mirrors/Mole
1
0
Fork 0
mirror of https://github.com/tw93/Mole.git synced 2026-03-23 23:50:07 +00:00
Code Activity

security: add regression tests for validatePath with special chars

Browse Source 
- Add TestValidatePath covering Chinese, emoji, and special characters
- Add TestValidatePathWithChineseAndSpecialChars for filesystem tests
- Fix validatePath to detect .. components without rejecting valid paths

Ensures paths with $, ;, :, emoji, Chinese chars are not rejected
while still blocking path traversal attempts.
This commit is contained in:
Tw93
2026-03-14 08:26:45 +08:00
parent 951e395ab7
commit 0d2f217f28
2 changed files with 87 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/analyze/delete.go
View File

@@ -153,7 +153,7 @@ func moveToTrash(path string) error {
}
// validatePath checks path safety for external commands.
// Returns error if path is empty, relative, contains null bytes, or escapes root.
// Returns error if path is empty, relative, contains null bytes, or has traversal.
func validatePath(path string) error {
if path == "" {
return fmt.Errorf("path is empty")
@@ -164,10 +164,11 @@ func validatePath(path string) error {
if strings.Contains(path, "\x00") {
return fmt.Errorf("path contains null bytes")
}
// Ensure Clean doesn't radically alter the path (path traversal check).
clean := filepath.Clean(path)
if !strings.HasPrefix(clean, "/") {
return fmt.Errorf("path escapes root: %s", path)
// Check for path traversal attempts (.. components).
for _, component := range strings.Split(path, string(filepath.Separator)) {
if component == ".." {
return fmt.Errorf("path contains traversal components: %s", path)
}
}
return nil
}