chore: set more explicit guards for serving bin files (#19597)

Jon Ayers
2025-08-27 19:12:05 -07:00
committed by GitHub
parent 0f1fc88d5a
commit be40b8ca3e
+10
@@ -1018,6 +1018,16 @@ func newBinMetadataCache(binFS http.FileSystem, binSha1Hashes map[string]string)
}
func (b *binMetadataCache) getMetadata(name string) (binMetadata, error) {
// Reject any invalid or non-basename paths before touching the filesystem.
if name == "" ||
name == "." ||
strings.Contains(name, "/") ||
strings.Contains(name, "\\") ||
!fs.ValidPath(name) ||
path.Base(name) != name {
return binMetadata{}, os.ErrNotExist
}
b.mut.RLock()
metadata, ok := b.metadata[name]
b.mut.RUnlock()
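Review bot: The guard at the top of getMetadata chains six conditions, but its comment does not say why the overlapping ones are there, so a later cleanup could drop one that matters. `fs.ValidPath` accepts "." (the root) and does not treat a backslash as a separator, so those two clauses are load-bearing, whereas `path.Base(name) != name` can no longer be true once the empty-string and "/" checks have passed and is kept only as defence in depth. I would record that in the comment, e.g. `// fs.ValidPath accepts "." and does not treat '\\' as a separator, so both are rejected explicitly; the path.Base check is a redundant backstop.` The page shows only these ten added lines, so a table-driven test over rejected names (empty, ".", "..", names containing either separator) appears to be missing and would pin the behaviour. getMetadata's body continues outside the hunk.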