.Open(path, ref)if err != nil {notFound(w)@@ -192,7 +193,7 @@ filename := fmt.Sprintf("%s-%s.tar.gz", name, ref)setContentDisposition(w, filename)setGZipMIME(w)- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))gr, err := git.Open(path, ref)if err != nil {notFound(w)@@ -222,7 +223,7 @@ }func (h *Handle) Log(w http.ResponseWriter, r *http.Request) {ref := chi.URLParam(r, "ref")- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))l := h.l.With("handler", "Log", "ref", ref, "path", path)@@ -288,7 +289,7 @@ ref := chi.URLParam(r, "ref")l := h.l.With("handler", "Diff", "ref", ref)- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))gr, err := git.Open(path, ref)if err != nil 
{notFound(w)@@ -312,7 +313,7 @@ return}func (h *Handle) Tags(w http.ResponseWriter, r *http.Request) {- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))l := h.l.With("handler", "Refs")gr, err := git.Open(path, "")@@ -353,7 +354,7 @@ return}func (h *Handle) Branches(w http.ResponseWriter, r *http.Request) {- path := filepath.Join(h.c.Repo.ScanPath, didPath(r))+ path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))l := h.l.With("handler", "Branches")gr, err := git.Open(path, "")@@ -445,7 +446,7 @@ did := data.Didname := data.NamerelativeRepoPath := filepath.Join(did, name)- repoPath := filepath.Join(h.c.Repo.ScanPath, relativeRepoPath)+ repoPath, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, relativeRepoPath)err := git.InitBare(repoPath)if err != nil {l.Error("initializing bare repo", "error", err.Error())@@ -522,7 +523,7 @@ return}h.jc.AddDid(data.Did)- repoName := filepath.Join(ownerDid, repo)+ repoName, _ := securejoin.SecureJoin(ownerDid, repo)if err := h.e.AddCollaborator(data.Did, ThisServer, repoName); err != nil {l.Error("adding repo collaborator", "error", err.Error())writeError(w, err.Error(), http.StatusInternalServerError)
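Review bot: Every read handler in this section ignores the SecureJoin error, so on failure `path` is "" and `git.Open("")` is attempted, while the repo-creation hunk still builds `relativeRepoPath` with a plain `filepath.Join(did, name)` from the request body, so a name of `../x` collapses to `x` and the repository is created at `ScanPath/x`, outside any DID directory, without an error. The AddCollaborator hunk has the same root-is-not-a-directory misuse as elsewhere in the commit: `securejoin.SecureJoin(ownerDid, repo)` resolves symlinks relative to the process cwd and clamps instead of rejecting. I would centralize the URL-param case in one helper that validates both components lexically and returns an error the handlers turn into `notFound(w)`, and apply the same component check to `data.Did`/`data.Name` before `git.InitBare`; the `did:` prefix check below assumes only DIDs, not handles, reach this route.

```go
// repoPath validates the did/name URL params and joins them under ScanPath.
// Callers should respond notFound(w) on error.
func (h *Handle) repoPath(r *http.Request) (string, error) {
	did := chi.URLParam(r, "did")
	name := chi.URLParam(r, "name")
	if !strings.HasPrefix(did, "did:") || strings.ContainsAny(did, `/\`) ||
		name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("invalid repository path %q/%q", did, name)
	}
	return securejoin.SecureJoin(h.c.Repo.ScanPath, filepath.Join(did, name))
}
// … unchanged: each handler then does `path, err := h.repoPath(r); if err != nil { notFound(w); return }` …
```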
knotserver/util.go
@@ -5,6 +5,7 @@ "net/http""os""path/filepath"+ securejoin "github.com/cyphar/filepath-securejoin""github.com/go-chi/chi/v5""github.com/microcosm-cc/bluemonday")@@ -16,7 +17,7 @@func didPath(r *http.Request) string {did := chi.URLParam(r, "did")name := chi.URLParam(r, "name")- path := filepath.Join(did, name)+ path, _ := securejoin.SecureJoin(did, name)filepath.Clean(path)return path}
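Review bot: The `filepath.Clean(path)` on the line after the new SecureJoin discards its return value and is a no-op, and SecureJoin with `did` as the root does not fit this function: it Lstat's `did/...` relative to the process working directory, returns just `did` for a `name` of `..` instead of failing, and its error is dropped so `path` can be "". Since didPath returns a relative identifier that callers join under ScanPath, the check it needs is lexical: reject `did` or `name` that is empty, `.`/`..` or contains a separator, then `return filepath.Join(did, name)`; changing the signature to `(string, error)` would let handlers answer 404 instead of opening an empty path. Whether `did` should additionally be required to carry the `did:` prefix depends on whether handles can reach this route, which is not visible here.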