Merge pull request #128 from mattn/fix/nsite-path-traversal

nsite: fix path traversal vulnerability in download command
2026-06-04 01:31:12 +02:00 · 2026-05-05 21:39:55 +09:00
parent 405be6efa9 187842214e
commit d0e719fb93
1 changed files with 5 additions and 1 deletions
--- a/nsite.go
+++ b/nsite.go
@@ -273,7 +273,11 @@ var nsite = &cli.Command{
 				signer := keyer.NewReadOnlySigner(pk)

 				for path, hash := range mnf.Paths {
-					fullPath := filepath.Join(outputDir, filepath.FromSlash(strings.TrimPrefix(path, "/")))
+					relPath := strings.TrimPrefix(path, "/")
+					if !filepath.IsLocal(relPath) {
+						return fmt.Errorf("manifest path %q escapes output directory", path)
+					}
+					fullPath := filepath.Join(outputDir, filepath.FromSlash(relPath))
 					if err := os.MkdirAll(filepath.Dir(fullPath), 0o755); err != nil {
 						return fmt.Errorf("failed to create %s: %w", filepath.Dir(fullPath), err)
 					}