DBT/clawgo
1
0
Fork 0
mirror of https://github.com/YspCoder/clawgo.git synced 2026-05-07 01:35:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

Harden gateway auth and file boundaries

Browse Source
This commit is contained in:
lpf
2026-03-15 15:31:00 +08:00
parent 617f7cc0f1
commit ba95aeed35
16 changed files with 587 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/tools/filesystem.go
View File

@@ -9,16 +9,31 @@ import (
)
func resolveToolPath(baseDir, path string) (string, error) {
path = strings.TrimSpace(path)
if path == "" {
return "", fmt.Errorf("path is required")
}
if filepath.IsAbs(path) {
return filepath.Clean(path), nil
return "", fmt.Errorf("absolute path is not allowed")
}
joined := path
if baseDir != "" {
return filepath.Clean(filepath.Join(baseDir, path)), nil
joined = filepath.Join(baseDir, path)
}
abs, err := filepath.Abs(path)
abs, err := filepath.Abs(joined)
if err != nil {
return "", fmt.Errorf("failed to resolve path: %w", err)
}
if baseDir != "" {
absBase, err := filepath.Abs(baseDir)
if err != nil {
return "", fmt.Errorf("failed to resolve base path: %w", err)
}
rel, err := filepath.Rel(absBase, abs)
if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
return "", fmt.Errorf("path escapes allowed directory")
}
}
return abs, nil
}