ADD: Check target path - Security fix

Author: jarpsimoes

README.md

@@ -11,11 +11,15 @@ selected branch (in variable REPO_BRANCH) and can be pulled new version on defin
 
 ## RELEASE NOTES: v0.0.3-alpha
 
-| Feature | Description                                       |
-|---------|---------------------------------------------------|
-| Done    | Add support to proxy redirect with HTTPS backends |
-| FIX     | Bump golang.org/x/text from 0.3.7 to 0.3.8        |
-
+| Feature | Description                                                                                                        |
+|---------|--------------------------------------------------------------------------------------------------------------------|
+| Done    | Add support to proxy redirect with HTTPS backends                                                                  |
+| FIXED   | Bump golang.org/x/text from 0.3.7 to 0.3.8                                                                         |
+| FIXED   | Bump github.com/stretchr/testify from 1.7.0 to 1.7.1                                                               |
+| FIXED   | Bump golang.org/x/sys from 0.0.0-20220209214540-3681064d5158 to 0.1.0                                              |
+| FIXED   | Bump golang.org/x/crypto from 0.0.0-20220214200702-86341886e292 to 0.1.0                                           |
+| FIXED   | Bump golang.org/x/net from 0.0.0-20220127200216-cd36cc0744dd to 0.17.0 in                                          |
+| FIXED   | Vulnerability issue Uncontrolled data used in path [Issue](https://github.com/jarpsimoes/git-http-server/issues/8) |
 
 
 ## Authentication Methods

src/utils/environment_config.go

@@ -6,6 +6,8 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"log"
 	"os"
+	"path/filepath"
+	"runtime"
 	"sync"
 	"time"
 )
@@ -51,6 +53,11 @@ var baseRouteConfigInstance *BaseRouteConfig
 var baseRepositoryConfigInstance *BaseRepositoryConfig
 var basicAuthenticationMethod *BasicAuthenticationMethod
 var healthCheckControl *HealthCheckControl
+var pathSecurityCheck *PathSecurityCheck
+var (
+	_, b, _, _ = runtime.Caller(0)
+	basePath   = filepath.Dir(b)
+)
 
 // UpdateState [HealthCheckControl] it's a function to update Status
 func (hcc *HealthCheckControl) UpdateState(status bool) {
@@ -183,9 +190,16 @@ func GetRepositoryConfigInstance() *BaseRepositoryConfig {
 				repoURL:      os.Getenv("REPO_URL"),
 				branch:       os.Getenv("REPO_BRANCH"),
 				targetFolder: os.Getenv("REPO_TARGET_FOLDER"),
-				rootFolder:   os.Getenv("FOLDER_ROOT"),
+				rootFolder:   basePath,
 			}
 
+			if pathSecurityCheck.IsValidPath(baseRepositoryConfigInstance.targetFolder) {
+				log.Printf("[BaseRepositoryConfigInstance] Target folder %v is valid", baseRepositoryConfigInstance.targetFolder)
+			} else {
+				log.Printf("[BaseRepositoryConfigInstance] Target folder %v is invalid", baseRepositoryConfigInstance.targetFolder)
+				log.Printf("[BaseRepositoryConfigInstance] Will be changed to target")
+				baseRepositoryConfigInstance.targetFolder = "target_folder"
+			}
 		}
 	}
 

src/utils/path_security_check.go

@@ -0,0 +1,61 @@
+package utils
+
+import (
+	"regexp"
+)
+
+type PathSecurityCheck struct {
+}
+
+// IsValidPath checks if the input string adheres to the specified rules.
+func (psc *PathSecurityCheck) IsValidPath(input string) bool {
+	// Rule 1: Do not allow more than a single "." character.
+	if countDots := psc.countOccurrences(input, '.'); countDots > 1 {
+		return false
+	}
+
+	if psc.containsDirectorySeparator(input) {
+		return false
+	}
+
+	allowList := []*regexp.Regexp{
+		regexp.MustCompile(`^[a-zA-Z0-9_-]+$`),                        // Alphanumeric characters, underscore, and hyphen.
+		regexp.MustCompile(`^([a-zA-Z0-9_-]+\.){0,2}[a-zA-Z0-9_-]+$`), // Allow up to two dots in the filename.
+	}
+
+	for _, pattern := range allowList {
+		if pattern.MatchString(input) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// countOccurrences counts the occurrences of a specific character in a string.
+func (psc *PathSecurityCheck) countOccurrences(s string, c byte) int {
+	count := 0
+	for i := 0; i < len(s); i++ {
+		if s[i] == c {
+			count++
+		}
+	}
+	return count
+}
+
+// containsDirectorySeparator checks if the input string contains directory separators.
+func (psc *PathSecurityCheck) containsDirectorySeparator(s string) bool {
+	return psc.containsAny(s, []byte{'/', '\\'})
+}
+
+// containsAny checks if the input string contains any of the specified characters.
+func (psc *PathSecurityCheck) containsAny(s string, chars []byte) bool {
+	for i := 0; i < len(s); i++ {
+		for _, c := range chars {
+			if s[i] == c {
+				return true
+			}
+		}
+	}
+	return false
+}

src/utils/path_security_test.go

@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"testing"
+)
+
+func TestIsValidPath(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected bool
+	}{
+		{"valid_path123", true},
+		{"invalid_path/with_slash", false},
+		{"invalid_path/with/slash", false},
+		{"invalid/path/with/slash", false},
+		{"invalid.path.with.multiple.dots", false},
+		{"another.invalid.path.with.multiple.dots", false},
+		{"valid_path_with_underscore", true},
+		{"valid-path_with-hyphen", true},
+		{"valid.path_with_underscore-hyphen", true},
+	}
+
+	pathSecurityCheck := PathSecurityCheck{}
+
+	for _, test := range tests {
+		t.Run(test.input, func(t *testing.T) {
+			result := pathSecurityCheck.IsValidPath(test.input)
+			if result != test.expected {
+				t.Errorf("Expected IsValidPath(%s) to be %v, but got %v", test.input, test.expected, result)
+			}
+		})
+	}
+}