From 1e6331563414a6f62cd542e7736bb3f628345ae7 Mon Sep 17 00:00:00 2001
From: guochao
Date: Wed, 18 Dec 2024 17:08:47 +0800
Subject: [PATCH] check local path boundary
---
 cmd/proxy/main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go
index 7324644..d2d18e6 100644
--- a/cmd/proxy/main.go
+++ b/cmd/proxy/main.go
@@ -160,6 +160,14 @@ func configFromFile(path string) (*Config, error) {
 return nil, err
 }

+ if config.Storage.Local != nil {
+ localPath, err := filepath.Abs(config.Storage.Local.Path)
+ if err != nil {
+ return nil, err
+ }
+ config.Storage.Local.Path = localPath
+ }
+
 return config, nil
 }

@@ -170,6 +178,10 @@ func (server *Server) handleRequest(w http.ResponseWriter, r *http.Request) {
 http.Error(w, err.Error(), http.StatusBadRequest)
 return
 }
+ if !strings.HasPrefix(fullpath, server.Storage.Local.Path) {
+ http.Error(w, "crossing local directory boundary", http.StatusBadRequest)
+ return
+ }

 ranged := r.Header.Get("Range") != ""

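Review bot: `filepath.Abs("")` returns the process working directory, so in the block added to configFromFile a local storage section with an empty or missing path silently makes the current directory the storage root that the boundary check in handleRequest then trusts. Reject that case before normalising, for example `if config.Storage.Local.Path == "" { return nil, errors.New("local storage path is empty") }` (this needs `errors` in scope, which the hunk does not show). `filepath.Abs` is also purely lexical and does not resolve symlinks, so a comment such as `// Path is made absolute and cleaned but not symlink-resolved; the boundary check in handleRequest is lexical only.` would tell the next reader what the boundary actually guarantees. The function starts outside the hunk.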
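Review bot: The added `strings.HasPrefix(fullpath, server.Storage.Local.Path)` check in handleRequest compares strings rather than path components, so with a root of `/srv/cache` (constructed example) a sibling path such as `/srv/cache-old/x` still passes. Because `filepath.Abs` returns a cleaned root with no trailing separator, that sibling-directory case is always open. Compare on a separator boundary instead: `root := server.Storage.Local.Path` followed by `if fullpath != root && !strings.HasPrefix(fullpath, root+string(filepath.Separator)) {`, or use `filepath.Rel` and reject a result that is `..` or begins with `..` plus a separator. The line also dereferences `server.Storage.Local` unconditionally while configFromFile treats it as optional, so unless a guard outside this hunk covers it, a non-local storage configuration would panic here. How `fullpath` is built is not visible in the hunk; the check only holds if it is absolute and cleaned, and it does not account for symlinks inside the root.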