From e308bfd8bdcba01bc953589c6da7e5fd24fabda7 Mon Sep 17 00:00:00 2001 From: Joe <875022+moloch--@users.noreply.github.com> Date: Wed, 17 Apr 2024 16:06:43 -0700 Subject: [PATCH] Fix path traversal (#274) ## What type of PR is this? (check all applicable) - [ ] Refactor - [ ] Feature - [x] Bug Fix - [ ] Optimization - [ ] Documentation Update - [ ] Go Version Update - [ ] Dependency Update ## Added/updated tests? - [ ] Yes - [x] No, and this is why: _no additional tests needed, small fix_ - [ ] I need help with writing tests ## Run verifications and test - [ ] `make verify` is passing - [x] `make test` is passing ``` PASS coverage: 78.1% of statements ok github.com/gorilla/sessions 1.155s coverage: 78.1% of statements ``` --- store.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/store.go b/store.go index aea37e4..68d4ce5 100644 --- a/store.go +++ b/store.go @@ -14,6 +14,11 @@ import ( "github.com/gorilla/securecookie" ) +const ( + // File name prefix for session files. + sessionFilePrefix = "session_" +) + // Store is an interface for custom session stores. // // See CookieStore and FilesystemStore for examples. @@ -257,7 +262,7 @@ func (s *FilesystemStore) save(session *Session) error { if err != nil { return err } - filename := filepath.Join(s.path, "session_"+session.ID) + filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID)) fileMutex.Lock() defer fileMutex.Unlock() return os.WriteFile(filename, []byte(encoded), 0600) @@ -265,7 +270,7 @@ func (s *FilesystemStore) save(session *Session) error { // load reads a file and decodes its content into session.Values. func (s *FilesystemStore) load(session *Session) error { - filename := filepath.Join(s.path, "session_"+session.ID) + filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID)) fileMutex.RLock() defer fileMutex.RUnlock() fdata, err := os.ReadFile(filepath.Clean(filename)) @@ -281,7 +286,7 @@ func (s *FilesystemStore) load(session *Session) error { // delete session file func (s *FilesystemStore) erase(session *Session) error { - filename := filepath.Join(s.path, "session_"+session.ID) + filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID)) fileMutex.RLock() defer fileMutex.RUnlock()