From e5e8dd90dd94406c8656a0558acf7cdd14e2725c Mon Sep 17 00:00:00 2001 From: Zeroday BYTE Date: Thu, 17 Jul 2025 13:49:46 +0700 Subject: [PATCH 1/2] Update driver.go Signed-off-by: Zeroday BYTE --- drivers/local/driver.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/local/driver.go b/drivers/local/driver.go index 39c571dda..b117c9466 100644 --- a/drivers/local/driver.go +++ b/drivers/local/driver.go @@ -251,6 +251,10 @@ func (d *Local) Link(ctx context.Context, file model.Obj, args model.LinkArgs) ( } func (d *Local) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) error { + // Validate dirName to ensure it does not contain invalid characters + if strings.Contains(dirName, "/") || strings.Contains(dirName, "\\") || strings.Contains(dirName, "..") { + return fmt.Errorf("invalid directory name: %s", dirName) + } fullPath := filepath.Join(parentDir.GetPath(), dirName) err := os.MkdirAll(fullPath, os.FileMode(d.mkdirPerm)) if err != nil { From 443fbd2753834d2f6266e19ebcb116fca136f86b Mon Sep 17 00:00:00 2001 From: Zeroday BYTE Date: Thu, 17 Jul 2025 14:57:25 +0700 Subject: [PATCH 2/2] Update drivers/local/driver.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Zeroday BYTE --- drivers/local/driver.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/local/driver.go b/drivers/local/driver.go index b117c9466..f03e040c1 100644 --- a/drivers/local/driver.go +++ b/drivers/local/driver.go @@ -252,8 +252,8 @@ func (d *Local) Link(ctx context.Context, file model.Obj, args model.LinkArgs) ( func (d *Local) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) error { // Validate dirName to ensure it does not contain invalid characters - if strings.Contains(dirName, "/") || strings.Contains(dirName, "\\") || strings.Contains(dirName, "..") { - return fmt.Errorf("invalid directory name: %s", dirName) + if filepath.Base(dirName) != dirName { + return fmt.Errorf("invalid directory name: %q", dirName) } fullPath := filepath.Join(parentDir.GetPath(), dirName) err := os.MkdirAll(fullPath, os.FileMode(d.mkdirPerm))