highperfocused/nak
1
0
Fork 0
mirror of https://github.com/fiatjaf/nak.git synced 2026-06-04 09:41:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

nsite: fix path traversal vulnerability in download command.

Browse Source
This commit is contained in:
Yasuhiro Matsumoto
2026-05-05 21:19:17 +09:00
parent a152d7f633
commit 187842214e
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nsite.go
View File

@@ -273,7 +273,11 @@ var nsite = &cli.Command{
signer := keyer.NewReadOnlySigner(pk)
for path, hash := range mnf.Paths {
fullPath := filepath.Join(outputDir, filepath.FromSlash(strings.TrimPrefix(path, "/")))
relPath := strings.TrimPrefix(path, "/")
if !filepath.IsLocal(relPath) {
return fmt.Errorf("manifest path %q escapes output directory", path)
}
fullPath := filepath.Join(outputDir, filepath.FromSlash(relPath))
if err := os.MkdirAll(filepath.Dir(fullPath), 0o755); err != nil {
return fmt.Errorf("failed to create %s: %w", filepath.Dir(fullPath), err)
}