Commit 397ae85c authored by Jacob Vosmaer's avatar Jacob Vosmaer

Remove path traversal check

The Golang net/http HTTP server will not pass URLs with '/../' in
them to our code (see http://golang.org/pkg/net/http/#ServeMux ).
parent 84164aac
...@@ -150,25 +150,26 @@ func gitHandler(w http.ResponseWriter, r *http.Request) { ...@@ -150,25 +150,26 @@ func gitHandler(w http.ResponseWriter, r *http.Request) {
// Don't hog a TCP connection in CLOSE_WAIT, we can already close it now // Don't hog a TCP connection in CLOSE_WAIT, we can already close it now
authResponse.Body.Close() authResponse.Body.Close()
// Validate the path to the Git repository // About path traversal: the Go net/http HTTP server, or
foundPath := strings.TrimSuffix(r.URL.Path, g.suffix) // rather ServeMux, makes the following promise: "ServeMux
if !validPath(foundPath) { // also takes care of sanitizing the URL request path, redirecting
// any request containing . or .. elements to an equivalent
// .- and ..-free URL.". In other words, we may assume that
// r.URL.Path does not contain '/../', so there is no possibility
// of path traversal here.
repoPath := path.Join(repoRoot, strings.TrimSuffix(r.URL.Path, g.suffix))
if !looksLikeRepo(repoPath) {
http.Error(w, "Not Found", 404) http.Error(w, "Not Found", 404)
return return
} }
g.handleFunc(env, g.rpc, path.Join(repoRoot, foundPath), w, r) g.handleFunc(env, g.rpc, repoPath, w, r)
} }
func validPath(p string) bool { func looksLikeRepo(p string) bool {
if strings.Contains(p, "/../") {
log.Printf("path traversal detected in %s", p)
return false
}
// If /path/to/foo.git/objects exists then let's assume it is a valid Git // If /path/to/foo.git/objects exists then let's assume it is a valid Git
// repository. // repository.
if _, err := os.Stat(path.Join(repoRoot, p, "objects")); err != nil { if _, err := os.Stat(path.Join(p, "objects")); err != nil {
log.Print(err) log.Print(err)
return false return false
} }
......