From bfd234ceca4e347bd15fd5050d6ff657729c31fe Mon Sep 17 00:00:00 2001
From: Watanabe Takashi
Date: Sun, 1 Feb 2026 10:16:18 +0900
Subject: [PATCH] =?UTF-8?q?codeql=E3=81=AE=E6=8C=87=E6=91=98=E5=AF=BE?= =?UTF-8?q?=E5=BF=9C1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 exec_if.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/exec_if.go b/exec_if.go
index 425ab80..06d4605 100644
--- a/exec_if.go
+++ b/exec_if.go
@@ -74,6 +74,10 @@ func OutputFilter(stdout io.Reader, w http.ResponseWriter) error {
 func splitPathInfo(basedir string, path string, suffix string) (string, string, error) {
 ret := path
+ if strings.Contains(path, "..") {
+ slog.Warn("skip suspicious path", "path", path)
+ return "", "", fmt.Errorf("not found %s", path)
+ }
 for ret != "" && ret != "." && ret != "/" {
 slog.Debug("check", "path", path, "basedir", basedir, "cur", ret)
 if strings.HasSuffix(ret, suffix) {
@@ -122,7 +126,7 @@ func RunBy(opts SrvConfig, runner Runner, w http.ResponseWriter, r *http.Request
 slog.Error("not found", "error", err, "basename", bn)
 span.SetStatus(codes.Error, "not found")
 w.WriteHeader(http.StatusNotFound)
- fmt.Fprintln(w, bn, "not found")
+ fmt.Fprintln(w, "not found")
 return err
 }
 slog.Debug("memo(path)", "bn", bn, "bn2", bn2, "rest", rest)
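Review bot: The new guard at the top of splitPathInfo rejects any path containing the substring `..`, which also refuses legitimate names such as `a..b` or `report..txt`, while the property that actually matters is that no `..` *segment* can walk out of basedir. A segment-wise test is stricter on what counts and kinder to odd file names; since the loop below already treats `/` as the separator, splitting on `/` follows the function's own model of the path (whether path is URL-style and already percent-decoded is decided by the caller, which is outside this hunk, so confirm that). Consider also not embedding the caller-controlled path in the returned error (`fmt.Errorf("not found %s", path)`): the slog.Warn call already records it, and a path-free error cannot be reflected by any layer that writes err.Error() into a response. splitPathInfo's body continues past the end of the hunk.
```go
func splitPathInfo(basedir string, path string, suffix string) (string, string, error) {
	ret := path
	// Reject a ".." segment anywhere in the path; a plain substring test would
	// also refuse valid names such as "a..b". The path itself stays in the
	// structured log only, not in the error handed back to the caller.
	for _, seg := range strings.Split(path, "/") {
		if seg == ".." {
			slog.Warn("skip suspicious path", "path", path)
			return "", "", fmt.Errorf("not found")
		}
	}
	// … unchanged: suffix search loop …
```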
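Review bot: The not-found branch in RunBy still hand-rolls the error response with `w.WriteHeader(http.StatusNotFound)` followed by `fmt.Fprintln(w, "not found")`, whose write error goes unchecked; `http.Error(w, "not found", http.StatusNotFound)` does the same in one call and additionally sets `Content-Type: text/plain` and `X-Content-Type-Options: nosniff`, a sensible default for a handler that otherwise relays script output. Keeping `bn` in the slog.Error call only, as the hunk now does, is the right split between what the operator sees and what the client sees, so the remaining point is purely about how the response is written. RunBy's signature and the rest of its body lie outside the hunk.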