fix: enhance file path security

- Add file path validation to prevent directory traversal attacks - Clean and normalize file paths - Convert relative paths to absolute paths - Add better error messages for invalid paths - Fix G304 (CWE-22) security issue
davidhoo · Jan 7, 2025 · 590656e · 590656e
1 parent 6f7d9d0
commit 590656e
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/cmd/jp/main.go b/cmd/jp/main.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"unicode"
@@ -379,7 +380,23 @@ func readInput(file string) (string, error) {
 	if file == "" {
 		input, err = io.ReadAll(os.Stdin)
 	} else {
-		input, err = os.ReadFile(file)
+		// 验证文件路径
+		cleanPath := filepath.Clean(file)
+		if !filepath.IsAbs(cleanPath) {
+			// 如果是相对路径，转换为绝对路径
+			cleanPath, err = filepath.Abs(cleanPath)
+			if err != nil {
+				return "", fmt.Errorf("%s: %v", errorColor("error processing file path"), err)
+			}
+		}
+
+		// 检查路径是否包含 .. 序列
+		if strings.Contains(cleanPath, "..") {
+			return "", fmt.Errorf("%s: path contains parent directory reference", errorColor("error: invalid path"))
+		}
+
+		// 读取文件
+		input, err = os.ReadFile(cleanPath)
 	}
 	if err != nil {
 		return "", fmt.Errorf("%s: %v", errorColor("error reading input"), err)