stereo.cat/backend
2
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

sanitise file name

Browse source
This commit is contained in:
grngxd 2025-06-09 23:11:32 +01:00
parent b05135420c
commit 2b64d64f80
1 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
internal/api/routes/files.go
View file

@ -114,12 +114,31 @@ func RegisterFileRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
api.GET("/:name", func(c *gin.Context) { api.GET("/:name", func(c *gin.Context) {
name := c.Param("name") name := c.Param("name")
name = strings.TrimSpace(name)
safe := ""
for _, r := range name {
if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
(r >= '0' && r <= '9') || r == '_' || r == '.' || r == '-' {
safe += string(r)
} else {
safe += "_"
}
}
name = safe
parts := strings.SplitN(name, "_", 2) parts := strings.SplitN(name, "_", 2)
if len(parts) != 2 { if len(parts) != 2 {
c.JSON(400, gin.H{"error": "invalid file name"}) c.JSON(400, gin.H{"error": "invalid file name"})
return return
} }
uid, filename := parts[0], parts[1] uid, filename := parts[0], parts[1]
if uid == "" || filename == "" {
c.JSON(400, gin.H{"error": "invalid file name"})
return
}
path := filepath.Join(cfg.ImagePath, uid, filename) path := filepath.Join(cfg.ImagePath, uid, filename)
if _, err := os.Stat(path); err != nil { if _, err := os.Stat(path); err != nil {
c.JSON(404, gin.H{"error": "file not found"}) c.JSON(404, gin.H{"error": "file not found"})