Merged
5 changes: 4 additions & 1 deletion router/router_server_files.go
Expand Up @@ -424,7 +424,10 @@ func postServerCreateDirectory(c *gin.Context) {
middleware.CaptureAndAbort(c, err)
return
}

if err := s.Filesystem().Chown(filepath.Join(data.Path, data.Name)); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
Comment on lines +427 to +430

⚠️ Potential issue | 🟠 Major

Guard against empty/dot directory names before recursive Chown.

With the new recursive Chown, a request like name="" (or ".") will resolve to data.Path, so this endpoint can recursively chown an existing tree instead of only the new folder. Please reject invalid names before create/chown.

🔧 Proposed fix
 func postServerCreateDirectory(c *gin.Context) {
 	s := ExtractServer(c)

 	var data struct {
 		Name string `json:"name"`
 		Path string `json:"path"`
 	}
 	// BindJSON sends 400 if the request fails, all we need to do is return
 	if err := c.BindJSON(&data); err != nil {
 		return
 	}
+	name := strings.TrimSpace(data.Name)
+	if name == "" || name == "." || name == ".." {
+		c.AbortWithStatusJSON(http.StatusUnprocessableEntity, gin.H{
+			"error": "Invalid directory name.",
+		})
+		return
+	}
+	target := filepath.Join(data.Path, name)

-	if err := s.Filesystem().CreateDirectory(data.Name, data.Path); err != nil {
+	if err := s.Filesystem().CreateDirectory(name, data.Path); err != nil {
 		...
 	}
-	if err := s.Filesystem().Chown(filepath.Join(data.Path, data.Name)); err != nil {
+	if err := s.Filesystem().Chown(target); err != nil {
 		middleware.CaptureAndAbort(c, err)
 		return
 	}
 	c.Status(http.StatusNoContent)
 }
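Review bot: the validation added at the top of the proposed fix rejects "", "." and ".." but still accepts a name containing a path separator, so `target := filepath.Join(data.Path, name)` can still resolve to something other than a single new child of data.Path; since the prompt text below asks for exactly that separator check, extend the condition, e.g. `|| strings.ContainsRune(name, filepath.Separator)`. Two smaller points on the same diff: `strings.TrimSpace` needs the `strings` import, and no import change is shown, so confirm the file already has it; and the invalid-name branch answers with `c.AbortWithStatusJSON(http.StatusUnprocessableEntity, ...)` while the prompt text says to report it via `middleware.CaptureAndAbort(c, err)`, so pick one so the handler reports all its errors the same way.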
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@router/router_server_files.go` around lines 427 - 430, the handler currently
calls s.Filesystem().Chown(filepath.Join(data.Path, data.Name)) without
validating data.Name, allowing empty string or "." to resolve to data.Path and
recurse over an unintended tree; before calling s.Filesystem().Chown (and before
any create/chown logic) validate data.Name to reject empty strings, "." or other
path-traversal/invalid names (e.g., trim and check for len==0 or name==".", and
ensure it does not contain path separators), and return an error via
middleware.CaptureAndAbort(c, err) if invalid so the recursive chown only runs
for explicit valid folder names.

c.Status(http.StatusNoContent)
}
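Review bot: the Chown added at lines +427 to +430 runs only after CreateDirectory has already succeeded, so a Chown failure returns an error through `middleware.CaptureAndAbort(c, err)` while the freshly created directory stays on disk with its pre-Chown ownership; either remove the directory when Chown fails or state in the handler that the create-then-chown sequence is not atomic. The path is also recomputed here as `filepath.Join(data.Path, data.Name)`, independently of the `(data.Name, data.Path)` pair passed to CreateDirectory just above, so any normalization CreateDirectory applies to the name or path is not mirrored in the Chown call; build the target path once (or have CreateDirectory return the path it created) so both calls act on the same location.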
