extension in urls, filename validation (#33)

ice-blockchain · Dec 2, 2024 · f451e0b · f451e0b
1 parent 9d0cea4
commit f451e0b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/server/http/storage_nip96.go b/server/http/storage_nip96.go
@@ -123,6 +123,10 @@ func (s *storageHandler) Upload() gin.HandlerFunc {
 			gCtx.JSON(http.StatusBadRequest, uploadErr("file required"))
 			return
 		}
+		if upload.File.Filename == "" || strings.Contains(upload.File.Filename, "..") {
+			gCtx.JSON(http.StatusBadRequest, uploadErr("invalid filename, must be provided"))
+			return
+		}
 		if upload.MediaType != "" && upload.MediaType != mediaTypeAvatar && upload.MediaType != mediaTypeBanner {
 			gCtx.JSON(http.StatusBadRequest, uploadErr(fmt.Sprintf("unsupported media type %v", upload.MediaType)))
 			return
@@ -253,6 +257,9 @@ func (s *storageHandler) serveFileFromStorage() gin.HandlerFunc {
 			masterPubkey = spl[0]
 			file = spl[1]
 		}
+		if strings.Contains(file, ".") {
+			file = strings.TrimSuffix(file, filepath.Ext(file))
+		}
 		filePath, err := s.storageClient.FilePath(masterPubkey, file)
 		if err != nil {
 			if errors.Is(err, storage.ErrNotFound) {

diff --git a/storage/upload.go b/storage/upload.go
@@ -192,7 +192,7 @@ func (c *client) buildUrl(bagID, relativePath, masterPubkey, fileHash string, bo
 		if err != nil {
 			return "", errors.Wrapf(err, "invalid relay-url configured %v", globalConfig.RelayURL)
 		}
-		return fmt.Sprintf("https://%v:%v/files/%v:%v", relayUrl.Hostname(), relayUrl.Port(), masterPubkey, fileHash), nil
+		return fmt.Sprintf("https://%v:%v/files/%v:%v%v", relayUrl.Hostname(), relayUrl.Port(), masterPubkey, fileHash, filepath.Ext(relativePath)), nil
 	}
 	url := fmt.Sprintf("http://%v.bag/%v?bootstrap=%v", bagID, relativePath, bootstrap)