Use paths.SafeNew when dealing with external sources

cmaglie · cmaglie · commit 258eacb00af5 · 2020-08-02T16:13:45.000+02:00
diff --git a/arduino/resources/helpers.go b/arduino/resources/helpers.go
@@ -33,7 +33,11 @@ func (r *DownloadResource) ArchivePath(downloadDir *paths.Path) (*paths.Path, er
 	}
 
 	// Filter out paths from file name
-	archiveFileName := paths.New(r.ArchiveFileName).Base()
+	archiveFile, err := paths.SafeNew(r.ArchiveFileName)
+	if err != nil {
+		return nil, errors.Errorf("invalid filename: %s", r.ArchiveFileName)
+	}
+	archiveFileName := archiveFile.Base()
 	archivePath := staging.Join(archiveFileName).Clean()
 	if archivePath.IsDir() {
 		return nil, errors.Errorf("invalid filename or exinsting directory: %s", archivePath)
diff --git a/arduino/resources/helpers_test.go b/arduino/resources/helpers_test.go
@@ -46,9 +46,11 @@ func TestResourcesSanityChecks(t *testing.T) {
 			"test.txt",
 			"/test.txt",
 			"somepath/to/test.txt",
-			"/../test.txt",
-			"some/../test.txt",
+			"/somepath/to/test.txt",
+			"path/to/../test.txt",
+			"/path/to/../test.txt",
 			"../test.txt",
+			"/../test.txt",
 		}
 		for _, testArchiveFileName := range testArchiveFileNames {
 			r := &DownloadResource{
@@ -74,13 +76,28 @@ func TestResourcesSanityChecks(t *testing.T) {
 	}
 
 	{
-		r := &DownloadResource{
-			ArchiveFileName: "..",
-			CachePath:       "cache",
+		testArchiveFileNames := []string{
+			"/",
+			".",
+			"/.",
+			"..",
+			"/..",
+			"path/..",
+			"/path/..",
+			"path/path/..",
+			"/path/path/..",
+			".." + string([]byte{0xC0, 0xAF}) + "test.txt",
+			"/.." + string([]byte{0xC0, 0xAF}) + "test.txt",
+		}
+		for _, testArchiveFileName := range testArchiveFileNames {
+			r := &DownloadResource{
+				ArchiveFileName: testArchiveFileName,
+				CachePath:       "cache",
+			}
+			archivePath, err := r.ArchivePath(tmp)
+			require.Nil(t, archivePath)
+			require.Error(t, err)
 		}
-		archivePath, err := r.ArchivePath(tmp)
-		require.Error(t, err)
-		require.Nil(t, archivePath)
 	}
 }
 
diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	bou.ke/monkey v1.0.1
 	github.com/GeertJohan/go.rice v1.0.0
 	github.com/arduino/board-discovery v0.0.0-20180823133458-1ba29327fb0c
-	github.com/arduino/go-paths-helper v1.2.0
+	github.com/arduino/go-paths-helper v1.2.1-0.20200802112116-33dcc69b14ba
 	github.com/arduino/go-properties-orderedmap v1.3.0
 	github.com/arduino/go-timeutils v0.0.0-20171220113728-d1dd9e313b1b
 	github.com/arduino/go-win32-utils v0.0.0-20180330194947-ed041402e83b
diff --git a/go.sum b/go.sum
@@ -18,6 +18,8 @@ github.com/arduino/go-paths-helper v1.0.1 h1:utYXLM2RfFlc9qp/MJTIYp3t6ux/xM6mWje
 github.com/arduino/go-paths-helper v1.0.1/go.mod h1:HpxtKph+g238EJHq4geEPv9p+gl3v5YYu35Yb+w31Ck=
 github.com/arduino/go-paths-helper v1.2.0 h1:qDW93PR5IZUN/jzO4rCtexiwF8P4OIcOmcSgAYLZfY4=
 github.com/arduino/go-paths-helper v1.2.0/go.mod h1:HpxtKph+g238EJHq4geEPv9p+gl3v5YYu35Yb+w31Ck=
+github.com/arduino/go-paths-helper v1.2.1-0.20200802112116-33dcc69b14ba h1:rQtLTpIICgc8ad2UG/A7X1F4TpKGoazBxhKR+crsf4k=
+github.com/arduino/go-paths-helper v1.2.1-0.20200802112116-33dcc69b14ba/go.mod h1:HpxtKph+g238EJHq4geEPv9p+gl3v5YYu35Yb+w31Ck=
 github.com/arduino/go-properties-orderedmap v1.3.0 h1:4No/vQopB36e7WUIk6H6TxiSEJPiMrVOCZylYmua39o=
 github.com/arduino/go-properties-orderedmap v1.3.0/go.mod h1:DKjD2VXY/NZmlingh4lSFMEYCVubfeArCsGPGDwb2yk=
 github.com/arduino/go-timeutils v0.0.0-20171220113728-d1dd9e313b1b h1:9hDi4F2st6dbLC3y4i02zFT5quS4X6iioWifGlVwfy4=
