From be40b8ca3e44bbc6677d4a8a791bfdcf626af83f Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Wed, 27 Aug 2025 19:12:05 -0700
Subject: [PATCH] chore: set more explicit guards for serving bin files (#19597)

---
 site/site.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/site/site.go b/site/site.go
index e2a0d408e7..d15439b264 100644
--- a/site/site.go
+++ b/site/site.go
@@ -1018,6 +1018,16 @@ func newBinMetadataCache(binFS http.FileSystem, binSha1Hashes map[string]string)
 }
 
 func (b *binMetadataCache) getMetadata(name string) (binMetadata, error) {
+	// Reject any invalid or non-basename paths before touching the filesystem.
+	if name == "" ||
+		name == "." ||
+		strings.Contains(name, "/") ||
+		strings.Contains(name, "\\") ||
+		!fs.ValidPath(name) ||
+		path.Base(name) != name {
+		return binMetadata{}, os.ErrNotExist
+	}
+
 	b.mut.RLock()
 	metadata, ok := b.metadata[name]
 	b.mut.RUnlock()
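Review bot: The six conditions in the new guard overlap — once `/` is excluded, `path.Base(name) != name` can never hold and `name == ""` is already rejected by `fs.ValidPath` — so the comment should say which checks are load-bearing, or a later cleanup may drop the wrong ones. The two that matter beyond `fs.ValidPath` are `name == "."` (ValidPath accepts it as the root name) and the backslash check (ValidPath does not reject `\`, which an OS-backed `http.FileSystem` may treat as a separator on Windows); I'd extend the comment to `// Reject anything that is not a plain basename before touching the filesystem. fs.ValidPath alone is not enough: it accepts "." and does not reject "\\".` The diffstat shows only site.go changed, so nothing pins the new rejections; a table test over `""`, `"."`, `".."`, `"a/b"`, `"a\\b"` asserting `errors.Is(err, os.ErrNotExist)` would. getMetadata's body continues past the end of the hunk.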