Do not allow path parent path refs in file hook

tftp-go-team · Oct 20, 2013 · aadd5da · aadd5da
1 parent 3127ba0
commit aadd5da
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/hooks/file.go b/hooks/file.go
@@ -4,8 +4,11 @@ package hooks
 import (
 	"os"
 	"io"
+	"regexp"
 )
 
+var pathEscape = regexp.MustCompile("\\.\\.\\/")
+
 var FileHook = HookComponents{
 	func (path string) (io.ReadCloser, error) {
 		file, err := os.Open(path)
@@ -15,6 +18,6 @@ var FileHook = HookComponents{
 		return file, nil
 	},
 	func (s string) string{
-		return s
+		return pathEscape.ReplaceAllLiteralString(s, "")
 	},
 }
diff --git a/hooks/hooks_test.go b/hooks/hooks_test.go
@@ -45,6 +45,15 @@ func TestHooks(t *testing.T) {
 			"filecontents",
 			noError,
 		},
+		{
+			&config.HookDef{
+				Regexp:       ".*",
+				FileTemplate: "$0",
+			},
+			"../file_fixture.txt",
+			"filecontents",
+			noError,
+		},
 		{
 			&config.HookDef{
 				Regexp:       "^extension:(.*)$",