handle sub routes #17

darkoatanasovski · 2025-12-21T21:13:19Z

No description provided.

cmd/main.go


-		fs.ServeHTTP(w, r)
+		// Check if exact file exists (e.g., /favicon.ico, /_next/static/...)
+		if info, err := os.Stat(resolvedPath); err == nil && !info.IsDir() {


cmd/main.go

-		fs.ServeHTTP(w, r)
+		// Check if exact file exists (e.g., /favicon.ico, /_next/static/...)
+		if info, err := os.Stat(resolvedPath); err == nil && !info.IsDir() {
+			http.ServeFile(w, r, resolvedPath)


cmd/main.go

+				http.Error(w, "Invalid path", http.StatusBadRequest)
+				return
+			}
+			if info, err := os.Stat(htmlPathAbs); err == nil && !info.IsDir() {


cmd/main.go

+				return
+			}
+			if info, err := os.Stat(htmlPathAbs); err == nil && !info.IsDir() {
+				http.ServeFile(w, r, htmlPathAbs)


cmd/main.go

+				http.Error(w, "Invalid path", http.StatusBadRequest)
+				return
+			}
+			if info, err := os.Stat(indexPathAbs); err == nil && !info.IsDir() {


cmd/main.go

+				return
+			}
+			if info, err := os.Stat(indexPathAbs); err == nil && !info.IsDir() {
+				http.ServeFile(w, r, indexPathAbs)


In general, the problem is that a file path derived from r.URL.Path is used in http.ServeFile after only a custom validation that the analyzer does not fully trust. The fix is to (a) make the path validation clearly and robustly constrain paths to live under a configured static root, and (b) ensure every path passed to http.ServeFile or other file operations is validated using that function. This addresses real traversal risk and also helps CodeQL recognize that tainted data is sanitized before reaching the sink.

The single best fix here, without changing functionality, is:

Strengthen isPathWithinRoot to operate in a clearly “relative to root” manner by:

Cleaning the root path and turning it into an absolute path.

Cleaning the candidate path, joining it to the absolute root if it is not already absolute, and then resolving that to an absolute path.

Returning the resolved candidate only if it is equal to the root or has the root as a directory prefix (using absRoot + string(os.PathSeparator)).

This keeps the same logical behavior (candidate must be within root) but makes the sanitizer clearer and less dependent on how the candidate was built earlier.

Use isPathWithinRoot for the final index.html fallback as well, to maintain consistent protection and to make sure every served path is checked. Currently:

resolvedPath is validated.

htmlPathAbs and indexPathAbs are validated.

The final indexPath := filepath.Join(staticRoot, "index.html") is used directly in http.ServeFile without validation. While this particular path is constant and safe, reusing isPathWithinRoot there tightens the pattern and can help the analyzer understand that all ServeFile calls are guarded.

Concretely:

In cmd/main.go, update isPathWithinRoot (lines 23–36) to:

Clean and absolutize the root.

Clean the candidate, and if candidate is not absolute, join it with absRoot.

Absolutize the resulting candidate and perform the prefix check.

Near the bottom (lines 157–159), replace the direct join and ServeFile with:

Compute indexPath := filepath.Join(staticRoot, "index.html").

Pass it through isPathWithinRoot(staticRoot, indexPath) and handle the ok flag.

Use the validated indexPathAbs for http.ServeFile.

No new imports are needed; we reuse os, filepath, and strings that are already imported.

handle sub routes

3fb6c6a

github-advanced-security bot found potential problems Dec 21, 2025

View reviewed changes

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

github-advanced-security bot found potential problems Dec 21, 2025

View reviewed changes

cmd/main.go Fixed Show fixed Hide fixed

github-advanced-security bot found potential problems Dec 21, 2025

View reviewed changes

cmd/main.go Fixed Show fixed Hide fixed

cmd/main.go Fixed Show fixed Hide fixed

github-advanced-security bot found potential problems Dec 21, 2025

View reviewed changes

darkoatanasovski force-pushed the improve-workflows branch from 54d3621 to 3fb6c6a Compare December 21, 2025 21:28

darkoatanasovski merged commit 1cf60da into master Dec 21, 2025
7 of 8 checks passed

darkoatanasovski deleted the improve-workflows branch December 21, 2025 21:28

@@ -19,17 +19,29 @@
             	"github.com/tikv/client-go/v2/rawkv"
             )
-            // isPathWithinRoot returns true if candidate is the same as root or a descendant of it.
+            // isPathWithinRoot returns the absolute candidate path and true if it is the same as root or a descendant of it.
             func isPathWithinRoot(root, candidate string) (string, bool) {
+            	// Normalize and absolutize the root directory.
             	cleanRoot := filepath.Clean(root)
             	absRoot, err := filepath.Abs(cleanRoot)
             	if err != nil {
             		return "", false
             	}
-            	absCandidate, err := filepath.Abs(candidate)
+            	// Normalize the candidate path.
+            	cleanCandidate := filepath.Clean(candidate)
+            	// If candidate is not absolute, interpret it as relative to absRoot.
+            	if !filepath.IsAbs(cleanCandidate) {
+            		cleanCandidate = filepath.Join(absRoot, cleanCandidate)
+            	}
+            	absCandidate, err := filepath.Abs(cleanCandidate)
             	if err != nil {
             		return "", false
             	}
+            	// Candidate must be equal to root or reside within it.
             	if absCandidate == absRoot || strings.HasPrefix(absCandidate, absRoot+string(os.PathSeparator)) {
             		return absCandidate, true
             	}
@@ -156,7 +159,12 @@
             		// Default: serve index.html (home page or SPA fallback)
             		indexPath := filepath.Join(staticRoot, "index.html")
-            		http.ServeFile(w, r, indexPath)
+            		indexPathAbs, ok := isPathWithinRoot(staticRoot, indexPath)
+            		if !ok {
+            			http.Error(w, "Invalid path", http.StatusBadRequest)
+            			return
+            		}
+            		http.ServeFile(w, r, indexPathAbs)
             	})
             	port := os.Getenv("PORT")
             	if port == "" {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

handle sub routes #17

handle sub routes #17

Uh oh!

darkoatanasovski commented Dec 21, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

handle sub routes #17

handle sub routes #17

Uh oh!

Conversation

darkoatanasovski commented Dec 21, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants