Merge pull request projectdiscovery#35 from projectdiscovery/feature-sandbox
Adding pseudo-sandbox mode
Showing
7 changed files
with
155 additions
and
7 deletions.
@@ -0,0 +1,57 @@ | ||
package httpserver | ||
|
||
import ( | ||
"errors" | ||
"net/http" | ||
"path/filepath" | ||
) | ||
|
||
// SandboxFileSystem implements superbasic security checks | ||
type SandboxFileSystem struct { | ||
fs http.FileSystem | ||
RootFolder string | ||
} | ||
|
||
// Open performs basic security checks before providing folder/file content | ||
func (sbfs SandboxFileSystem) Open(path string) (http.File, error) { | ||
abspath, err := filepath.Abs(filepath.Join(sbfs.RootFolder, path)) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
filename := filepath.Base(abspath) | ||
// rejects names starting with a dot like .file | ||
dotmatch, err := filepath.Match(".*", filename) | ||
if err != nil { | ||
return nil, err | ||
} else if dotmatch { | ||
return nil, errors.New("invalid file") | ||
} | ||
|
||
// reject symlinks | ||
symlinkCheck, err := filepath.EvalSymlinks(abspath) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if symlinkCheck != abspath { | ||
return nil, errors.New("symlinks not allowed") | ||
} | ||
|
||
// check if the path is within the configured folder | ||
if sbfs.RootFolder != abspath { | ||
pattern := sbfs.RootFolder + string(filepath.Separator) + "*" | ||
matched, err := filepath.Match(pattern, abspath) | ||
if err != nil { | ||
return nil, err | ||
} else if !matched { | ||
return nil, errors.New("invalid file") | ||
} | ||
} | ||
|
||
f, err := sbfs.fs.Open(path) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return f, nil | ||
} |
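Review bot: The containment check built at `pattern := sbfs.RootFolder + string(filepath.Separator) + "*"` does not enforce what the comment says: `filepath.Match`'s `*` never matches a path separator, so any file in a subdirectory of the root is rejected with "invalid file", and glob metacharacters (`*`, `?`, `[`) inside RootFolder are read as pattern syntax rather than literally. The comparison also mixes the raw `sbfs.RootFolder` with the absolute `abspath`; if the caller passes a relative root (not visible here) the `!=` branch is always taken and the pattern can never match. A prefix test against a root that has itself been made absolute is the usual form (it needs `strings` added to the import block). Separately, `filepath.EvalSymlinks(abspath) != abspath` rejects every request when the root directory itself sits under a symlinked parent, and because the checks are lexical tests followed by a separate Open, they remain best-effort rather than atomic.
```go
	// resolve the root once so the comparison below is absolute-vs-absolute
	root, err := filepath.Abs(sbfs.RootFolder)
	if err != nil {
		return nil, err
	}
	// check if the path is the configured folder itself or lies below it
	if abspath != root && !strings.HasPrefix(abspath, root+string(filepath.Separator)) {
		return nil, errors.New("invalid file")
	}
	// … unchanged: open via the wrapped FileSystem …
```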
@@ -1,7 +1,23 @@ | ||
package httpserver | ||
|
||
import "io/ioutil" | ||
import ( | ||
"errors" | ||
"io/ioutil" | ||
"path/filepath" | ||
"strings" | ||
) | ||
|
||
func handleUpload(base, file string, data []byte) error { | ||
// rejects all paths containing a non exhaustive list of invalid characters - This is only a best effort as the tool is meant for development | ||
if strings.ContainsAny(file, "\\`\"':") { | ||
return errors.New("invalid character") | ||
} | ||
|
||
// allow upload only in subfolders | ||
rel, err := filepath.Rel(base, file) | ||
if rel == "" || err != nil { | ||
return err | ||
} | ||
|
||
func handleUpload(file string, data []byte) error { | ||
return ioutil.WriteFile(file, data, 0655) | ||
} |
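Review bot: The subfolder guard `rel, err := filepath.Rel(base, file)` followed by `if rel == "" || err != nil` never rejects a `file` outside `base`: `filepath.Rel` returns a relative path beginning with `..` for such inputs (and `.` when `file` equals `base`), and `rel == ""` cannot occur, so the comment "allow upload only in subfolders" is not enforced and the write on the next line proceeds. Whether `file` already arrives joined under `base` is not visible in this hunk; either way the result of `Rel` should be tested, e.g. `if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return errors.New("invalid path") }`. The character blocklist on the line above does not cover separators or `..`, so it does not substitute for this check.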
@@ -0,0 +1,5 @@ | ||
package httpserver | ||
|
||
func toMb(n int) int64 { | ||
return int64(n) * 1024 * 1024 | ||
} |
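Review bot: `toMb` has no doc comment and its name reads backwards for what it computes: it converts a count of mebibytes into a byte count, not bytes into MB. Suggest `// toMb returns the size in bytes of n mebibytes (n * 1024 * 1024).` above the function, or a rename such as `mbToBytes` if its callers are part of this change. A negative `n` yields a negative byte count; if the value comes from a user-supplied flag, the caller should validate it before use.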