Potential fix for code scanning alert no. 9: Uncontrolled data used in path expression

darkoatanasovski · github-advanced-security[bot] · web-flow · commit 54d3621a401d · 2025-12-21T22:25:20.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/cmd/main.go b/cmd/main.go
@@ -19,6 +19,23 @@ import (
 	"github.com/tikv/client-go/v2/rawkv"
 )
 
+// isPathWithinRoot returns true if candidate is the same as root or a descendant of it.
+func isPathWithinRoot(root, candidate string) (string, bool) {
+	cleanRoot := filepath.Clean(root)
+	absRoot, err := filepath.Abs(cleanRoot)
+	if err != nil {
+		return "", false
+	}
+	absCandidate, err := filepath.Abs(candidate)
+	if err != nil {
+		return "", false
+	}
+	if absCandidate == absRoot || strings.HasPrefix(absCandidate, absRoot+string(os.PathSeparator)) {
+		return absCandidate, true
+	}
+	return "", false
+}
+
 func main() {
 	// Read PD addresses from env: TIKV_PD_ADDRS="127.0.0.1:2379|My Cluster 1,127.0.0.1:2381;server-2.com:2379|Cluster 2"
 	pdAddrsEnv := os.Getenv("TIKV_PD_ADDRS")
@@ -78,8 +95,8 @@ func main() {
 	// In Docker, we will copy the built 'out' directory to 'public'
 	staticDir := "./public"
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		// Resolve the static directory to an absolute path
-		staticRoot, err := filepath.Abs(staticDir)
+		// Resolve the static directory to an absolute, cleaned path
+		staticRoot, err := filepath.Abs(filepath.Clean(staticDir))
 		if err != nil {
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
@@ -99,27 +116,23 @@ func main() {
 		absPath := filepath.Join(staticRoot, relPath)
 
 		// Ensure the resolved path is within staticRoot
-		absPath, err = filepath.Abs(absPath)
-		if err != nil {
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			return
-		}
-		if absPath != staticRoot && !strings.HasPrefix(absPath, staticRoot+string(os.PathSeparator)) {
+		resolvedPath, ok := isPathWithinRoot(staticRoot, absPath)
+		if !ok {
 			http.Error(w, "Invalid path", http.StatusBadRequest)
 			return
 		}
 
 		// Check if exact file exists (e.g., /favicon.ico, /_next/static/...)
-		if info, err := os.Stat(absPath); err == nil && !info.IsDir() {
-			http.ServeFile(w, r, absPath)
+		if info, err := os.Stat(resolvedPath); err == nil && !info.IsDir() {
+			http.ServeFile(w, r, resolvedPath)
 			return
 		}
 
 		// For routes like /metrics, try serving metrics.html (Next.js static export)
 		if r.URL.Path != "/" {
-			htmlPath := absPath + ".html"
-			htmlPathAbs, err := filepath.Abs(htmlPath)
-			if err != nil || !strings.HasPrefix(htmlPathAbs, staticRoot+string(os.PathSeparator)) {
+			htmlPath := resolvedPath + ".html"
+			htmlPathAbs, ok := isPathWithinRoot(staticRoot, htmlPath)
+			if !ok {
 				http.Error(w, "Invalid path", http.StatusBadRequest)
 				return
 			}
@@ -129,9 +142,9 @@ func main() {
 			}
 
 			// Also check for directory with index.html (e.g., /metrics/index.html)
-			indexPath := filepath.Join(absPath, "index.html")
-			indexPathAbs, err := filepath.Abs(indexPath)
-			if err != nil || !strings.HasPrefix(indexPathAbs, staticRoot+string(os.PathSeparator)) {
+			indexPath := filepath.Join(resolvedPath, "index.html")
+			indexPathAbs, ok := isPathWithinRoot(staticRoot, indexPath)
+			if !ok {
 				http.Error(w, "Invalid path", http.StatusBadRequest)
 				return
 			}
